A BitTorrent client with more than 100 million users suffered numerous critical vulnerabilities, including remote code execution and copying of downloaded files, according to new information from Google’s Project Zero. Users were left exposed for several hours on Tuesday after the bugs were made public and a first security patch proved incomplete. A new and effective patch was delivered Tuesday night.
Google security researcher Tavis Ormandy informed BitTorrent Inc. of the issues with the uTorrent client in December 2017.
A patch was made public early Tuesday but Ormandy says that, after a small tweak, his exploits continued to work in the default configuration.
“This issue is still exploitable,” Ormandy explained. “The vulnerability is now public because a patch is available, and BitTorrent have already exhausted their 90 days anyway. I see no other option for affected users but to stop using uTorrent Web and contact BitTorrent and request a comprehensive patch.”
Late Tuesday night, BitTorrent Inc.’s Vice President of Engineering David Rees said the company had released uTorrent Web version 0.12.0.502, which ultimately fixed the issue. All users are urged to update now.
Here is a basket of uTorrent DNS rebinding vulnerabilities that are now fixed, from remote code execution to querying and copying downloaded files, and more. https://t.co/JEvhq1IHGJ
— Tavis Ormandy (@taviso) February 20, 2018
BitTorrent’s software, including uTorrent, lets users share and fetch files over the open internet. By default, uTorrent, an ad-supported client, is configured to launch with Windows at startup, so the vulnerable application is by design always running. The client essentially runs a server on the user’s machine: a BitTorrent peer for file-sharing and, alongside it, a local HTTP server that its web interface uses to control the application.
The unpatched version of that local server could be attacked from any website using ordinary browser requests; Ormandy described the bugs as “so trivial.”
“By default, uTorrent creates an HTTP RPC server on port 10000 (uTorrent classic) or 19575 (uTorrent web),” Ormandy wrote. “There are numerous problems with these RPC servers that can be exploited by any website using XMLHTTPRequest(). To be clear, visiting *any* website is enough to compromise these applications.”
A malicious website could steal the target’s authentication secret and thereby gain complete control of the victim’s uTorrent service, as well as access to logs, settings and a variety of other data.
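A practical mitigation for this class of bug is for the local RPC server to reject any request whose Host header is not a loopback name or address on its own port: a page that performs DNS rebinding still sends the attacker’s domain as the Host header, because the browser never changed the URL it asked for. The following is an added example of that check, written for this article; it is not uTorrent’s code and makes no claim to be the fix BitTorrent shipped. The port is the uTorrent Web default quoted above; the request handler, its `check_host` switch showing the weak behaviour, and the JSON reply are invented for illustration.

```python
"""Host-header validation for a localhost HTTP RPC service as a defence
against DNS rebinding. Added example for this article; not uTorrent's
code. Assumptions: the service is only ever legitimately reached as
localhost / 127.0.0.1 / [::1] on LISTEN_PORT; the handler and its JSON
reply are made up for illustration."""
import ipaddress
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

LISTEN_PORT = 19575  # uTorrent Web default named in the article


def split_host_header(value):
    """Parse a Host header into (host, port); port is None when absent.
    Returns (None, None) for anything malformed, which callers reject."""
    value = value.strip().lower()
    if value.startswith("["):                      # bracketed IPv6 literal
        end = value.find("]")
        if end == -1:
            return None, None
        host, rest = value[1:end], value[end + 1:]
        if rest == "":
            return host, None
        if rest.startswith(":") and rest[1:].isdigit():
            return host, int(rest[1:])
        return None, None
    if value.count(":") > 1:                       # bare IPv6 is not a valid Host
        return None, None
    host, sep, port = value.partition(":")
    host = host.rstrip(".")                        # "localhost." is "localhost"
    if not sep:
        return host, None
    if port.isdigit():
        return host, int(port)
    return None, None


def host_header_is_local(value, listen_port):
    """True only if the browser addressed us by a loopback name or address
    on our own port. A rebound request carries the attacker's domain in
    Host, so it fails here even though it arrived over 127.0.0.1."""
    host, port = split_host_header(value)
    if not host:
        return False
    if port is not None and port != listen_port:
        return False
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False                               # any other DNS name could be rebound


def rpc_response_status(host_header, listen_port, check_host=True):
    """HTTP status the RPC endpoint answers with. check_host=False is the
    weak behaviour: any Host is served, so a rebinding page gets the data."""
    if check_host and not host_header_is_local(host_header, listen_port):
        return 403
    return 200


class RpcHandler(BaseHTTPRequestHandler):
    """Minimal RPC endpoint with the Host check applied to every request."""

    def do_GET(self):
        status = rpc_response_status(self.headers.get("Host", ""),
                                     self.server.server_port)
        body = json.dumps({"ok": status == 200}).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Bind to loopback only; a 0.0.0.0 bind would expose the RPC to the LAN.
    HTTPServer(("127.0.0.1", LISTEN_PORT), RpcHandler).serve_forever()
```

Run the module and try `curl -H 'Host: attacker.example:19575' http://127.0.0.1:19575/` against it: the request reaches the loopback socket exactly as a rebound browser request would, and is answered with 403, while `curl http://localhost:19575/` gets 200. The Host check is a necessary layer, not a complete one; a local RPC should still require an unguessable token per request and bind only to loopback, and a browser-facing endpoint should also reject unexpected Origin headers.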
Update: Ormandy’s new comments about the exploits continuing to work despite the patch have been added. David Rees’s news about the latest patch has been added as well.