µTorrent exploit revealed


Posted by: torrentslave

According to IT security experts, the latest version of uTorrent is vulnerable to remote exploits.

Today brings news that the popular BitTorrent client server uTorrent (http://www.zeropaid.com/bbs/../news/6184/uTorrent+-+A+Beginner%27s+guide+to+BitTorrent+downloading) is vulnerable to hackers that can infiltrate your PC and execute arbitrary code if a user opens a manipulated torrent tracker file.

The apparent "glitch" in the software is that torrent tracker fields may contain an "announce" field. Well, if this "announce" field is longer than 4800 bytes, an internal µTorrent (http://www.zeropaid.com/bbs/../news/6184/uTorrent+-+A+Beginner%27s+guide+to+BitTorrent+downloading) buffer overflows, thereby allowing hackers to run their exploits.

For now it's only µTorrent 1.6 build 474 that is affected, but older versions may also contain the bug, and a new version to fix the problem is not yet available.

Source: http://digg.com/tech_news/mTorrent_gets_hacked_Remote_exploit_revealed

__________________________________________________

got this info on another forum



Posted by: gamer4eva

That sucks.....going to switch now!!!!



Posted by: Niteghost

Just lost my appetite, SUCKS bigtime, I guess Azureus :( :( :( :( :( :( :(



Posted by: Jab

Apparently works on XP SP1 and w2k sp1-4



Posted by: gamer4eva

Well it only affects those with announce higher than 4800bytes whatever that means.....



Posted by: Acidice

hmm... how prominent is this? I really don't wanna switch to the cpu-consuming AZ :(



Posted by: gamer4eva

hmm... how prominent is this? I really don't wanna switch to the cpu-consuming AZ :(

Neither do i......:(



Posted by: Shadowfire

Heh, and with this, uT goes downhill ........



Posted by: gamer4eva

Heh, and with this, uT goes downhill ........

Utorrent began to go downhill when it sold out....:lol:



Posted by: torrentslave

yep sucks big harry balls!!!!



Posted by: DefX

this is very upsetting. what are good alternatives out there aside from azureus? Something that doesnt consume lots of RAM.



Posted by: Alien5

wait for the fix.



Posted by: Jaits

the tracker owners can perform the fix in the tracker to not allow the faulty torrent to be uploaded.... u shouldnt really be opening torrents that other ppl send u anyhow...

the current shellcode doesnt affect sp2 so most users will be safe....



Posted by: vali

the tracker owners can perform the fix in the tracker to not allow the faulty torrent to be uploaded.... u shouldnt really be opening torrents that other ppl send u anyhow...

the current shellcode doesnt affect sp2 so most users will be safe....



..........Safe? The only sharing that is safe, is the hand to hand sharing.

LOL



Posted by: abu_has_the_power

this shouldn't be a problem if you get your torrents from legit sites



Posted by: nebcat

Oh my god! Switching...Thanks for the heads up!



Posted by: erRor67

The latest beta fixes this problem.



Posted by: ewerest

"it only affects those with announce higher than 4800bytes"
and this kind of .torrent files are produced purposely to hack you. so in the private trackers there is no need to worry about.



Posted by: Sentient

Heh, and with this, uT goes downhill ........

Jesus, there's overreacting and then there's you guys. It doesn't even affect the latest build.



Posted by: S!X

ah excellent news.. they need a new final build in the works asap...



Posted by: 4play

It really should be a simple fix for this. I'm just wondering why there isn't a new version out already.



Posted by: vipdiablo

yep sucks



Posted by: biggrizz

This is a bit worrying. I hope something is done soon



Posted by: Appzalien

I'd heard that some devious character took over the utorrent servers and I remember commenting to the poster and replyers that it didn't matter because utorrent didn't automatically update itself, you would have to download a new version created by this new owner to be vulnerable. And as long as you remained at the last version before he took over you should be ok.

Now that I hear utorrent itself warning customers that "if you know whats good for you you better update" I'm skeptical that a hole even exists. If the posters from before were indeed right, and this guy is devious, then this warning sounds devious as well. I don't know which is worse using an app with a security hole that has never been exploited (although it probably will be now!) or updating to a new version perhaps created with the mpaa and riaa's blessing for all I know.

The third option seems best to me, dump utorrent and use a different p2p client.



Posted by: Hairbautt

Check nsane, µTorrent 1.6.1.488 Final (http://www.nsaneproductions.com/forums/?showtopic=5525). Be sure to subscribe to thread.



Posted by: mr. nails

488 is released now. meh, i'll update sometime. lol, why are all u worried? do u save credit card numbers and/or bank account numbers on ur pc? if not.. what's the prob?

- Feature: Select upload/download speed for a torrent through the rightclick menu
- Feature: Added encryption box to speed guide
- Change: Don't check as many pieces at the same time.
- Change: Misc WebUI changes.
- Change: Switch to JSON for webinterface
- Fix: Problem with category list in the gui when updated from the webui
- Fix: WebUI not clearing state between requests.
- Fix: Redirect also index.html to guest.html
- Fix: Added On Now shows the time it's added, not loaded.
- Fix: JSON uses " instead of '
- Fix: (a) Upnp fix
- Fix: Show pause icon when checking is paused.
- Fix: Fixed problems with XML parser
- Fix: Don't allow two message boxes to be shown in the RSS window
- Fix: Changed some window titles
- Fix: Fix malformed .torrent exploit
- Fix: Boss key field is now larger



Posted by: Exploit

yeahh but still a beta :(



Posted by: mr. nails

yeahh but still a beta :(

it's official. not beta. just cuz it's not on the utorrent site yet doesn't mean it's beta. lol, i have my resources. u'll see.



