
View Full Version : To BT site staff about utorrent 1.6.1 !



FatBob
01-20-2008, 07:59 AM
I've spent some time looking into this issue.

The POC code on milw0rm relies on creating a malicious torrent file which the uT user opens. On any sites without public uploads, or those that clean the uploaded torrents, there is no real problem.

Another issue mentioned on torrentfreak recently revolves around an overflow bug in extended messaging.
When an attacker sends a long enough string for version info, and the user views the peers tab, uT will crash.

1.6.x versions are not vulnerable to this attack, as they never display the version info obtained from extended messaging in the peers tab.
1.7.x are vulnerable.

Have not tested 1.8.x

1.6.x still has some life in it yet :P


1.6.1 (488) fine
1.6.1 (489) fine
1.6.1 (490) fine
1.7.0 (3353) bugged
1.7.1 (3360) bugged
1.7.2 (3458) bugged
1.7.3 (4470) bugged
1.7.4 (4482) bugged
1.7.5 (4602) bugged

That's in relation to the new bug that allows anyone to crash your uT.

For the old POC code from milw0rm, it only works if an attacker can get you to open a torrent file with a very large announce URL, because the announce URL contains the exploit. On private sites using passkeys, that announce URL is changed anyway so a torrent you download from them can never contain the exploit.
For public trackers, you can stay safe if you open the file in torrentspy before opening in uT.
http://torrentspy.sourceforge.net/
If the announce URL is not valid, opening it in torrentspy will show you that.

i like to know the reason behind banning of 1.6.1 which is safe according to an experienced staff/coder !

:mellow:


update :

bitme, bitmetv, blackcats-games, what, waffles ,revtt have all unbanned 1.6.1

:)

update 2 :


for those sites who wont unban unless uT says it's ok.

http://forum.utorrent.com/viewtopic.php?pid=300606#p300606
50% of people reading the changelog will be getting a copy of the old one. The new one is there though, and has removed mention of 1.6.x


Fix: remote crash bug (affects 1.7.x, and 1.8 builds released to date)

it doesnt affect 1.6.x

:)

LordS
01-20-2008, 08:39 AM
kool.

grimms
01-20-2008, 08:43 AM
Nice topic. Kinda want to know myself. I did obviously upgrade though. Not going to risk my account for not following orders.

pandabear
01-20-2008, 08:47 AM
Because if you check utorrent site (http://forum.utorrent.com/viewtopic.php?id=29330) they say 1.6.1 is vulnerable and many just take the info from that. But if rvt info, can be backed up by another coder, maybe staff will reconsider bans.

Also great post LordS

rvt
01-20-2008, 09:14 AM
Edit: In regards to uT saying it affects 1.6.x, that is a lie put out to get people to upgrade.
One of the bittorrent devs said in their forum that it does not affect 1.6.x
http://forum.utorrent.com/viewtopic.php?pid=298736#p298736
End Edit

It can be confirmed easily enough.

I have some php code for crashing uT posted at p2pg and tbdev. We have a fair amount of sites on p2pg, and they can spread the code out to other sysops/coders. The code is in the VIP section at tbdev to keep it out of the public eye. If any sysop wants a copy, drop me a PM.

The POC code for executing code on 1.6 is available at milw0rm. What it does is change the announce URL to a lot of code that does not represent a real URL in any way. I would post an example, but it's full of all sorts of control characters and isn't pretty.

Any tracker using passkeys is going to replace that URL with their own one anyway, so none of these malformed torrents will be downloadable from private trackers.

On public trackers, these torrents will be deleted very quickly because the announce URL is not valid and so they cannot work on any client.

For anyone testing the milw0rm exploit, if you are getting segmentation faults, make sure the torrent file you use as input has a comment after the announce URL.
d8:announce10:01234567897:comment10:0123456789 << like that
The code uses the 7:comment part to work out where to split.

BTW, the milw0rm code does not work on XP SP2 far as I can tell.
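
An added example (not rvt's code, and not taken from milw0rm, torrentspy or any tracker's code base) of the two defences this thread relies on: checking that a torrent's announce value is a plausible tracker URL, and the private-tracker step of replacing it with the site's own passkey URL. `MAX_ANNOUNCE`, the function names and the `tracker.example` URLs are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

MAX_ANNOUNCE = 1024  # assumed policy limit; the thread gives no number

def bdecode(data, i=0):
    """Decode one bencoded value at offset i; return (value, next_offset)."""
    c = data[i:i + 1]
    if c == b"i":
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c in (b"l", b"d"):
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            if i >= len(data):
                raise ValueError("unterminated list or dictionary")
            item, i = bdecode(data, i)
            items.append(item)
        if c == b"l":
            return items, i + 1
        keys = items[0::2]
        if len(items) % 2 or not all(isinstance(k, bytes) for k in keys):
            raise ValueError("malformed dictionary")
        return dict(zip(keys, items[1::2])), i + 1
    if c.isdigit():
        colon = data.index(b":", i)
        start, n = colon + 1, int(data[i:colon])
        if start + n > len(data):  # declared length must fit in the file
            raise ValueError("string length runs past end of file")
        return data[start:start + n], start + n
    raise ValueError("bad bencode at offset %d" % i)

def bencode(v):
    # Re-encode a decoded value, dictionary keys in sorted order.
    if isinstance(v, int):
        return b"i%de" % v
    if isinstance(v, bytes):
        return b"%d:%s" % (len(v), v)
    if isinstance(v, list):
        return b"l" + b"".join(bencode(x) for x in v) + b"e"
    return b"d" + b"".join(bencode(k) + bencode(v[k]) for k in sorted(v)) + b"e"

def announce_problems(url, max_len=MAX_ANNOUNCE):
    """List the reasons an announce value does not look like a tracker URL."""
    problems = []
    if len(url) > max_len:
        problems.append("too long")
    if any(b < 0x21 or b > 0x7E for b in url):
        problems.append("non-printable bytes")
    try:
        parts = urlsplit(url.decode("latin-1"))
        ok = parts.scheme in ("http", "https", "udp") and bool(parts.hostname)
    except ValueError:
        ok = False
    if not ok:
        problems.append("not a tracker URL")
    return problems

def clean_upload(raw, tracker_announce):
    """Return (cleaned torrent or None, problems found in the upload)."""
    try:
        meta, end = bdecode(raw)
    except (ValueError, RecursionError) as exc:
        return None, ["not valid bencode: %s" % exc]
    if end != len(raw) or not isinstance(meta, dict):
        return None, ["not a torrent dictionary"]
    ann = meta.get(b"announce", b"")
    problems = (announce_problems(ann) if isinstance(ann, bytes)
                else ["announce is not a string"])
    meta[b"announce"] = tracker_announce  # uploader's value is discarded
    meta.pop(b"announce-list", None)
    return bencode(meta), problems

# Constructed inputs. PAGE_SAMPLE is the layout quoted in the post, closed with "e".
OURS = b"http://tracker.example/announce?passkey=PLACEHOLDER"
PAGE_SAMPLE = b"d8:announce10:01234567897:comment10:0123456789e"
JUNK = bencode({b"announce": b"\x01\x02\x03" + b"A" * 60 + b"\x1b\x7f"})

if __name__ == "__main__":
    for raw in (PAGE_SAMPLE, JUNK):
        print(clean_upload(raw, OURS))
```

Re-encoding writes dictionary keys in sorted order, so the info dictionary keeps its hash only if the uploaded file was already encoded that way.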

monk3y
01-20-2008, 09:18 AM
Edit: In regards to uT saying it affects 1.6.x, that is a lie put out to get people to upgrade.
One of the bittorrent devs said in their forum that it does not affect 1.6.x
http://forum.utorrent.com/viewtopic.php?pid=298736#p298736

It can be confirmed easily enough.

I have some php code for crashing uT posted at p2pg and tbdev. We have a fair amount of sites on p2pg, and they can spread the code out to other sysops/coders. The code is in the VIP section at tbdev to keep it out of the public eye. If any sysop wants a copy, drop me a PM.

The POC code for executing code on 1.6 is available at milw0rm. What it does is change the announce URL to a lot of code that does not represent a real URL in any way. I would post an example, but it's full of all sorts of control characters and isn't pretty.

Any tracker using passkeys is going to replace that URL with their own one anyway, so none of these malformed torrents will be downloadable from private trackers.

On public trackers, these torrents will be deleted very quickly because the announce URL is not valid and so they cannot work on any client.

For anyone testing the milw0rm exploit, if you are getting segmentation faults, make sure the torrent file you use as input has a comment after the announce URL.
d8:announce10:01234567897:comment10:0123456789 << like that
The code uses the 7:comment part to work out where to split.

BTW, the milw0rm code does not work on XP SP2 far as I can tell.

thanks for the hard work rvt, it's great to know 1.6.1 is still good.
all we need to do now is convince staffers :)

FatBob
01-20-2008, 09:24 AM
thanks a lot again rvt :)

ok so the ut forum itself says 1.6 is safe

and rvt has confirmed that private trackers wont be affected by this exploit


so what are we waiting for ? unban 1.6 :happy:

FatBob
01-21-2008, 02:03 AM
still no comments from other bt staff ? huh

grimms
01-21-2008, 02:08 AM
Probably not until uTorrent themselves say it is safe again. Until then, probably not.

stoi
01-21-2008, 02:10 AM
BCG is allowing 1.6.#

we are banning all 1.7 earlier than 1.7.6

and we dont allow alpha/beta anyway so 1.8 is not allowed yet.

grimms
01-21-2008, 02:12 AM
Alphas tend to be really buggy anyways. I would diverge users from them, unless you're a developer or beta tester of course.

aysomc
01-21-2008, 02:15 AM
i would like to go back to 1.6.1 just because 1.7.6 takes me 30 seconds or more before it actually starts downloading anything and ive even had a few times where it didnt connect to any peers until i restarted utorrent. could be a problem on my end, but it hasnt ever happened on 1.6.1. nice work rvt.

`Dr. Nick Riviera`
01-21-2008, 02:22 AM
^Never experienced anything similar...

jam0980tr
01-21-2008, 02:23 AM
http://tbn0.google.com/images?q=tbn:IEd_63aWHFc0bM:http://www.shahrulnizam.org/pwned.jpg

grimms
01-21-2008, 02:24 AM
i would like to go back to 1.6.1 just because 1.7.6 takes me 30 seconds or more before it actually starts downloading anything and ive even had a few times where it didnt connect to any peers until i restarted utorrent. could be a problem on my end, but it hasnt ever happened on 1.6.1. nice work rvt.

I agree. Also i can't use myspleen now. They banned ut 1.7.6. Bad client according to them. I now also have problems downloading from some trackers. It may change now though since a lot of people are forced to upgrade since most trackers have now officially banned 1.6.1 (most not all).

Cabalo
01-21-2008, 04:07 AM
ffs, i was forced to upgrade to 1.7.6 cuz revTT allows no earlier versions.
TL also recommends upgrading.

i hope this situation is just temporary and they will allow again using 1.6.x versions. i agree with the ban on 1.7.x prior to 1.7.6 though.

TheFoX
01-21-2008, 04:39 AM
As pointed out by rvt, the vulnerability is exploited by crafting a specific tracker URL. Practically every private torrent site will change the URL by adding a passkey to it, therefore destroying any attempt at a malicious URL.

The only place where these exploits can actually be practised would be on the public trackers, because if anyone was stupid enough to try this on a private tracker, their details would be circulated quicker than a Scotsman could down a bottle of whisky.

pandabear
01-21-2008, 04:51 AM
SCT have forced upgrading, so the massive userbase there, who are indeed shared amongst FSC and FTN will have upgraded. As long as a few big torrent sites force the move to 1.7.6 (what and waffles did as well?) i doubt many will remain with 1.6.1 (except those still caught up in the conspiracy theories)

silhoutte
01-21-2008, 05:09 AM
Edit: In regards to uT saying it affects 1.6.x, that is a lie put out to get people to upgrade.
One of the bittorrent devs said in their forum that it does not affect 1.6.x


Yes, its obvious. Even 1.6 has not such a vulnerability unless you are using xp without upgrades. My utorrent always crashed when my computer auto-shut down during power failures with xp with no service packs installed. However, since when i upgraded with sp2, there are no problems. Still i'm using 1.6, not even 1.6.1

Why trackers enforce it? I find only one reason. Many complain in the forums that their utorrent crashed and so they couldn't seed acc to tracker rules. The result is obvious. I always keep a back up copy of my utorrent settings, though i never needed to use it.

Another reason could be cheating. Staff might think they can beat cheaters cause they might have the old version based cheating clients. lol
However, i'm not against this forced upgrade, but if all trackers do it, it'd be appreciated.

...

Mistral
01-21-2008, 06:05 AM
i doubt many will remain with 1.6.1 (except those still caught up in the conspiracy theories)

It's not just about conspiracy theories anymore though is it?
Even if you disregard the fact that utorrent development is now partly funded by 20th Century Fox etc, this situation has proven that every version of the client since BitTorrent Inc took over has had serious flaws. That diminishes my confidence beyond just being paranoid.

None of the sites that I use have bought into the scaremongering about 1.6 yet, so I'll continue using it. Never had a problem with it so why change?

:cool:

silhoutte
01-21-2008, 09:14 AM
The staff might have their own reasons that they don't want to reveal? Or is it the only good version after utorrent 1.6.1 that they want all users use the same in order to ease check on cheaters?

sugam
01-21-2008, 09:19 AM
that is a lie put out to get people to upgrade.

I was pretty damn sure about this.

FatBob
01-21-2008, 09:37 AM
As pointed out by rvt, the vulnerability is exploited by crafting a specific tracker URL. Practically every private torrent site will change the URL by adding a passkey to it, therefore destroying any attempt at a malicious URL.

The only place where these exploits can actually be practised would be on the public trackers, because if anyone was stupid enough to try this on a private tracker, their details would be circulated quicker than a Scotsman could down a bottle of whisky.

so why does some private trackers ban it ? :sadwalk:

they dont have good coders that can actually test this issue ?


maybe we should post this thread in every private tracker forum ! :mellow:

sokrates
01-21-2008, 09:39 AM
i still hope sct and hdbits will change their minds again..
its quite stupid to read in the hdbits forum something like hey µ 1.6.1 is old, upgrade to 1.7.6!..
if they dont change it i will have to switch to another client i have no problems with as i always had funny time outs with 1.7.x versions.. and some other weird problems..

grimms
01-21-2008, 09:45 AM
version 1.7.6 is finally starting to act stable finally. Still miss utorrent 1.6 though. Seem to can't let it go i guess..

silhoutte
01-21-2008, 09:57 AM
I hate seeing that red bar when we click on files which is otherwise white in 1.6.1 lol

jam0980tr
01-21-2008, 11:04 AM
Best to keep everything up to date, good move for bittorrent trackers

+1

fOrUmAs
01-21-2008, 12:21 PM
RevTT have also banned all version of utorrent except 176 :)

sokrates
01-21-2008, 03:36 PM
RevTT have also banned all version of utorrent except 176 :)
why are you happy about it?
and that a site bans a well working versions of a client doesnt proof anything..
if a large amount of users wants to stick to µ 1.6.1 there is no point in saying hey we ban the client bc we can..
if you dont have vista and dont use https the rss-reader there is no point in getting the new version..
or have i missed a major improvement in all these many new versions?

FatBob
01-21-2008, 03:40 PM
so bitmetv has allowed 1.6.1 ? correct ? :)

sleepyy
01-21-2008, 03:47 PM
They have allowed 1.6.1 to remain revtt an admin confirmed it bitmetv it's on the front page i think now most trackers will allow it to stay

mrnobody
01-21-2008, 03:59 PM
blame the +1 chain.

Let "A" be a person with an excellent reputation (say, staff of "high lvl" tracker or even say coders of utorrent) then the +1 chain is given as:







1.7.6 is better than 1.6.1

+1

+1

+1

+1

i forgot what comes after F :(

FatBob
01-21-2008, 07:10 PM
http://x264.eu/


uTorrent exploit
- it has come to light that the exploit actually does not affect 1.6.x so 1.6.1 is still the recommended version.
- interesting how it got so much worse after it was sold http://x264.eu/pic/smilies/confused.gif

so more sites are sticking to the 1.6.1 version :)

gatorade
01-21-2008, 09:51 PM
where can I find 1.6.1 build 490?

stoi
01-21-2008, 09:52 PM
probably oldversion.com (haven't checked but if its anywhere its there)

FatBob
01-21-2008, 09:54 PM
where can I find 1.6.1 build 490?

http://www.download3000.com/download_19049.html

:)

broomhead
01-21-2008, 10:08 PM
most trackers have unbanned 1.6.1, but why dont u just use the newer version?

Tokeman
01-21-2008, 10:13 PM
where can I find 1.6.1 build 490?

http://www.download3000.com/download_19049.html

:)

http://oldversion.com/program.php?n=utorrent

Oldversion.com has many old versions stored for your most popular programs. Great site, check it out.

gatorade
01-21-2008, 10:35 PM
not on either of those two links

fOrUmAs
01-21-2008, 10:42 PM
most trackers have unbanned 1.6.1, but why dont u just use the newer version?

i havent see many trackers have unbanned 161 at all..can u tell some except waffles and what?

@sleepyy

its not true RevTT havent allowed or tell that they will allowed again 161..i have read forum and havent find anything about 161 be allowed there or i have misunderstand something else :P

@sokrates


why are you happy about it?
and that a site bans a well working versions of a client doesnt proof anything..
if a large amount of users wants to stick to µ 1.6.1 there is no point in saying hey we ban the client bc we can..
if you dont have vista and dont use https the rss-reader there is no point in getting the new version..
or have i missed a major improvement in all these many new versions?

lol im not happy and i really dont care,but many major sites have banned 161 and that is telling me something:)

i have also used 161 before but i dont see point of not upgrading to new version..:)

peat moss
01-22-2008, 01:44 AM
Hmm just saw this on the main page of Revtt .


NEWS FLASH - Over 4,000 Banned in 10 days Beware!!


Due to a remotely exploitable crash bug found in previous versions of µtorrent (including early 1.8 alpha), we're asking all members using this client to update to version 1.7.6.

Get 1.7.6 stable here
The alpha 1.8 build 7928 can be found here

Previous versions will no longer work with the tracker. This goes into effect immediately.

Thank you for understanding.

:loverevo://Staff

broomhead
01-22-2008, 02:05 AM
Peat moss: I love ur siggy :p

pandabear
01-22-2008, 03:28 AM
The best part over 1.6.1 with 1.7.x is the fact you can edit the individual upload and download limits for each torrent with right click, so you can select a whole lot of them and put them to a lower limit when you want a certain torrent to seed heavier.

Horatiu
01-22-2008, 04:42 AM
Hmm just saw this on the main page of Revtt .


NEWS FLASH - Over 4,000 Banned in 10 days Beware!!


Due to a remotely exploitable crash bug found in previous versions of µtorrent (including early 1.8 alpha), we're asking all members using this client to update to version 1.7.6.

Get 1.7.6 stable here
The alpha 1.8 build 7928 can be found here

Previous versions will no longer work with the tracker. This goes into effect immediately.

Thank you for understanding.

:loverevo://Staff

They banned all those people because they had open signups a few days ago. Those were dupe or phoney accounts. It has nothing to do with these (much talked about) versions of utorrent.

rvt
01-22-2008, 07:18 AM
lol im not happy and i really dont care,but many major sites have banned 161 and that is telling me something:)
Yep, it proves my favourite one liner, people are stupid.

When you have a large group of people, they cease to function as individuals capable of independent thought. Accepting that 1.6.1 is bad because some other sheeple said so just makes you another sheep.
All those sites that banned it should put up or stop bleating.

zzzMonster
01-22-2008, 07:47 AM
1.76 is not as good as the older versions, it takes really long to connect to the peers and it seems that there is a max num of peers you can connect to - that I think is hard coded internally. The options in utorrent dont seems to rectify that

waterloo
01-22-2008, 09:00 AM
I was away for a few days and missed the whole exploit brouhaha...just checked my 1.6.1 and the revtt torrents are seeding fine. Did they unban it or do they still expect users to upgrade?

FatBob
01-22-2008, 09:37 AM
great , now what.cd and waffles.fm has unbanned ut 1.6.1 :)

briand5379
01-22-2008, 09:43 AM
We've seen this before versions get banned and as time goes by staff test them and so on and different versions become allowed again.

rvt
01-22-2008, 10:23 AM
FatBob: you might want to add this to the original post for those sites who wont unban unless uT says it's ok.

http://forum.utorrent.com/viewtopic.php?pid=300606#p300606
50% of people reading the changelog will be getting a copy of the old one. The new one is there though, and has removed mention of 1.6.x

FatBob
01-22-2008, 10:41 AM
done rvt !

really appreciate all your hard work :)

thread updated

bigdaddykane
01-22-2008, 10:46 AM
for those looking for a link to the utorrent 1.6 i have uploaded it to rapidshare i had it in a registry cd that i had put away so here is the link you all.

http://rapidshare.com/files/85656043/uTorrent-1.6.1-install.rar.html

waterloo
01-22-2008, 12:24 PM
^ http://filehippo.com/download_utorrent :/

rvt
01-22-2008, 01:29 PM
Had to dash out this morning, but here's the link for the new changelog.
http://72.20.34.146/1.7.6/utorrent-1.7.6.txt

You can verify that the IP is utorrents by typing this in a console window:

nslookup download.utorrent.com
One of the two addresses sent back will be the IP above.

FatBob
01-23-2008, 07:29 AM
utorrent 1.6.1 will no longer be banned. It is official.

revtt

:)

pandabear
01-23-2008, 08:52 AM
I have to ask. How can people say 1.6.1 is so great, when in that change log there is heaps of changes in subsequent 1.7.xx versions, meaning those bugs were present in 1.6.1. Unless i am wrong to assume 1.7 was just a carry on from 1.6, with some BT inc coding.

rvt
01-23-2008, 10:50 AM
A lot of the fixes in 1.7.0 1065 were for minor issues, such as logging and display issues.

If we eliminate all logging and UI fixes, we're left with:


1) - Fix: Stopped/paused torrents no longer hold up auto shutdown
2) - Fix: Various minor issues with HTTP client implementation (error handling, parsing)
3) - Fix: Incoming HTTP connections could sometimes go dead (event dispatch problem)
4) - Fix: Some internal size calculations weren't 64-bit clean
5) - Fix: Correct WinSock version detection - it should fail now if it detects the wrong version
6) - Fix: Correct acquisition of special operating system paths (such as the windows directory) on Windows 95 family
7) - Fix: Fix shortcut creation for Windows 95 family
8) - Fix: Fix diskspace information on Windows 95 family
9) - Fix: Shutdown on finish option will now shutdown the machine, even if it is locked
10) - Fix: Fix file association if uTorrent is installed after BitTorrent mainline client
11) - Fix: 307 redirection HTTP code is now handled, instead of an error (i.e. jamendo.com)
12) - Fix: Association check for limited users
1) auto shutdown may be held up, it's not a show stopper.
2) possibly affects announce/scrape, but could be just related to searches. Either way, it's listed as minor.
3) Incoming HTTP connections should only happen on the web ui. Presumably a refresh would work.
4) Would cause the calculated size to be wrong. Not sure where this would have an effect.
5) If winsock version is important, it should fail when you try to do something anyway. This can just warn you ahead of time.
6) Who still uses 95?
7) see 6
8) see 6
9) Not sure what would cause a machine to be "locked" but is it a good idea to shut down if it is?
10) Easy enough to fix as a user anyway.
11) Quick testing shows a 307 redirect is not in place on either their scrape or announce URLs. There may be certain torrents affected by this, but there is not really any place for 307 in a tracker. 307 tells the client to switch to POST instead of GET, yet the BT spec shows all passed variables in GET format. Possibly affects RSS or searches from there though.
12) Again, it's easy to fix associations as a user. This is more of a UI bug.

Everything fixed in subsequent versions cannot be automatically attributed to 1.6.1. In build 1088, the fix for bandwidth allocation selection may be to repair something broken in build 1065.

fOrUmAs
01-23-2008, 12:51 PM
I have to ask. How can people say 1.6.1 is so great, when in that change log there is heaps of changes in subsequent 1.7.xx versions, meaning those bugs were present in 1.6.1. Unless i am wrong to assume 1.7 was just a carry on from 1.6, with some BT inc coding.

because of paranoia,they think that after 161 all version of utorrent have some *spy program* in new utorrent that send your ip to MPAA or RIAA lol..:shutup::shutup:

but after so many testing from many and i mean many privates trackers there wasnt found any proof of that..

so that is why some members bitching all the time to be allowed 161 on some trackers,but they should know no matter what client they(we all use) u are not safe..

:dabs:

rvt
01-23-2008, 02:05 PM
It's not just paranoia about spyware. Witness how every single build in the 1.7.x branch is remotely crashable. Because the crash is caused by an overflow, it may even be exploitable to run code.
This was discovered after 10 months, despite all the testing. How long till other stuff is discovered?

1.7.6 has also not been tested as much as claimed. 1.7.6 was released 8 days ago, so it has at most 8 days of testing behind it.
1.6.1 was released nearly a year ago, so it has a year's worth of testing behind it.
Anyway, there are not a lot of sites that actually conduct their own testing. Every single one of the sites that had to post a correction about 1.6.1 followed someone else's testing. There are a few people on a few sites who actually conduct any of their own testing. Would you trust any of the sites who could not even confirm that 1.6.x was not affected to tell you what is safe and what isn't? If you do, I know a Nigerian banker who can get you some free money.

There are also a whole range of problems that affect various people when they try to run any 1.7.x version. Problems that do not exist in 1.6.1. It is simply not possible for everyone to run the latest version.

FatBob
01-26-2008, 09:25 AM
any news about downgrading 1.7.6 to 1.6.1 on SCT ?

grimms
01-26-2008, 09:40 AM
It's not just paranoia about spyware. Witness how every single build in the 1.7.x branch is remotely crashable. Because the crash is caused by an overflow, it may even be exploitable to run code.
This was discovered after 10 months, despite all the testing. How long till other stuff is discovered?

1.7.6 has also not been tested as much as claimed. 1.7.6 was released 8 days ago, so it has at most 8 days of testing behind it.
1.6.1 was released nearly a year ago, so it has a year's worth of testing behind it.
Anyway, there are not a lot of sites that actually conduct their own testing. Every single one of the sites that had to post a correction about 1.6.1 followed someone else's testing. There are a few people on a few sites who actually conduct any of their own testing. Would you trust any of the sites who could not even confirm that 1.6.x was not affected to tell you what is safe and what isn't? If you do, I know a Nigerian banker who can get you some free money.

There are also a whole range of problems that affect various people when they try to run any 1.7.x version. Problems that do not exist in 1.6.1. It is simply not possible for everyone to run the latest version.

Yes uTorrent 1.7.6 continues to do crash dump errors on me and barely connect to trackers now unlike uTorrent 1.6.1.

peat moss
01-26-2008, 01:53 PM
Have noticed lately my download speed has decreased while the upload has doubled ? Have had trouble this week with my ISP modem too so maybe thats the problem not Utorrent 1.7 upgrade .

It sure makes me curious tho as I seem to have everything set up right from firewall to torrent settings . I'd like to go back and reinstall 1.6 to test after my movies finish d/l ,IPT still allows it .

grimms
01-26-2008, 02:10 PM
Have noticed lately my download speed has decreased while the upload has doubled ? Have had trouble this week with my ISP modem too so maybe thats the problem not Utorrent 1.7 upgrade .

It sure makes me curious tho as I seem to have everything set up right from firewall to torrent settings . I'd like to go back and reinstall 1.6 to test after my movies finish d/l ,IPT still allows it .

Your problems sound a lot like mines peat. I'm having all types of listening port errors, crash dumps, and downloading problems. My upload has seemed to increase as well when ut 1.7.6 is working.:lol: