
Thread: To BT site staff about utorrent 1.6.1 !

  1. #1
    Quote: Originally Posted by rvt
    I've spent some time looking into this issue.

    The POC code on milw0rm relies on creating a malicious torrent file which the uT user opens. On any sites without public uploads, or those that clean the uploaded torrents, there is no real problem.

    Another issue mentioned on torrentfreak recently revolves around an overflow bug in extended messaging.
    When an attacker sends a long enough string for version info, and the user views the peers tab, uT will crash.

    1.6.x versions are not vulnerable to this attack, as they never display the version info obtained from extended messaging in the peers tab.
    1.7.x are vulnerable.

    Have not tested 1.8.x

    1.6.x still has some life in it yet
    Quote: Originally Posted by rvt
    1.6.1 (488) fine
    1.6.1 (489) fine
    1.6.1 (490) fine
    1.7.0 (3353) bugged
    1.7.1 (3360) bugged
    1.7.2 (3458) bugged
    1.7.3 (4470) bugged
    1.7.4 (4482) bugged
    1.7.5 (4602) bugged

    That's in relation to the new bug that allows anyone to crash your uT.

    For the old POC code from milw0rm, it only works if an attacker can get you to open a torrent file with a very large announce URL, because the announce URL contains the exploit. On private sites using passkeys, that announce URL is changed anyway so a torrent you download from them can never contain the exploit.
    For public trackers, you can stay safe if you open the file in torrentspy before opening in uT.
    http://torrentspy.sourceforge.net/
    If the announce URL is not valid, opening it in torrentspy will show you that.
    I'd like to know the reason behind the banning of 1.6.1, which is safe according to an experienced staff/coder!




    update :

    bitme, bitmetv, blackcats-games, what, waffles, revtt have all unbanned 1.6.1



    update 2 :

    Quote: Originally Posted by rvt
    For those sites who won't unban unless uT says it's ok.

    http://forum.utorrent.com/viewtopic....300606#p300606
    50% of people reading the changelog will be getting a copy of the old one. The new one is there though, and has removed mention of 1.6.x

    Fix: remote crash bug (affects 1.7.x, and 1.8 builds released to date)

    It doesn't affect 1.6.x





    Last edited by FatBob; 01-23-2008 at 07:30 AM.

  2. BitTorrent   -   #2
    Poster BT Rep: +3
    Join Date
    Dec 2007
    Posts
    145
    kool.

  3. BitTorrent   -   #3
    grimms's Avatar Excuse Me? BT Rep: +16
    Join Date
    Oct 2007
    Posts
    3,157
    Nice topic. Kinda want to know myself. I did obviously upgrade though. Not going to risk my account for not following orders.

    Excuse Me?
    Didn't Think So!





  4. BitTorrent   -   #4
    pandabear's Avatar Internet BT Rep: +2
    Join Date
    Nov 2006
    Posts
    556
    Because if you check the utorrent site they say 1.6.1 is vulnerable, and many just take the info from that. But if rvt's info can be backed up by another coder, maybe staff will reconsider bans.

    Also great post LordS


    Someone invite me to fsc please

  5. BitTorrent   -   #5
    rvt's Avatar Poster BT Rep: +1
    Join Date
    Aug 2007
    Posts
    368
    Edit: In regards to uT saying it affects 1.6.x, that is a lie put out to get people to upgrade.
    One of the bittorrent devs said in their forum that it does not affect 1.6.x
    http://forum.utorrent.com/viewtopic....298736#p298736
    End Edit

    It can be confirmed easily enough.

    I have some php code for crashing uT posted at p2pg and tbdev. We have a fair amount of sites on p2pg, and they can spread the code out to other sysops/coders. The code is in the VIP section at tbdev to keep it out of the public eye. If any sysop wants a copy, drop me a PM.

    The POC code for executing code on 1.6 is available at milw0rm. What it does is change the announce URL to a lot of code that does not represent a real URL in any way. I would post an example, but it's full of all sorts of control characters and isn't pretty.

    Any tracker using passkeys is going to replace that URL with their own one anyway, so none of these malformed torrents will be downloadable from private trackers.

    On public trackers, these torrents will be deleted very quickly because the announce URL is not valid and so they cannot work on any client.

    For anyone testing the milw0rm exploit, if you are getting segmentation faults, make sure the torrent file you use as input has a comment after the announce URL.
    d8:announce10:01234567897:comment10:0123456789 << like that
    The code uses the 7:comment part to work out where to split.

    BTW, the milw0rm code does not work on XP SP2 far as I can tell.
    Last edited by rvt; 01-20-2008 at 09:19 AM.
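
    The upload-side cleaning this post relies on (an announce URL that is oversized or not a real URL gets the torrent rejected) can be sketched as follows. This is an added example, not code from the thread, tbdev or any tracker; `MAX_ANNOUNCE_LEN`, the accepted schemes and the function names are assumptions.

```python
from urllib.parse import urlsplit

MAX_ANNOUNCE_LEN = 512  # assumed site policy, not a BitTorrent spec value
# Constructed sample: the layout quoted in the post, closed with the dict's 'e'.
SAMPLE = b"d8:announce10:01234567897:comment10:0123456789e"

def bdecode(buf, i=0):
    """Decode one bencoded value at buf[i]; return (value, next_index)."""
    c = buf[i:i + 1]
    if c == b"i":                                   # integer: i<digits>e
        end = buf.index(b"e", i)
        return int(buf[i + 1:end]), end + 1
    if c in (b"l", b"d"):                           # list / dict, closed by 'e'
        items, i = [], i + 1
        while buf[i:i + 1] != b"e":                 # running off the end raises below
            val, i = bdecode(buf, i)
            items.append(val)
        if c == b"d" and len(items) % 2:
            raise ValueError("dict key without value")
        return (items if c == b"l" else dict(zip(items[0::2], items[1::2]))), i + 1
    if c.isdigit():                                 # string: <len>:<bytes>
        colon = buf.index(b":", i)
        end = colon + 1 + int(buf[i:colon])
        if end > len(buf):
            raise ValueError("string length runs past end of data")
        return buf[colon + 1:end], end
    raise ValueError("bad bencode at offset %d" % i)

def announce_problems(torrent_bytes):
    """Return reasons to reject an upload; an empty list means accept."""
    try:
        meta, _ = bdecode(torrent_bytes)
    except (ValueError, TypeError, RecursionError) as exc:
        return ["not valid bencode: %s" % exc]
    url = meta.get(b"announce") if isinstance(meta, dict) else None
    if not isinstance(url, bytes):
        return ["no announce string"]
    problems = []
    if len(url) > MAX_ANNOUNCE_LEN:
        problems.append("announce is %d bytes" % len(url))
    if any(b < 0x21 or b > 0x7E for b in url):
        problems.append("announce has control, space or non-ASCII bytes")
    try:
        parts = urlsplit(url.decode("latin-1"))
        if parts.scheme not in ("http", "https", "udp") or not parts.hostname:
            raise ValueError
    except ValueError:
        problems.append("announce is not an http/https/udp URL")
    return problems
```

    A tracker that rewrites the announce URL with its own passkey URL gets the same protection as a side effect; this check is for sites that store and serve the uploaded file as it arrived.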

  6. BitTorrent   -   #6
    monk3y's Avatar Pirate's Life for me BT Rep: +30
    Join Date
    Dec 2006
    Location
    Any other world
    Age
    37
    Posts
    1,460
    Quote: Originally Posted by rvt
    Edit: In regards to uT saying it affects 1.6.x, that is a lie put out to get people to upgrade.
    One of the bittorrent devs said in their forum that it does not affect 1.6.x
    http://forum.utorrent.com/viewtopic....298736#p298736

    It can be confirmed easily enough.

    I have some php code for crashing uT posted at p2pg and tbdev. We have a fair amount of sites on p2pg, and they can spread the code out to other sysops/coders. The code is in the VIP section at tbdev to keep it out of the public eye. If any sysop wants a copy, drop me a PM.

    The POC code for executing code on 1.6 is available at milw0rm. What it does is change the announce URL to a lot of code that does not represent a real URL in any way. I would post an example, but it's full of all sorts of control characters and isn't pretty.

    Any tracker using passkeys is going to replace that URL with their own one anyway, so none of these malformed torrents will be downloadable from private trackers.

    On public trackers, these torrents will be deleted very quickly because the announce URL is not valid and so they cannot work on any client.

    For anyone testing the milw0rm exploit, if you are getting segmentation faults, make sure the torrent file you use as input has a comment after the announce URL.
    d8:announce10:01234567897:comment10:0123456789 << like that
    The code uses the 7:comment part to work out where to split.

    BTW, the milw0rm code does not work on XP SP2 far as I can tell.
    thanks for the hard work rvt, it's great to know 1.6.1 is still good.
    all we need to do now is convince staffers

    Do not pm me requesting for invites as i have none to spare
    Signature & Avatar Rules

  7. BitTorrent   -   #7
    thanks a lot again rvt

    ok so the ut forum itself says 1.6 is safe

    and rvt has confirmed that private trackers won't be affected by this exploit


    so what are we waiting for ? unban 1.6

  8. BitTorrent   -   #8
    still no comments from other bt staff ? huh

  9. BitTorrent   -   #9
    grimms's Avatar Excuse Me? BT Rep: +16
    Join Date
    Oct 2007
    Posts
    3,157
    Probably not until uTorrent themselves say it is safe again. Until then, probably not.

    Excuse Me?
    Didn't Think So!





  10. BitTorrent   -   #10
    stoi's Avatar BCG Owner BT Rep: +45
    Join Date
    Oct 2002
    Posts
    3,679
    BCG is allowing 1.6.#

    we are banning all 1.7 earlier than 1.7.6

    and we don't allow alpha/beta anyway so 1.8 is not allowed yet.