Posted by: Hairbautt

yeahh but still a beta :(
It's posted and says "Final" :unsure:



Posted by: reachnet

I'd heard that some devious character took over the utorrent servers and I remember commenting to the poster and replyers that it didn't matter because utorrent didn't automatically update itself, you would have to download a new version created by this new owner to be vulnerable. And as long as you remained at the last version before he took over you should be ok.

Now that I hear utorrent itself warning customers that "if you know whats good for you you better update" I'm skeptical that a hole even exists. If the posters from before were indeed right, and this guy is devious, then this warning sounds devious as well. I don't know which is worse using an app with a security hole that has never been exploited (although it probably will be now!) or updating to a new version perhaps created with the mpaa and riaa's blessing for all I know.

The third option seems best to me, dump utorrent and use a different p2p client.

That's one of the best examples of "brain-FUD" I think I've ever seen. Congrats ! ;)
To believe or not to believe that is the question. ;)
If it's all the same with you, I think I'll upgrade anywayz ! ;)



Posted by: erRor67

yeahh but still a beta :(

it's official. not beta. just cuz it's not on the utorrent site yet doesn't mean it's beta. lol, i have my resources. u'll see.
Yes, its a final build. Download it here: http://download.utorrent.com/1.6.1/utorrent.exe

And just so you guys know, this exploit was fixed in a beta build back in July 2006. ;)



Posted by: mr. nails

I'd heard that some devious character took over the utorrent servers and I remember commenting to the poster and replyers that it didn't matter because utorrent didn't automatically update itself, you would have to download a new version created by this new owner to be vulnerable. And as long as you remained at the last version before he took over you should be ok.

Now that I hear utorrent itself warning customers that "if you know whats good for you you better update" I'm skeptical that a hole even exists. If the posters from before were indeed right, and this guy is devious, then this warning sounds devious as well. I don't know which is worse using an app with a security hole that has never been exploited (although it probably will be now!) or updating to a new version perhaps created with the mpaa and riaa's blessing for all I know.

The third option seems best to me, dump utorrent and use a different p2p client.

stole the quote....

yep, exactly. probably why i'll be installing azureus again anyhow. as, i've not yet installed this "new" version of utorrent and i mite not.



Posted by: lynx

This exploit is officially fixed in 1.6.1 build 489, released yesterday.

As erRor67 says, rumour is that it was actually fixed (as a tidying of the code) in the initial release of the Beta back in July 2006, but they hadn't thought of it as a vulnerability so it wasn't mentioned until now.

I've been using the Beta since then and I'm very happy with it, the changes in this final release are minimal and nothing to do with the sellout to bittorrent.



Posted by: Chip Monk

Cheers for the info, lynx.

Is it best to remove an older version then do a fresh install or is it OK to just download the installer and run it.



Posted by: kabloomz

Cheers for the info, lynx.

Is it best to remove an older version then do a fresh install or is it OK to just download the installer and run it.


fresh install... dont forget to remember ur settings (if u use any other than default)...

Kab



Posted by: Hairbautt

Cheers for the info, lynx.

Is it best to remove an older version then do a fresh install or is it OK to just download the installer and run it.


fresh install... dont forget to remember ur settings (if u use any other than default)...

Kab
You can backup the settings in the docs&settings/applicationdata/utorrent



Posted by: mr. nails

this final release are minimal and nothing to do with the sellout to bittorrent.

how do u know?



Posted by: Hairbautt

At nsane:

So, safe to use after µtorrent joinup with bittorrent?

Bittorrent, Inc bought the right to use uTorrent's core. They do not own uTorrent, or have any power to interfere with the development.

I just keep checking to see if anyone has problems, so far none.



Posted by: mike7778

HAS anyone had any problems with Utorrent?



Posted by: S!X

Cheers for the info, lynx.

Is it best to remove an older version then do a fresh install or is it OK to just download the installer and run it.

I just replaced my .exe file in the installation directory since this version doesn't have an installer.



Posted by: mr. nails

no official release in about a year and now 3 releases in 3 days. 490 is out. lol, have fun.



Posted by: Jaits

the tracker owners can perform the fix in the tracker to not allow the faulty torrent to be uploaded.... u shouldnt really be opening torrents that other ppl send u anyhow...

the current shellcode doesnt affect sp2 so most users will be safe....



..........Safe? The only sharing that is safe, is the hand to hand sharing.

LOL

maybe for u in terms of ur reality.... which i guess is quite limited....



Posted by: Washy

Has the issue been resolved with the latest release?

W.



Posted by: mr. nails

Has the issue been resolved with the latest release?

W.

i was never having an issue with version 1.6 build 474. i won't be updating anytime soon either. also, my build i'm using works with windows vista ultimate 64bit edition for those who need to know.



Posted by: tailz

Switch!



Posted by: durex

HAS anyone had any problems with Utorrent?

no problems, so far ...
:)
