uTorrent “announce” URL Handling Buffer Overflow

[goobimama]

A potentially very dangerous vulnerability has been discovered in the latest version of popular BitTorrent client uTorrent. This could be exploited by attackers to take complete control of an affected system. This issue is due to a buffer overflow error when handling a “torrent” file containing an overly long “announce” URL, which could be exploited by remote attackers to execute arbitrary commands by tricking a user into opening a specially crafted torrent file or visiting a malicious web page.

All version of uTorrent are affected, including latest version 1.6 build 474 and prior. There’s already a working exploit for this floating on the internet. No fixed version has been released, as this is really fresh stuff. Although this exploit could be very dangerous, you need to download the “infected” torrent first and use it with this client. I recommend waiting for a new version of uTorrent (should be available within few hours, max days) and downloading only from trusted websites such as NewTorrents.info where are all torrents checked.

Quoted from www.rlslog.net [http://www.rlslog.net/utorrent-annou...fer-overflow/]

[Sourabh]

There has been no update for utorrent ever since it was taken over by Bit Torrent Inc. So waiting for a new version without some DRM is being very optimistic. If there is no update to patch this, I will shift to FlashGet for torrents too.

[gxsaurav]

Switched to bitcomet here on Vista, utorrent was not givign full speed.

[Arsenal_Gunners]

Why don't you guys switch to BITcomet.I am getting speeds of around 35KBps
on my 256KBps connection in Vista.(MAX 30 on xp)

[navjotjsingh]

µTorrent 1.6.1 Build 488 - Final

Released 13 Feb, 2007.

Changes in Version 1.6.1 (build 488), 2007-02-13:
- Feature: Select upload/download speed for a torrent through the rightclick menu
- Feature: Added encryption box to speed guide
- Change: Don't check as many pieces at the same time.
- Change: Misc WebUI changes.
- Change: Switch to JSON for webinterface
- Fix: Problem with category list in the gui when updated from the webui
- Fix: WebUI not clearing state between requests.
- Fix: Redirect also index.html to guest.html
- Fix: Added On Now shows the time it's added, not loaded.
- Fix: JSON uses " instead of '
- Fix: (a) Upnp fix
- Fix: Show pause icon when checking is paused.
- Fix: Fixed problems with XML parser
- Fix: Don't allow two message boxes to be shown in the RSS window
- Fix: Changed some window titles
- Fix: Fix malformed .torrent exploit
- Fix: Boss key field is now larger

http://download.utorrent.com/1.6.1/utorrent.exe

Size: 173 KB

[Arsenal_Gunners]

^ 8+)=8)
:d

[gxsaurav]

Quote:

Originally Posted by vimal_mehrotra

Why don't you guys switch to BITcomet.I am getting speeds of around 35KBps
on my 256KBps connection in Vista.(MAX 30 on xp)

Bitcomet is good for Vista, it sux on XP though....it nothing fast compared to utorrent in XP

[Arsenal_Gunners]

No,I got 9-10 kbps at max in utorrent in xp also.

[busyanuj]

thnx for informing

[casanova]

uTorrent 1.6.1 Build 489 is out.

[nishant_nms]

was the bug fixed in new release?

[casanova]

Nothing mentioned about that. Probably it wasn't. They released another build. uTorrent 1.6.1 Build 490.
This is the change log.

Quote:

--- 2007-02-13: Version 1.6.1 (build 490)
- Feature: Select upload/download speed for a torrent through the rightclick menu
- Feature: Added encryption box to speed guide

- Change: Don't check as many pieces at the same time.
- Change: Misc WebUI changes.
- Change: Switch to JSON for webinterface

- Fix: Problem with category list in the gui when updated from the webui
- Fix: WebUI not clearing state between requests.
- Fix: Redirect also index.html to guest.html
- Fix: Added On Now shows the time it's added, not loaded.
- Fix: JSON uses " instead of '
- Fix: (a) Upnp fix
- Fix: Show pause icon when checking is paused.
- Fix: Fixed problems with XML parser
- Fix: Don't allow two message boxes to be shown in the RSS window
- Fix: Changed some window titles
- Fix: Fix malformed .torrent exploit
- Fix: Boss key field is now larger
- Fix: PECompact bug causing crashes

They haven't mentioned about the flaw on the site nither in the change log. It should be fixed with the latest build as of now.

[navjotjsingh]

What is happening with utorrent...earlier they stopped updating for more than 6 months and now in 2 days they updated it thrice...488,489 and 490!!

[Arsenal_Gunners]

^^they prepared these versions in 6 months and now releasing them one after the other

I think utorrent is finished once and for all. I left utorrent and started using azerues and iam loving it baby. .

I do not why this people say that it memory. It is hardly taking any memory.