Dark Archon
01-18-2008, 07:33 AM
Hi all
This is urgent news for all of those who uses private trackers, especially What.cd/waffles or any of the popular ones
SWITCH TO UTORRENT 1.7.6 (if you are using utorrent ofcourse) NOW OR YOU WILL PROBABLY BE BANNED ON EVERY TRACKER
Whatcd
The staff at What.cd highly recommend you immediately update to 1.7.6 if you are using the uTorrent client. There is a bug that will allow a user (or agency) to remotely crash your client. The uTorrent team state the flaw affects all older uTorrent versions 1.6 and 1.7.x. too but have been quick to respond, releasing a new build - uTorrent 1.7.6 (build 7859) which has fixed the issue.
You can read the news story here http://torrentfreak.com/bittorrent-clients-vulnerable-to-remote-dos-attack-080117/
2008-01-15: Version 1.7.6 (build 7859)
- Change: do not use adapter subnet to identify local peers
- Fix: double-clicking to open items in RSS releases tab
- Fix: remote crash bug (affects all 1.6.x, 1.7.x, and 1.8 builds released to date)
- Fix: limit local peers if disk is congested
There are also reports of a s PoC code to EXECUTE code on overflow, so this would allow a remote attacker to run code on your machine.
Even if they are unable to execute code, the health of our swarms are highly at risk. Anti P2P agencies will quite possibly be running bots to crash clients as soon as they can, which could easily be before you've even read this announcement. A very large percentage of all peers on all trackers are running a vulnerable client and these bots can and will destroy swarms.
It is very likely we will be banning all vulnerable uTorrent clients, the few users we may lose because of not allowing 1.6.x will secure the survival of the swarm. As it is now if users do not upgrade and we continue to allow the flawed versions a bot run to crash peers on this tracker could easily cut our peers and even our seeded torrents in half. To achieve herd immunity we will likely be forced to make this update mandatory, as I know many of you are stubborn on upgrading past the 1.6 series ( I too was a 1.6.1 user until now).
You can ofcourse switch to another client altogether, there will be some sites that are slower to allow 1.7.6 but I am fairly sure when I say it will move alot faster than other whitelistings, and it is quite possible many or most sites will even ban previous versions as we will have to do if the majority ignore warning and put our swarms at risk of being DOS'd.
Update from a BMTV sysop generally the last site to allow new builds
"I've just added uTorrent 1.7.6 to the allow list after find out about the Static Overflow.
Vulnerable Systems:
* BitTorrent version 6.0 build 5535 and prior
* uTorrent version 1.7.5 build 4602 and prior
* uTorrent version 1.8-alpha-7834 and prior
There is already code out there to take over an XP machine running uTorrent 1.6."
So don't think we are alone in thisWaffles
Waffles users using µTorrent must update to 1.7.6 by Jan-20-08. The sooner, the better.
There is a bug that will potentially allow a user/agency to crash your client. There are rumors that it may be even possible to execute code.
You can read more on this issue here: http://torrentfreak.com/bittorrent-clients-vulnerable-to-remote-dos-attack-080117/
"The uTorrent team state the flaw affects all older uTorrent versions 1.6 and 1.7.x. too but have been quick to respond, releasing a new build - uTorrent 1.7.6 (build 7859) which has fixed the issue."
You may download the updated client here: http://download.utorrent.com/1.7.6/utorrent.exe
You can also check for updates within the client itself, using Help -> Check for updates
"So far, the problem appears to affect these clients:
- BitTorrent 6.0 (build 5535)
- uTorrent 1.7.5 (build 4602)
- uTorrent 1.8 (alpha 7834)"
After January 19th, non-updated clients will be banned.According to TorrentFreak:
uTorrent and Official BitTorrent Client Vulnerable to Remote DOS Attack
Written by enigmax on January 17, 2008
Both the official BitTorrent and uTorrent clients are vulnerable to a remote denial-of-service attack, due to the way they handle user-supplied data. Versions found to be vulnerable so far are the official BitTorrent 6.0 client,
uTorrent 1.7.x, uTorrent 1.6.x and uTorrent 1.8-alpha-7834.
