Avoid uTorrent desktop and Web client

[German]I don’t know if anyone else is using Bittorrent via the uTorrent client or their web client. For security reasons, you should not use the these clients any more.


Advertising


Tavis Ormandy from Google’s project zero has analyzed these clients. He warns about using these clients for security reasons and has documented the issues within this bug report at Chromium project. He wrote:

By default, utorrent create an HTTP RPC server on port 10000 (uTorrent classic) or 19575 (uTorrent web). There are numerous problems with these RPC servers that can be exploited by any website using XMLHTTPRequest(). To be clear, visiting *any* website is enough to compromise these applications.

uTorrent web (web.utorrent.com)

uTorrent Web is a web interface through which you can access Bittorrent content via a browser. By default, uTorrent Web is configured to run on Windows system start, so that it is always running and accessible. For authentication, a random token is generated and stored in a configuration file. This token must be passed as a URL parameter for all requests.

If the user clicks the uTorrent taskbar icon, a browser window opens in which the authentication token is already entered in the URL. It looks like this:

http:[//]127.0.0.1:19575/gui/index.html?localauth=localapic3cfe21229a80938

Despite the 8-byte code it’s not trivial to launch a remote attack. However, the authentication information is stored in webroot. It only requires a few simple DNS rebinding attacks to access this information remotely. Once the attacker has this information, he can simply change the directory where torrents are stored. In other words: any files (which are writable) could be removed from the victim’s computer. All it takes is to lure the user to a prepared website.


Advertising

uTorrent Classic client

If you use the uTorrent client for the desktop instead of the web client, you will also run into problems. By default, utorrent Classic creates a JSON RPC server on port 10000. Ormandy writes, it’s not clear to him, that this was intentionally exposed to the web, as many endpoints crash or interfere with the UI. He set up a test page to demonstrate this flaws.

During the analysis, however, Ormandy noticed that the /proxy/ handler is enabled by default and exposed on the web. This allows any website to list and copy all downloaded files. Any website that users visit can read and copy any torrent that they have downloaded. This works with the default configuration.

In addition, Ormandy states that the binary file utorrent disables ASLR and /GS. A 3.5.3 beta of the desktop client is available and should close the security vulnerabilities. The web client is still vulnerable. Further details may be obtained at the Chromium bug report.


Advertising


This entry was posted in Security and tagged . Bookmark the permalink.

One Response to Avoid uTorrent desktop and Web client

  1. Pingback: Stop using uTorrent @ AskWoody

Leave a Reply

Your email address will not be published. Required fields are marked *