Critical Remote Code Execution Vulnerabilities in uTorrent

uTorrent users are being warned about using the popular uTorrent Web client and uTorrent Classic desktop client after researchers at Google Project Zero revealed two critical vulnerabilities that could lead to remote code execution. These vulnerabilities may impact uTorrent users by allowing hackers to access the download history or inject malware into the system.

Tavis Ormandy, a Project Zero researcher, found and reported the easy-to-exploit vulnerabilities, but patches were not issued within 90 days. Ormandy then disclosed the vulnerabilities publicly.

uTorrent Remote Code Execution Vulnerabilities

According to the researchers, the discovered vulnerabilities are linked to JavaScript Object Notation (JSON) Remote Procedure Call (RPC) issues. Attackers can exploit the flaws from any website using XMLHttpRequest(). If a user visits a website controlled by the attacker, the user's system will be compromised.

“As the name suggests, uTorrent Web uses a web interface and is controlled by a browser as opposed to the desktop application. By default, the uTorrent web is configured to startup with Windows, so will always be running and accessible. For authentication, a random token is generated and stored in a configuration file which must be passed as a URL parameter with all requests. When you click the uTorrent tray icon, a browser window is opened with the authentication token populated, it looks like this:” the researchers stated.

BitTorrent, the developer of the uTorrent apps, stated that the vulnerability has been patched in the latest beta version (build released on 16 Feb 2018) of the uTorrent Windows desktop app. Dave Rees, VP of engineering at BitTorrent, said that the relevant patch will be issued to existing users soon.

“This requires some simple DNS rebinding to attack remotely, but once you have the (authentication) secret you can just change the directory torrents are saved to, and then download any file anywhere writable,” Ormandy said.
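Ormandy's remark names DNS rebinding as the way a remote page reaches the local web interface. The following is an added example, not code from uTorrent, BitTorrent or Project Zero, of a common defence for loopback HTTP services: reject any request whose Host (or Origin) header does not name the loopback interface before the token is even compared. The port 8080, the token value, the function names and the assumption that the service speaks plain HTTP are all constructed for illustration.

```python
import hmac
from urllib.parse import urlsplit

# Names a loopback-only service answers to. Under DNS rebinding the browser reaches
# the service through the attacker's domain, so the Host header carries that name.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def split_host_port(value, default_port):
    """Parse "name", "name:port" or "[v6]:port" into (host, port); (None, None) if invalid."""
    value = value.strip()
    if "@" in value:  # userinfo is never valid in Host or Origin
        return None, None
    try:
        parts = urlsplit("//" + value)
        port = parts.port  # raises ValueError on a non-numeric or out-of-range port
    except ValueError:
        return None, None
    if parts.path or parts.query or parts.fragment:
        return None, None
    host = (parts.hostname or "").lower().rstrip(".")
    return host, (port if port is not None else default_port)


def is_request_allowed(headers, listen_port, expected_token, supplied_token):
    """Accept a request only if Host, Origin (when sent) and token all check out."""
    host, port = split_host_port(headers.get("Host", ""), 80)
    if host not in LOOPBACK_HOSTS or port != listen_port:
        return False  # Host names some other site: rebinding or misrouted request
    origin = headers.get("Origin")
    if origin is not None:  # browsers attach Origin to cross-site XMLHttpRequest calls
        o_host, o_port = split_host_port(origin.split("://", 1)[-1], 80)
        if o_host not in LOOPBACK_HOSTS or o_port != listen_port:
            return False
    # Constant-time comparison of the per-install token passed as a URL parameter.
    return hmac.compare_digest((supplied_token or "").encode(), expected_token.encode())


if __name__ == "__main__":
    token = "constructed-token"  # constructed sample values, not uTorrent's
    for hdrs in ({"Host": "127.0.0.1:8080"}, {"Host": "rebind.attacker.example:8080"}):
        print(hdrs, is_request_allowed(hdrs, 8080, token, token))
```

The Host check is what defeats rebinding: the browser treats the rebound name as same-origin and may send no Origin header at all, but it still puts the attacker's domain name in Host.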

BitTorrent released a statement acknowledging that it is aware of the reported vulnerabilities and that fixes are ready for release to the public. All users will start to receive the update automatically in the coming days.
