Flaw In uTorrent Lets Hackers Control Your PC Remotely

Status
Not open for further replies.

rgMekanic

[H]ard|News
uTorrent, the most popular torrent download software, has a bug that lets hackers control your PC remotely. TheHackerNews is reporting that the flaw was found by a Google Project Zero researcher in both uTorrent desktop and the newly launched uTorrent Web. Both versions of uTorrent start a locally hosted HTTP RPC server which allows users to access its interface over any web browser; the issue is that remote attackers can take control of the software with very little interaction.

You may want to switch programs if you are a uTorrent user; personally I switched to qBittorrent years ago after uTorrent had a massive memory leak on my system when downloading several Linux ISOs.

"This issue is still exploitable," Ormandy said. "The vulnerability is now public because a patch is available, and BitTorrent have already exhausted their 90 days anyway. I see no other option for affected users but to stop using uTorrent Web and contact BitTorrent and request a comprehensive patch."
 
uTorrent lost me when they started including adware in their soft. I've been using qBittorrent to download all my 100% legal bittorrent content, and that works perfectly and ad-free.

I never updated past uTorrent 1.61; the switch to Win 10 made me switch to 2.2.0, still ad free but it had a massive memory leak. Went to qBittorrent nearly 3 years ago now with no problems at all.
 
Looks like I need a new client.

Any recommendations for something with the most similar UI to uTorrent so I don't have to fumble around much?
 
Looks like I need a new client.

Any recommendations for something with the most similar UI to uTorrent so I don't have to fumble around much?
Deluge for a more similar look, but I prefer Tixati as it just does everything better.
 
Looks like I need a new client.

Any recommendations for something with the most similar UI to uTorrent so I don't have to fumble around much?
If you're using a good version of ut (2.2.1 or lower), just block port 10000 on your router, and make sure you've disabled the webui in prefs.
 
Deluge is what I use now for my linux needs.

It's basically uTorrent before they sold out.
 
Personally I just use rtorrent in screen on the command line of my NAS server. No need for a GUI at all, and can shut my desktop down without interrupting my downloads/seeds :p

rtorrent.png


(not my screenshot)
 
If you like being able to control a torrent client remotely, transmission on Linux (with transmission-remote on Android) is a good option. Tie it to the loopback address and use SSH to access it.
 
"This issue is still exploitable," Ormandy said. "The vulnerability is now public because a patch is available, and BitTorrent have already exhausted their 90 days anyway."

What? There's a patch, but it's still exploitable? That doesn't sound like a patch to me.
 
This need not be a problem if utorrent is run inside a Sandbox which limits its access to the system.
 
hard to believe people beside script kiddies still use it.
Tixati for me.
Tixati contains NO SPYWARE, NO ADS, and NO GIMMICKS.
 
uTorrent lost me when they started including adware in their soft. I've been using qBittorrent to download all my 100% legal bittorrent content, and that works perfectly and ad-free.
The irony is that utorrent was built as a no frills "this is all you need to download stuff via torrents" platform, then someone bought it out I guess? and all went to shit.
 
This need not be a problem if utorrent is run inside a Sandbox which limits its access to the system.

I download all my Linux ISOs in a separate isolated VM.
Even if someone were to get access, there isn't much damage they could do.
If they encrypted the drive, I'd just need to start up a new copy of the VM, install the torrent client and restart the downloads.
 
I download all my Linux ISOs in a separate isolated VM.
Even if someone were to get access, there isn't much damage they could do.
If they encrypted the drive, I'd just need to start up a new copy of the VM, install the torrent client and restart the downloads.

You know you can detect if you are in a VM and then use exploits to attack the kernel right? (Attacking the Backdoor interface will also work)
 
Can this be exploited even if the software is not open? (2.2.1)
 
I'll give Deluge a shot. I've still been using utorrent out of habit mostly and had been meaning to get rid of it, the ads were annoying. Not that I do much and I don't leave it running anyway.
 
I download all my Linux ISOs in a separate isolated VM.
Even if someone were to get access, there isn't much damage they could do.
If they encrypted the drive, I'd just need to start up a new copy of the VM, install the torrent client and restart the downloads.

Meltdown and Spectre say "Hi."

I'm really surprised uTorrent is still around. Though given its popularity years ago, I do wonder if this backdoor was put there intentionally by the powers that be after they were bought out or whatever. </tinfoil hat>
 
I can only imagine the notice sent to them was probably answered by the devs with a "Fuck you, you're using it wrong, it's designed like that." type of reply.

That's what one of their guys on their help forums seemingly says when someone posts a bug. I think he goes by DarkKnight or whatever, but I've never seen such outright rudeness towards people trying to help.

Literally every issue with uT that I've googled that landed me on their help forums had this guy in there just being rude, condescending, and refusing to admit there's a bug. It wasn't a one off. Other users would try and help, or would confirm the same issue, and the official guy was just being a dick.

So good riddance.
 
Can this be exploited even if the software is not open? (2.2.1)
As long as the ports are blocked then not from outside networks (I couldn't get any of the examples working on my copy of 2.2.1).
 
Does this affect uTorrent if the webUI is off? FWIW, I run 2.2.1. Obviously I can switch to a newer version, but I like this version.
 
qbittorrent is fine for me, wish it would add in-app updating though; having it notify me to go download the update and then not even close itself (required for the update) is annoying.
 
this isn't the only security flaw in new versions of utorrent

Though given its popularity years ago, I do wonder if this backdoor was put there intentionally by the powers that be after they were bought out or whatever. </tinfoil hat>

not so tinfoil. utorrent was taken over years ago very publicly. that's why i stopped updating...
 
Does this affect uTorrent if the webUI is off? FWIW, I run 2.2.1. Obviously I can switch to a newer version, but I like this version.
There is a (likely JSON RPC server) service running on port tcp:10000, but I can't get any of the examples to work with it (I blocked it at the router just to be sure).
It looks like ut is listening on my webui port even with the service off, so I'm blocking it as well (and for some reason udp:6671).

Edit: a link to the actual report
https://bugs.chromium.org/p/project-zero/issues/detail?id=1524
 
There is a (likely JSON RPC server) service running on port tcp:10000, but I can't get any of the examples to work with it (I blocked it at the router just to be sure).
It looks like ut is listening on my webui port even with the service off, so I'm blocking it as well (and for some reason udp:6671).

Edit: a link to the actual report
https://bugs.chromium.org/p/project-zero/issues/detail?id=1524
I already blocked 10000 and 19575 in my router (just in case). I guess I'll add 6671 too, though once I shut down this old WHS server and move to a Synology NAS, I'll probably dump uTorrent, so I probably won't need this for more than a week or 2.
 
Yet another reason to leave uTorrent - and EVERY proprietary torrent client - behind. Yes, I'm aware that there can be bugs and vulnerabilities in anything, but on average open source software has a better track record and better methodology for things actually being verifiably fixed. This is doubly important when you know that there are certain vested interests trying to exploit vulnerabilities to "go after" users of this sort of software (i.e. sharing software like BitTorrent, anonymity/privacy focused software like TOR/i2p, encryption etc.).

Some alternatives to uTorrent and other proprietary Torrent clients include....

Deluge - http://deluge-torrent.org/
qBitTorrent - https://www.qbittorrent.org/
Transmission - https://transmissionbt.com/

All of these are updated with reasonable swiftness, offer full compliance with the latest generation of mainstream BitTorrent features (i.e. encryption, uTP, magnet links etc.) and are pretty easy to use on all platforms. There are also a number of other open source clients out there, some of which try to add some additional features atop the BitTorrent base (i.e. Tribler is a unique project adding a decentralized file search besides mainstream BitTorrent usage etc.)

No matter if you use torrents for nothing but public domain works / Linux ISOs or if you have wider downloading interests, it's best for safety and utility to use a modern and capable open source client.
 
Do any other clients support automatic file transfers to folders based on label? I have a setup I've been using for a while that requires labels for moving files to different shares/folders automatically. Using utorrent 3.3.1 here.
 
Well that's just fantastic. You know what would be nice? If we could be notified when some shitty software starts an http server, or listening on any port, or a port that doesn't make sense, or sending traffic that doesn't make sense?

Obviously that relies on trusting the OS (or whatever layer this security lies in). It's complete bullshit that we don't have security below the OS layer given that it's been like 10 years since Intel declared security as one of the "three pillars of computing". They clearly don't care. They have a responsibility to proactively provide security at the hardware level and have failed miserably.
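Two practical points come up in this thread: the earlier advice to tie a client's remote-control interface to the loopback address and reach it over SSH, and the wish above to be told when a program starts listening on a port. The following Python script is an added example written for this thread; it is not code from uTorrent, Transmission, or any poster. It assumes Linux `ss -ltnp` output (the sample lines below are constructed, and the uTorrent/Transmission process names and ports in them merely echo what posters report) and it checks real `transmission-daemon` settings.json keys (`rpc-bind-address`, `rpc-whitelist-enabled`, `rpc-authentication-required`) with constructed values. It reports any listener that is not bound to loopback, labelling the ports posters say uTorrent uses, and flags an RPC configuration that is reachable from the network.

```python
import json
import re
from ipaddress import ip_address

# Constructed sample of `ss -ltnp` output. Process names and ports are
# illustrative; 10000 and 19575 are the ports posters in this thread blocked.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    127.0.0.1:9091      0.0.0.0:*     users:(("transmission-da",pid=812,fd=12))
LISTEN 0      128    0.0.0.0:10000       0.0.0.0:*     users:(("utorrent",pid=2331,fd=7))
LISTEN 0      128    *:19575             *:*           users:(("utorrent",pid=2331,fd=9))
LISTEN 0      128    [::1]:8080          [::]:*        users:(("qbittorrent-nox",pid=977,fd=20))
"""

# Ports reported in the thread for uTorrent; used only to annotate findings.
THREAD_REPORTED_PORTS = {10000, 19575}

# One `ss -ltnp` LISTEN row: address:port, peer, optional owning process.
SS_LINE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+'
    r'(?:\s+users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+))?'
)


def is_loopback(addr):
    """True only for 127.0.0.0/8 or ::1; wildcards ('*', 0.0.0.0, ::) are not."""
    a = addr.strip('[]')
    if a in ('*', '0.0.0.0', '::'):
        return False
    try:
        return ip_address(a).is_loopback
    except ValueError:
        return False


def audit_listeners(ss_output):
    """Return (process, port, address, note) for every non-loopback listener."""
    findings = []
    for line in ss_output.splitlines():
        m = SS_LINE.match(line)
        if not m:
            continue
        addr, port = m.group('addr'), int(m.group('port'))
        proc = m.group('proc') or '?'
        if is_loopback(addr):
            continue  # only reachable from this host; fine for a local web UI
        note = 'reachable from the network'
        if port in THREAD_REPORTED_PORTS:
            note += ' (port reported for uTorrent in this thread)'
        findings.append((proc, port, addr, note))
    return findings


# transmission-daemon settings.json fragments; keys are real, values constructed.
SAMPLE_TRANSMISSION_SETTINGS = json.dumps({
    "rpc-enabled": True,
    "rpc-bind-address": "0.0.0.0",          # weak: listens on every interface
    "rpc-port": 9091,
    "rpc-whitelist-enabled": False,
    "rpc-authentication-required": False,
})

HARDENED_TRANSMISSION_SETTINGS = json.dumps({
    "rpc-enabled": True,
    "rpc-bind-address": "127.0.0.1",        # loopback only; reach it via SSH
    "rpc-port": 9091,
    "rpc-whitelist-enabled": True,
    "rpc-whitelist": "127.0.0.1",
    "rpc-authentication-required": True,
})


def check_transmission_rpc(settings_json):
    """Return a list of problems with the RPC exposure of a settings.json."""
    s = json.loads(settings_json)
    problems = []
    if not s.get("rpc-enabled", False):
        return problems  # no RPC listener at all
    if not is_loopback(s.get("rpc-bind-address", "0.0.0.0")):
        problems.append("rpc-bind-address is not loopback; set 127.0.0.1 and tunnel over SSH")
    if not s.get("rpc-whitelist-enabled", False):
        problems.append("rpc-whitelist-enabled is false")
    if not s.get("rpc-authentication-required", False):
        problems.append("rpc-authentication-required is false")
    return problems


if __name__ == "__main__":
    for proc, port, addr, note in audit_listeners(SAMPLE_SS_OUTPUT):
        print(f"{proc:18s} {addr}:{port}  {note}")
    for p in check_transmission_rpc(SAMPLE_TRANSMISSION_SETTINGS):
        print("transmission:", p)
```

On a real box, feed the output of `ss -ltnp` to `audit_listeners` (run it as root so the process column is populated) and point `check_transmission_rpc` at the daemon's settings.json. With the hardened settings, remote control works the way the earlier post describes: `ssh -L 9091:127.0.0.1:9091 user@nas`, then `transmission-remote 127.0.0.1:9091` on the client side talks to the loopback-bound RPC through the tunnel.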
 
You know you can detect if you are in a VM and then use exploits to attack the kernel right? (Attacking the Backdoor interface will also work)

Except I also have the VM locked down, and a separate firewall protecting the VM from the internet, so it's unlikely they would get very far.
Too many easier targets on the internet for them to waste too much time on mine, and very little payback if they did manage to infect it. :p
 