Security vulnerabilities in BitTorrent clients are relatively rare, although not unheard of. Luigi Auriemma, a Milan-based security expert, claims to have found a vulnerability in various BitTorrent clients based on the way they handle user-supplied data. The flaw allows an attacker to crash the application, effectively denying service to legitimate users. Code execution is not possible, which means there is little reason for users to panic.
So far, the problem appears to affect these clients:
- BitTorrent 6.0 (build 5535)
- uTorrent 1.7.5 (build 4602)
- uTorrent 1.8 (alpha 7834)
Luigi is reporting that earlier versions of these clients may also be vulnerable and this appears to have been confirmed by the uTorrent team. The problems are confirmed to exist on Windows versions of the software. As yet, Mac and Linux versions of the official BitTorrent client have not been tested.
The bug in detail (from Luigi’s site):
By default both the clients have the “Detailed Info” window active with the “General” section visible in it where are reported various informations about the status of the torrent and the trackers in use.
In this same window near “General” there is also the “Peers” section which is very useful since it showes many informations about the other connected clients like the percentage of availability of the shared torrent, their IP address, country, speed and amount of downloaded and uploaded data and moreover the version of their client (like “BitTorrent 6.0″, “Azureus 3.0.3.4″, “uTorrent 1.7.5″, “KTorrent 2.2.4″ and so on).
When this window is visualized by the user the unicode strings with the software versions of the connected clients are copied in the relative static buffers used for the visualization in the GUI through the wcscpy function.
If this string is too long a crash will occur immediately or in some cases (like on BitTorrent) could happen later or when the user watches the status of another torrent or leaves the “Peers” window. Code execution is not possible.
For exploiting the problem is enough that an external attacker connects to the random port opened on the client and sends the long client version and the SHA1 hash of the torrent currently in use and watched
on the target. Note that all these parameters (client IP, port and torrent’s hash) are
publicly available on the tracker.
The uTorrent team state the flaw affects all older uTorrent versions 1.6 and 1.7.x. too but have been quick to respond, releasing a new build - uTorrent 1.7.6 (build 7859) which has fixed the issue.
Make your switch to uTorrent 1.7.6
http://www.utorrent.com/download.php
For Change logs
http://download.utorrent.com/1.7.6/utorrent-1.7.6.txt
Take care and switch..all other trackers will be notified as well shortly.
This is urgent news for all of those who uses private trackers, especially What.cd/waffles or any of the popular ones
SWITCH TO UTORRENT 1.7.6 (if you are using utorrent ofcourse) NOW OR YOU WILL PROBABLY BE BANNED ON EVERY TRACKER
Whatcd
The staff at What.cd highly recommend you immediately update to 1.7.6 if you are using the uTorrent client. There is a bug that will allow a user (or agency) to remotely crash your client. The uTorrent team state the flaw affects all older uTorrent versions 1.6 and 1.7.x. too but have been quick to respond, releasing a new build - uTorrent 1.7.6 (build 7859) which has fixed the issue.
You can read the news story here http://torrentfreak.com/bittorrent-clients-vulnerable-to-remote-dos-attack-080117/
2008-01-15: Version 1.7.6 (build 7859)
- Change: do not use adapter subnet to identify local peers
- Fix: double-clicking to open items in RSS releases tab
- Fix: remote crash bug (affects all 1.6.x, 1.7.x, and 1.8 builds released to date)
- Fix: limit local peers if disk is congested
There are also reports of a s PoC code to EXECUTE code on overflow, so this would allow a remote attacker to run code on your machine.
Even if they are unable to execute code, the health of our swarms are highly at risk. Anti P2P agencies will quite possibly be running bots to crash clients as soon as they can, which could easily be before you've even read this announcement. A very large percentage of all peers on all trackers are running a vulnerable client and these bots can and will destroy swarms.
It is very likely we will be banning all vulnerable uTorrent clients, the few users we may lose because of not allowing 1.6.x will secure the survival of the swarm. As it is now if users do not upgrade and we continue to allow the flawed versions a bot run to crash peers on this tracker could easily cut our peers and even our seeded torrents in half. To achieve herd immunity we will likely be forced to make this update mandatory, as I know many of you are stubborn on upgrading past the 1.6 series ( I too was a 1.6.1 user until now).
You can ofcourse switch to another client altogether, there will be some sites that are slower to allow 1.7.6 but I am fairly sure when I say it will move alot faster than other whitelistings, and it is quite possible many or most sites will even ban previous versions as we will have to do if the majority ignore warning and put our swarms at risk of being DOS'd.
