Google researcher Tavis Ormandy discovered several critical vulnerabilities in the classic and web-based versions of BitTorrent’s uTorrent application. Patches have been released, but the expert says not all flaws have been fixed properly.
Ormandy found that the uTorrent Classic and the uTorrent Web apps create an HTTP RPC server on ports 10000 and 19575, respectively. These RPC servers and some vulnerabilities allow remote attackers to take control of the apps with little user interaction.
In the case of uTorrent Web, which is accessed by users via their web browser, the application relies on a random token that is included in every request for authentication. The problem, according to Ormandy, is that the token can be easily obtained by an attacker from the web root folder and abused to take control of the service.
A malicious actor can exploit the flaw to change the torrent download folder and download a file to any writable location. For example, a hacker could change the download directory to the Startup folder in Windows and download an executable file, which would run on every startup.
An exploit can be executed remotely using a DNS rebinding attack, which allows JavaScript code hosted on a website to create a bridge to the local network, effectively bypassing the same-origin policy (SOP).
Ormandy noted that the web root folder also contains other data – not just the authentication token – including settings, logs and crash dump files.
In the case of uTorrent Classic, the Google researcher discovered a vulnerability that allows a malicious website to obtain the targeted user’s download history.
The expert also noticed that the application disables the ASLR and GS exploit mitigations, and that the guest account does not disable some features – the app’s documentation says many features are disabled for security reasons.
Finally, Ormandy found a design flaw related to the use of the Mersenne Twister pseudorandom number generator (PRNG) for creating authentication tokens and cookies, session identifiers, and pairing keys.
The vulnerabilities were reported to BitTorrent on November 27 and they were made public on Tuesday. Ormandy released technical details and proof-of-concept (PoC) code for the more serious of the vulnerabilities he discovered.
The latest beta version of uTorrent Classic (3.5.3 build 44352) patches the flaws, but Ormandy noted that it still disables the ASLR mitigation. BitTorrent says the fixes will be delivered automatically to users over the next days.
As for uTorrent Web, BitTorrent has attempted to implement a patch, but the Google Project Zero researcher says he has managed to bypass it.
BitTorrent VP of Engineering Dave Rees told SecurityWeek that the company only learned of the uTorrent Web vulnerability this week. Nevertheless, the company believes that all vulnerabilities discovered by Ormandy it the two products have been addressed.
uTorrent is not the only torrent application found to be vulnerable to DNS rebinding attacks. In January, Ormandy revealed that he had managed to execute arbitrary code via such an attack against the Transmission client.
*Updated with information from BitTorrent
Related: Google Researcher Finds Critical Flaw in Keeper Password Manager