lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <20080116194728.110eaa84.aluigi@autistici.org>
Date: Wed, 16 Jan 2008 19:47:28 +0100
From: Luigi Auriemma <aluigi@...istici.org>
To: bugtraq@...urityfocus.com, bugs@...uritytracker.com,
	news@...uriteam.com, full-disclosure@...ts.grok.org.uk, vuln@...unia.com,
	packet@...ketstormsecurity.org
Subject: Peers static overflow in BitTorrent 6.0 and
	uTorrent 1.7.5


#######################################################################

                             Luigi Auriemma

Applications: BitTorrent and uTorrent
              http://www.bittorrent.com
              http://www.utorrent.com
Versions:     BitTorrent <= 6.0 (build 5535)
              uTorrent <= 1.7.5 (build 4602)
              uTorrent <= 1.8-alpha-7834
Platforms:    Windows confirmed
              Mac and Linux (both available only on BitTorrent) have
              not been tested
Bug:          crash caused by unicode static buffer-overflow
Exploitation: remote
Date:         16 Jan 2008
Author:       Luigi Auriemma
              e-mail: aluigi@...istici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


BitTorrent and uTorrent are the most used clients for the bittorrent
protocol and are both built over the same code base derived by
uTorrent.


#######################################################################

======
2) Bug
======


By default both the clients have the "Detailed Info" window active with
the "General" section visible in it where are reported various
informations about the status of the torrent and the trackers in use.

In this same window near "General" there is also the "Peers" section
which is very useful since it showes many informations about the other
connected clients like the percentage of availability of the shared
torrent, their IP address, country, speed and amount of downloaded and
uploaded data and moreover the version of their client (like
"BitTorrent 6.0", "Azureus 3.0.3.4", "uTorrent 1.7.5", "KTorrent 2.2.4"
and so on).

When this window is visualized by the user the unicode strings with the
software versions of the connected clients are copied in the relative
static buffers used for the visualization in the GUI through the
wcscpy function.

If this string is too long a crash will occur immediately or in some
cases (like on BitTorrent) could happen later or when the user watches
the status of another torrent or leaves the "Peers" window.
Code execution is not possible.

For exploiting the problem is enough that an external attacker connects
to the random port opened on the client and sends the long client
version and the SHA1 hash of the torrent currently in use and watched
on the target.
Note that all these parameters (client IP, port and torrent's hash) are
publicly available on the tracker.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/ruttorrent.zip


#######################################################################

======
4) Fix
======


uTorrent 1.7.6 (build 7859) released the same day I reported the
vulnerability, great job!

Actually there are no info about when the new version or build of
BitTorrent will be released.


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