Update from a BMTV sysop generally the last site to allow new builds
"I've just added uTorrent 1.7.6 to the allow list after find out about the Static Overflow.
Vulnerable Systems:
* BitTorrent version 6.0 build 5535 and prior
* uTorrent version 1.7.5 build 4602 and prior
* uTorrent version 1.8-alpha-7834 and prior
There is already code out there to take over an XP machine running uTorrent 1.6."
So don't think we are alone in thisWaffles
Waffles users using µTorrent must update to 1.7.6 by Jan-20-08. The sooner, the better.
There is a bug that will potentially allow a user/agency to crash your client. There are rumors that it may be even possible to execute code.
You can read more on this issue here: http://torrentfreak.com/bittorrent-clients-vulnerable-to-remote-dos-attack-080117/
"The uTorrent team state the flaw affects all older uTorrent versions 1.6 and 1.7.x. too but have been quick to respond, releasing a new build - uTorrent 1.7.6 (build 7859) which has fixed the issue."
You may download the updated client here: http://download.utorrent.com/1.7.6/utorrent.exe
You can also check for updates within the client itself, using Help -> Check for updates
"So far, the problem appears to affect these clients:
- BitTorrent 6.0 (build 5535)
- uTorrent 1.7.5 (build 4602)
- uTorrent 1.8 (alpha 7834)"
After January 19th, non-updated clients will be banned.According to TorrentFreak:
uTorrent and Official BitTorrent Client Vulnerable to Remote DOS Attack
Written by enigmax on January 17, 2008
Both the official BitTorrent and uTorrent clients are vulnerable to a remote denial-of-service attack, due to the way they handle user-supplied data. Versions found to be vulnerable so far are the official BitTorrent 6.0 client,
uTorrent 1.7.x, uTorrent 1.6.x and uTorrent 1.8-alpha-7834.
Security vulnerabilities in BitTorrent clients are relatively rare, although not unheard of. Luigi Auriemma, a Milan-based security expert, claims to have found a vulnerability in various BitTorrent clients based on the way they handle user-supplied data. The flaw allows an attacker to crash the application, effectively denying service to legitimate users. Code execution is not possible, which means there is little reason for users to panic.
So far, the problem appears to affect these clients:
- BitTorrent 6.0 (build 5535)
- uTorrent 1.7.5 (build 4602)
- uTorrent 1.8 (alpha 7834)
Luigi is reporting that earlier versions of these clients may also be vulnerable and this appears to have been confirmed by the uTorrent team. The problems are confirmed to exist on Windows versions of the software. As yet, Mac and Linux versions of the official BitTorrent client have not been tested.
The bug in detail (from Luigi’s site):
By default both the clients have the “Detailed Info” window active with the “General” section visible in it where are reported various informations about the status of the torrent and the trackers in use.
In this same window near “General” there is also the “Peers” section which is very useful since it showes many informations about the other connected clients like the percentage of availability of the shared torrent, their IP address, country, speed and amount of downloaded and uploaded data and moreover the version of their client (like “BitTorrent 6.0″, “Azureus 3.0.3.4″, “uTorrent 1.7.5″, “KTorrent 2.2.4″ and so on).
When this window is visualized by the user the unicode strings with the software versions of the connected clients are copied in the relative static buffers used for the visualization in the GUI through the wcscpy function.
If this string is too long a crash will occur immediately or in some cases (like on BitTorrent) could happen later or when the user watches the status of another torrent or leaves the “Peers” window. Code execution is not possible.
For exploiting the problem is enough that an external attacker connects to the random port opened on the client and sends the long client version and the SHA1 hash of the torrent currently in use and watched
on the target. Note that all these parameters (client IP, port and torrent’s hash) are
publicly available on the tracker.
The uTorrent team state the flaw affects all older uTorrent versions 1.6 and 1.7.x. too but have been quick to respond, releasing a new build - uTorrent 1.7.6 (build 7859) which has fixed the issue.
Make your switch to uTorrent 1.7.6
http://www.utorrent.com/download.php
For Change logs
http://download.utorrent.com/1.7.6/utorrent-1.7.6.txt
Take care and switch..all other trackers will be notified as well shortly.