I am having problems with my seedbox, because it has utorrent 1.6.1
It's an extension to the BitTorrent protocol that allows them to send non-standard messages about all kinds of extensions, from PEX to chat.
The messages are sent between peers.
The setup for extended messaging is done after the initial BT handshake, with bit 4 of the 5th byte in the reserved 8 bytes being set for extended messaging support. Once the BT handshake is done, you send the size of the packet as a 4-byte int, followed by char(20) and char(0) to represent an extended message handshake, then a dictionary. The dictionary contains an m entry which maps extensions to ID numbers, and possibly a p entry for the port to send extended messages on and a v entry for the version as a UTF-8 string.
An example:
d1:md11:LT_metadatai1e6:µT_PEXi2ee1:pi6881e1:v13:µTorrent 1.2e
That maps LT_metadata plugin to ID 1, uT PEX to 2, the port to 6881 and the version to µTorrent 1.2
The messages can be sent by anyone who has completed the normal BT handshake. It would be someone that knows your port and IP as well as the hash, but that doesn't have to be someone in the swarm.
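As an added example (not code from the thread or from any client), here is the exchange rvt describes in Python: a BT handshake with the BEP 10 extension bit set, an extended handshake message (4-byte length, message id 20, extended id 0, bencoded dictionary), and a parser that checks the length prefix and the bencoded string lengths before trusting them. The helper names (make_handshake, parse_extended_handshake, bencode, bdecode) and the sample info_hash and peer_id are my own; real clients advertise PEX as "ut_pex", and note that bencoded string lengths count bytes, so a UTF-8 "µTorrent 1.2" is 13 bytes and "µT_PEX" would be 7, not 6. Anyone who knows the IP, the port and the 20-byte SHA-1 info_hash can complete the handshake and send these messages, which is the point of the discussion.

```python
# Added example, not from the original post: BitTorrent handshake with the
# BEP 10 extension bit, plus building and parsing the extended handshake.
# All function names and sample values below are constructed for illustration.
import hashlib

PSTR = b"BitTorrent protocol"
EXT_MSG_ID = 20        # "extended" message type, sent after the BT handshake
EXT_HANDSHAKE_ID = 0   # extended id 0 is reserved for the extended handshake


# --- minimal bencode (string lengths are BYTE counts) -----------------------
def bencode(obj) -> bytes:
    if isinstance(obj, bool):
        raise TypeError("bool is not bencodable")
    if isinstance(obj, int):
        return b"i%de" % obj
    if isinstance(obj, str):
        obj = obj.encode("utf-8")
    if isinstance(obj, bytes):
        return b"%d:" % len(obj) + obj
    if isinstance(obj, list):
        return b"l" + b"".join(bencode(x) for x in obj) + b"e"
    if isinstance(obj, dict):
        items = [(k.encode("utf-8") if isinstance(k, str) else k, v) for k, v in obj.items()]
        items.sort(key=lambda kv: kv[0])          # keys must be sorted byte strings
        return b"d" + b"".join(bencode(k) + bencode(v) for k, v in items) + b"e"
    raise TypeError("cannot bencode %r" % type(obj))


def bdecode(data: bytes, pos: int = 0):
    """Return (value, next_pos); raise ValueError on truncated or malformed input."""
    if pos >= len(data):
        raise ValueError("truncated input")
    c = data[pos:pos + 1]
    if c == b"i":
        end = data.index(b"e", pos)
        return int(data[pos + 1:end]), end + 1
    if c.isdigit():
        colon = data.index(b":", pos)
        n = int(data[pos:colon])
        start = colon + 1
        if start + n > len(data):                 # declared length must fit the buffer
            raise ValueError("string length exceeds buffer")
        return data[start:start + n], start + n
    if c == b"l":
        out, pos = [], pos + 1
        while data[pos:pos + 1] != b"e":
            v, pos = bdecode(data, pos)
            out.append(v)
        return out, pos + 1
    if c == b"d":
        out, pos = {}, pos + 1
        while data[pos:pos + 1] != b"e":
            k, pos = bdecode(data, pos)
            v, pos = bdecode(data, pos)
            out[k] = v
        return out, pos + 1
    raise ValueError("bad token at offset %d" % pos)


# --- BT handshake with the BEP 10 extension bit ------------------------------
def make_handshake(info_hash: bytes, peer_id: bytes, extensions: bool = True) -> bytes:
    reserved = bytearray(8)
    if extensions:
        reserved[5] |= 0x10   # BEP 10: 20th bit from the right of the 64 reserved bits
    return bytes([len(PSTR)]) + PSTR + bytes(reserved) + info_hash + peer_id


def supports_extensions(handshake: bytes) -> bool:
    if len(handshake) != 68 or handshake[0] != len(PSTR):
        raise ValueError("not a BitTorrent handshake")
    reserved = handshake[1 + len(PSTR):1 + len(PSTR) + 8]
    return bool(reserved[5] & 0x10)


# --- extended handshake: <len:4><20><0><bencoded dict> ------------------------
def make_extended_handshake(m: dict, port: int, version: str) -> bytes:
    body = bytes([EXT_MSG_ID, EXT_HANDSHAKE_ID]) + bencode({"m": m, "p": port, "v": version})
    return len(body).to_bytes(4, "big") + body


def parse_extended_handshake(msg: bytes) -> dict:
    if len(msg) < 6:
        raise ValueError("message too short")
    if int.from_bytes(msg[:4], "big") != len(msg) - 4:
        raise ValueError("length prefix does not match message size")
    if msg[4] != EXT_MSG_ID or msg[5] != EXT_HANDSHAKE_ID:
        raise ValueError("not an extended handshake")
    d, end = bdecode(msg, 6)
    if not isinstance(d, dict) or end != len(msg):
        raise ValueError("payload is not exactly one dictionary")
    return d


if __name__ == "__main__":
    # Constructed sample values: a fake info_hash and a fake peer_id.
    info_hash = hashlib.sha1(b"constructed sample torrent info").digest()
    peer_id = b"-XX0001-" + b"0" * 12
    hs = make_handshake(info_hash, peer_id)
    print("extension bit set:", supports_extensions(hs))
    msg = make_extended_handshake({"LT_metadata": 1, "ut_pex": 2}, 6881, "µTorrent 1.2")
    print(msg[6:])                      # the bencoded dictionary rvt shows
    print(parse_extended_handshake(msg))
```

The parser rejects a message whose length prefix disagrees with what was actually received and a string whose declared length runs past the buffer, which is the kind of check a client must do before it acts on anything in the m dictionary.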
Thank you for an excellent explanation, rvt!
The bug now seems less grave than it used to. The hash is 320 bits long as far as I could tell, and guessing it + matching against an IP/port pair seems somewhat difficult, which would probably make it unlikely for anyone from outside the swarm to use this to gain undesired access to it. If the problem is only feasible from peers already within the swarm, then at least the panic regarding MPAA/RIAA/choose-a-4-letter-initials getting into your computer or the swarm could be avoided.
The extended messaging bug is not even related to the remote code exploit.
So the fear is definitely overdone.
The POC code on milw0rm basically takes a torrent file as input and makes some changes to the announce URL. The big problem with that is that every single private tracker in existence and some public ones change the announce URL when you upload. The exploit is busted at the first step.
That's why nobody made much of a fuss about it 12 months ago.
So we have an old bug that affects 1.6.1 only if it is used to open a specially crafted torrent that was downloaded from a non-private site, and a new bug that only affects versions after 1.6.x. If anything, it should be 1.7-1.7.5 that are banned, although I consider running a client that crashes every 10 minutes to be the user's prerogative.
Azureus 2.5.0.4 (Last version without the Zudeo client)
http://filehippo.com/download_azureus/?2321
Cannot get it off the official page anymore. They are also trying to force people to upgrade, it seems.