BitTorrent Client uTorrent Suffers Security Vulnerability

The popular torrent software, uTorrent, was found to have a serious vulnerability. According to Tavis of the Google Project-Zero, the uTorrent software is vulnerable to remote attacks. The way it works is that an attacker can user a website to perform a simple DNS Rebinding attack to download malware anywhere onto the victim’s computer through the uTorrent software. It is suggested to either stop using the software entirely or do not have the uTorrent software running when not in use till the issue is fixed. To see a working demo of this attack, go to Google Project-Zero page for the uTorrent.



Here's what we know from Tavis:

By default, utorrent create an HTTP RPC server on port 10000 (uTorrent classic) or 19575 (uTorrent web). There are numerous problems with these RPC servers that can be exploited by any website using XMLHTTPRequest().

To be clear, visiting *any* website is enough to compromise these applications. uTorrent web (http://web.utorrent.com)

======================================

As the name suggests, uTorrent Web uses a web interface and is controlled by a browser as opposed to the desktop application. By default, uTorrent web is configured to startup with Windows, so will always be running and accessible. For authentication, a random token is generated and stored in a configuration file which must be passed as a URL parameter with all requests. When you click the uTorrent tray icon, a browser window is opened with the authentication token populated, it looks like this:

http://127.0.0.1:19575/gui/index.html?localauth=localapic3cfe21229a80938:

While not a particularly strong secret (8 bytes of std::random_device), it at least would make remote attacks non-trivial. Unfortunately however, the authentication secret is stored inside the webroot (wtf!?!?!?!), so you can just fetch the secret and gain complete control of the service.

$ curl -si http://localhost:19575/users.conf HTTP/1.1 200 OK Date: Wed, 31 Jan 2018 19:46:44 GMT Last-Modified: Wed, 31 Jan 2018 19:37:50 GMT Etag: "5a721b0e.92" Content-Type: text/plain Content-Length: 92 Connection: close Accept-Ranges: bytes localapi29c802274dc61fb4        bc676961df0f684b13adae450a57a91cd3d92c03 94bc897965398c8a07ff     2      1

This requires some simple dns rebinding to attack remotely, but once you have the secret you
can just change the directory torrents are saved to, and then download any file anywhere
writable...

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1524

For more Information on the vulnerability go to: 260blog.com

Tags: