Flaw In uTorrent Lets Hackers Control Your PC Remotely

[M76]

So this exploit only works if the remote access feature in utorrent is activated and said ports are opened in the firewall, right? The article seems a bit vague on those details.

 

[Twinsen]

So this exploit only works if the remote access feature in utorrent is activated and said ports are opened in the firewall, right? The article seems a bit vague on those details.

Lol, makes sense that it would be a "vulnerability" if you have the options available.

 

[RanceJustice]

Do any other client support automatic file transfers to folders based on label? I have a setup I've been using for a while that requires labels for moving files to different shares/folder automatically. Using utorrent 3.3.1 here.

I am under the impression that all 3 of those I linked can do what you ask either from the start or as optional features activated in each client.

 

[likeman]

i not really read it but seems it runs on local host even if your not using it (just going to a website can tell utorrent to download a file say a exe file to startup folder silently so when pc is rebooted you have access to that pc (RAT)

just use qbittorrent

 

[Deleted member 93354]

Except I also have the VM locked down, and a separate firewall protecting the VM from the internet, so it's unlikely they would get very far.
Too many easier targets on the internet for they to waste too much time on mine, and very little payback if they did manage to infect it.

If you're using a torrent downloader on it, I would say your firewall has an attack vector. But you are right. I'm just saying "Most devices connected to the net are exploitable one way or another"

 

[Elios]

lol what uTorrent gets for going closed

does any one even still use it?

 

[nutzo]

If you're using a torrent downloader on it, I would say your firewall has an attack vector. But you are right. I'm just saying "Most devices connected to the net are exploitable one way or another"

The firewall is completely separate from everything else.
Basic internet security 101. The firewall is your 1st line of defense, so as you want to avoid anything that would to allow someone to compromise it.

 

[Sikkyu]

Yeah, stopped using utorrent a few years ago, switched over to Deluge.

 

[Domingo]

Even though there are plenty of alternatives, I still think uTorrent's UI is/was the cleanest of the bunch. Minus the ads of course
Even though I swapped over the Qb a little while ago, there's just something cheap and unpolished feeling about it and Deluge.

 

[nilepez]

lol what uTorrent gets for going closed

does any one even still use it?

You tell me? Is the most popular torrent client used by anyone?

 

[ChoGGi]

lol what uTorrent gets for going closed

Going closed? when was ut ever open source?

 

[Deleted member 184142]

This reminds me, I have been looking for other options to replace uTorrent. A while back when FF updated, the free addon someone made for remote adding torrents to uTorrent broke, it was great as all I had to do was install the add on and setup the IP etc etc and could be on any computer and start a download back on my server at home. Any of the other options offer that sort of feature? If someone knows off hand that could save me hours of searching for the best options.

 

[ChoGGi]

Well the webui part of ut is where this exploit happens

qbittorrent has a webui, to control it you can use:
https://github.com/tympanix/Electorrent
https://addons.mozilla.org/en-US/firefox/addon/bittorrent-webui-120685/

 

[S-F]

Well the webui part of ut is where this exploit happens

qbittorrent has a webui, to control it you can use:
https://github.com/tympanix/Electorrent
https://addons.mozilla.org/en-US/firefox/addon/bittorrent-webui-120685/

The second one doesn't work with newer versions of FF, as BlueFireIce said. It's one of the main reasons I'm still on an older version of FireFox. That said, since this topic came up I have been looking at Deluge. It would appear that you can run a thin client on a remote computer and it will point everything back to your server. It's hard to say though as the documentation isn't very clear.

 

[ChoGGi]

ah geez, didn't even notice that part of his post. I haven't seen much point in using quantum until the APIs for extensions are a bit more well rounded...

 

[nilepez]

The second one doesn't work with newer versions of FF, as BlueFireIce said. It's one of the main reasons I'm still on an older version of FireFox. That said, since this topic came up I have been looking at Deluge. It would appear that you can run a thin client on a remote computer and it will point everything back to your server. It's hard to say though as the documentation isn't very clear.

Might try Waterfox. It uses the old addons.

 

[mashie]

I use Transmission, works a treat.

 

[sirmonkey1985]

I never updated passed uTorrent 1.61, the switch to Won 10 made me switch to 2.2.0, still ad free but had a massive memory leak, went to qBittorrent nearly 3 years ago now with no problems at all.

utorrent 2.2.1 was and still is the last good version of utorrent once you set everything back to the classic layout.. after that version they switched the adware bullshit due to bitorrent inc. taking over complete control of the software development(there's a bit more behind closed doors for why this happened but it's a long winded story).. as far as the memory leak it all depends on your settings and file sizes within the torrent.. if you're still using windows to control your write caches the memory leak was insanely bad since windows straight up refuses to write incomplete data to disk which doesn't work with how the torrent protocol is designed especially with large single files over ~4GB. easiest config, check override automatic cache and set to 500mb, uncheck write finished pieces immediately, uncheck windows write cache, done..

 

[Nenu]

You can kill the adverts in utorrent by setting bt,apps_store and bt.apps_channel to http://
Then set the remaining bt.apps_ * to false, disable Actvie X for good measure, disable content.offer and remove the URL as well.
I didnt have adverts when I used it after making those changes in the advanced section of preferences.

 

[w1retap]

Workaround:
Turn off WebUI
net.discoverable -- set to false in the advanced settings dialog.

Still using uTorrent 2.0.4 build 22967, since it offers the best speed while seeding 5000+ torrents, with no memory leak issues or disk thrashing issues.

 

[nilepez]

utorrent 2.2.1 was and still is the last good version of utorrent once you set everything back to the classic layout.. after that version they switched the adware bullshit due to bitorrent inc. taking over complete control of the software development(there's a bit more behind closed doors for why this happened but it's a long winded story).. as far as the memory leak it all depends on your settings and file sizes within the torrent.. if you're still using windows to control your write caches the memory leak was insanely bad since windows straight up refuses to write incomplete data to disk which doesn't work with how the torrent protocol is designed especially with large single files over ~4GB. easiest config, check override automatic cache and set to 500mb, uncheck write finished pieces immediately, uncheck windows write cache, done..

To be clear, are you saying uncheck Disable Windows Caching of Disk Writes?

That said, I've been running the program since I rebooted for patching on 2/16 and uTorrent is using 63meg private working set and 70mb commit size, which doesn't seem bad. My uTorrent cache is set to 1800mb...don't remember setting that.