Attention uTorrent and BitTorrent users!


U2Lynne
2008-01-18, 10:59 AM
From here: http://torrentfreak.com/bittorrent-clients-vulnerable-to-remote-dos-attack-080117/
uTorrent and Official BitTorrent Client Vulnerable to Remote DOS Attack
Written by enigmax on January 17, 2008

Both the official BitTorrent and uTorrent clients are vulnerable to a remote denial-of-service attack, due to the way they handle user-supplied data. Versions found to be vulnerable so far are the official BitTorrent 6.0 client, uTorrent 1.7.x, uTorrent 1.6.x and uTorrent 1.8-alpha-7834.

Security vulnerabilities in BitTorrent clients are relatively rare, although not unheard of. Luigi Auriemma, a Milan-based security expert, claims to have found a vulnerability in various BitTorrent clients based on the way they handle user-supplied data. The flaw allows an attacker to crash the application, effectively denying service to legitimate users. Code execution is not possible, which means there is little reason for users to panic.

So far, the problem appears to affect these clients:

- BitTorrent 6.0 (build 5535)
- uTorrent 1.7.5 (build 4602)
- uTorrent 1.8 (alpha 7834)

Luigi is reporting that earlier versions of these clients may also be vulnerable and this appears to have been confirmed by the uTorrent team. The problems are confirmed to exist on Windows versions of the software. As yet, Mac and Linux versions of the official BitTorrent client have not been tested.

The bug in detail (from Luigi’s site (http://aluigi.altervista.org/adv/ruttorrent-adv.txt)):

By default both the clients have the “Detailed Info” window active with the “General” section visible in it, where various information about the status of the torrent and the trackers in use is reported.

In this same window near “General” there is also the “Peers” section which is very useful since it shows much information about the other connected clients like the percentage of availability of the shared torrent, their IP address, country, speed and amount of downloaded and uploaded data and moreover the version of their client (like “BitTorrent 6.0”, “Azureus 3.0.3.4”, “uTorrent 1.7.5”, “KTorrent 2.2.4” and so on).

When this window is visualized by the user the unicode strings with the software versions of the connected clients are copied in the relative static buffers used for the visualization in the GUI through the wcscpy function.

If this string is too long a crash will occur immediately or in some cases (like on BitTorrent) could happen later or when the user watches the status of another torrent or leaves the “Peers” window. Code execution is not possible.

To exploit the problem it is enough that an external attacker connects to the random port opened on the client and sends the long client version and the SHA1 hash of the torrent currently in use and watched on the target. Note that all these parameters (client IP, port and torrent’s hash) are publicly available on the tracker.

The uTorrent team state the flaw affects all older uTorrent versions 1.6 and 1.7.x too but have been quick to respond, releasing a new build - uTorrent 1.7.6 (build 7859) which has fixed the issue.

It can be downloaded here (http://download.utorrent.com/1.7.6/utorrent.exe).

edit 2008-01-27: Newest utorrent is 1.7.7: http://download.utorrent.com/1.7.7/utorrent.exe
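
Added example (not part of the quoted article, the advisory, or either client's source): the unchecked `wcscpy` pattern the advisory describes, beside a bounded copy that truncates instead of overrunning. The buffer name, its 64-character size and the function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>

#define VERSION_FIELD_LEN 64  /* assumed capacity of the GUI buffer, in wchar_t */

/* Hypothetical static buffer backing the "client version" column. */
static wchar_t g_peer_version[VERSION_FIELD_LEN];

/* Pattern the advisory describes: the peer-supplied string is copied with
 * wcscpy and its length is never compared with the buffer size.
 * Shown for contrast only; nothing in this example calls it. */
void show_version_unchecked(const wchar_t *peer_version)
{
    wcscpy(g_peer_version, peer_version);
}

/* Bounded copy: writes at most dst_len - 1 characters plus a terminator.
 * src_len is the number of wchar_t actually received from the peer.
 * Returns 0 if everything fit, 1 if truncated, -1 on bad arguments. */
int copy_version_bounded(wchar_t *dst, size_t dst_len,
                         const wchar_t *src, size_t src_len)
{
    size_t n = 0;

    if (dst == NULL || src == NULL || dst_len == 0)
        return -1;
    while (n < src_len && n < dst_len - 1 && src[n] != L'\0') {
        dst[n] = src[n];
        n++;
    }
    dst[n] = L'\0';
    /* Truncated if input remains that was neither copied nor a terminator. */
    return (n < src_len && src[n] != L'\0') ? 1 : 0;
}

int main(void)
{
    wchar_t longv[300];  /* constructed oversized version string */
    size_t i;

    for (i = 0; i < 299; i++)
        longv[i] = L'A';
    longv[299] = L'\0';
    printf("%d\n", copy_version_bounded(g_peer_version, VERSION_FIELD_LEN, longv, 299));
    printf("%zu\n", wcslen(g_peer_version));
    return 0;
}
```
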

paddington
2008-01-18, 11:11 AM
:thumbsup

Salva Veritate
2008-01-18, 03:34 PM
Doesn't utorrent 1.7.x report your download information or something? Or was that some paranoid/exaggerated rumor?

bartmanus
2008-01-19, 11:12 AM
It is only a paranoid rumor.

Doesn't the RIAA (who sues some P2P users) use clients to view who connects to them? That way they get users' internet addresses which they can then get warrants for ISPs to link to customers.

All clients are vulnerable to such an 'attack'. But AFAIK RIAA has only sued Kazaa users while they continually try to bring down ed2k portals and torrent hosting sites.

rosc2112
2008-01-19, 03:51 PM
Crash bugs from buffer overruns are pretty common (and symptomatic of programmers who don't know what bounds checking is for..)

lbeatle
2008-01-20, 10:51 PM
My uTorrent client has been upgraded.

datdork
2008-01-21, 12:52 AM
seems that 1.6 is fine. 1.6.1 build 190 is the most stable and I'm not about to "upgrade" to 1.76 call me paranoid if ya won't but I haven't trusted them since 1.7X



many many dorks have tried/tested the crash exploit on all versions and this is what they came up with.


1.6.0 (474) fine (but vulnerable to exploit1)
1.6.1 (488) fine
1.6.1 (489) fine
1.6.1 (490) fine
1.7.0 (3353) bugged
1.7.1 (3360) bugged
1.7.2 (3458) bugged
1.7.3 (4470) bugged
1.7.4 (4482) bugged
1.7.5 (4602) bugged

saltman
2008-01-21, 02:26 AM
Try Halite

http://sourceforge.net/project/screenshots.php?group_id=179129
http://sourceforge.net/project/showfiles.php?group_id=179129

dannyandamie
2008-01-22, 08:15 PM
What is RIAA? What is P2P? Do they really get IP addys and sue? What torrent should I use?
What does U2Lynne use? What does Dylan use? You guys are great!

rosc2112
2008-01-22, 08:21 PM
What is RIAA? What is P2P? Do they really get IP addys and sue? What torrent should I use?
What does U2Lynne use? What does Dylan use? You guys are great!

Go back to sleep.

dannyandamie
2008-01-22, 08:28 PM
What is RIAA? What is P2P? Do they really get IP addys and sue? What torrent should I use?
What does U2Lynne use? What does Dylan use? You guys are great!

Go back to sleep.

Meaning???

dannyandamie
2008-01-22, 08:47 PM
What is RIAA? What is P2P? Do they really get IP addys and sue? What torrent should I use?
What does U2Lynne use? What does Dylan use? You guys are great!

Go back to sleep.

I'm not sure that this answered any of my questions..?/?:hmm:

U2Lynne
2008-01-22, 10:39 PM
What is RIAA? What is P2P? Do they really get IP addys and sue? What torrent should I use?
What does U2Lynne use? What does Dylan use? You guys are great!

Go back to sleep.

I'm not sure that this answered any of my questions..?/?:hmm:
I'm on a Mac and use Azureus, so this notice didn't affect me, but I know that many of the users on this site use uTorrent which is why this was posted.

dementrium
2008-01-23, 08:53 AM
Ironically, this is very good news to me. Why? Because, now I can connect the dots to what probably happened to me in December.

The symptoms, so far...

The torrents happened to stop with an O.S. error msg. Something like "insufficient resources to complete the requested command".
Also, the other applications were affected too. Windows was unable to even display some of the desktop icons. All in all, the system was dragging on its knees.
Reboot. Started (the same) torrents again. After a few minutes, the same thing.

It seemed that the problem wasn't related to RAM or HD resources.

After some checking, I was totally clueless. So, did what I call a PSM (Placebo System Maintenance).

This time the PSM consisted of freeing some HD space, backing up/erasing all torrent activity. So, I started torrenting again from zero, with new torrents. The problem didn't happen again. (Dots connected with the issue mentioned here... I hope :) ).

I will not upgrade at this moment, just to see if this happens again. :hmm:

Thank you, people, for this info.

tgunn2760
2008-01-23, 09:52 AM
It is only a paranoid rumor.

Doesn't the RIAA (who sues some P2P users) use clients to view who connects to them? That way they get users' internet addresses which they can then get warrants for ISPs to link to customers.

All clients are vulnerable to such an 'attack'. But AFAIK RIAA has only sued Kazaa users while they continually try to bring down ed2k portals and torrent hosting sites.


I always have this on, even when downloading legal bootlegs:


http://phoenixlabs.org/pg2/

Defin8
2008-01-23, 10:07 AM
Got that µTorrent upgraded to 1.7.6 but I'm not allowing sending statistic info about my use and private info in config properties...seems fine enough

bannanna
2008-01-23, 05:33 PM
ive got bit torrent 6 and an upgrade to the latest version popped up on the screen i declined cos im halfway through a long haul on two downloads thinking my downloads will be lost.....Any suggestions/comments ?? :hmm: :wtf:

U2Lynne
2008-01-23, 05:59 PM
You can upgrade utorrent after you are finished downloading. I'm not that familiar with utorrent, but on Azureus when it does an upgrade, it will do all the upgrade stuff it needs and then say "you need to restart for the upgrade to take effect. Do you wish to restart now?" and you can say no and then finish the upgrade after your torrents are done.

bannanna
2008-01-23, 06:02 PM
Thankyou again U2Lynne. :)

dementrium
2008-01-23, 07:33 PM
ive got bit torrent 6 and an upgrade to the latest version popped up on the screen i declined cos im halfway through a long haul on two downloads thinking my downloads will be lost.....Any suggestions/comments ?? :hmm: :wtf:

Just download the newish utorrent.exe/stop your torrents/exit utorrent/replace your actual utorrent.exe with the new utorrent.exe/start again utorrent/resume your torrents and stfu.
:angel:

glens
2008-01-26, 01:11 PM
resume your torrents and stfu.

:nono: :lol4: :lol4:

U2Lynne
2008-01-26, 01:17 PM
resume your torrents and stfu.

:nono: :lol4: :lol4:
:wtf:


I hope you got it all working bannanna.

dementrium
2008-01-29, 11:07 AM
STFU = Share The Fantastic mUsic

:angel:
SORRY FOR THE CONFUSION

Well, finally I switched to 1.7.7. The UI is a bit slower than 1.6 (build 474), so I will try it a little more time. The 1.6 was running like a rocket, here.

Just searched on some forums and it seems that the weird behaviour (system hangs) I experienced a month ago (described on page 1), was due to this exploit. Someone said the vulnerability is more prone to be open when using public trackers. And I remember clearly, when the problem happened, I was dl'ing some books at a well-known bay. :nono: This explains how the crash issue got solved once I finished that torrent.

paddington
2008-01-29, 12:07 PM
stfu n00b

SundayDriver
2008-02-03, 11:05 PM
Don't mind jameskg. He's just pissed that this vulnerability was revealed so he can't launch anymore uTorrent DOS attacks. :lol:

Red Lester
2008-02-05, 10:26 AM
These links will explain more about RIAA and P2P.

http://en.wikipedia.org/wiki/Peer-to-peer

http://en.wikipedia.org/wiki/RIAA

flyer111
2008-02-05, 09:06 PM
obviously luigi didnt count on utorrent making good on that dos attack with a newer version that pretty much resolves that and/or he probably dont know about peer guardian either...

heymnaooh1
2008-02-19, 06:29 PM
How can I improve upload speed on utorrent 1.6? I used to be able to u/l at 40kB/s but I've noticed over the last few days it barely gets above 10kB/s with a bunch of peers connected.

On Options > Preferences > Bittorrent, under "additional BitTorrent Features"
"Enable DHT Network" & "Enable DHT for new torrents" are unchecked while
"ask tracker for scrape information" and "Enable Peer Exchange" are checked.
For "Protocol Encryption", "Outgoing: Forced" with "Allow incoming legacy connections" checked.

This is how I've had my settings and haven't changed it since these are the recommended configurations. I'm not firewalled and the ports being used are open.

So I'm basically wondering why uploading is so slow :hmm:

travishayes89
2008-05-17, 06:59 PM
This only affects the mentioned versions, right?

Cause I use build 86-something (v 6.0.3) of BitTorrent, and I want to know if I should be worried.

bootsy35
2008-05-18, 04:21 PM
i cannot download anything now computer says illegal menu
Can someone help me???

U2Lynne
2008-05-18, 04:26 PM
i cannot download anything now computer says illegal menu
Can someone help me???
You are shown to be on several torrents here: http://www.thetradersden.org/forums/member.php?u=211911 I'm not sure why you say you cannot download.

PearlJamAmerica.com
2008-05-23, 07:23 AM
Thank you for the information. I was not aware of this until today. I am using the latest uTorrent 1.8 Beta. I guess this has been resolved?

Audiophile63
2008-05-24, 09:57 AM
Does anyone know what's different about BitTorrent v6.0.3 since v6.0??
:hmm:


I use build 86-something (v 6.0.3) of BitTorrent, and I want to know if I should be worried.

AirHendrix
2008-06-19, 02:48 PM
I'm sorry to ask this but I'm totally confused:

Why should I worry if I use UTorrent?

What do you mean about being vulnerable?

LeifH12345
2008-06-19, 02:59 PM
They can see what you're downloading, [man].

RUabell
2008-07-06, 12:34 AM
huhh?

SundayDriver
2008-07-06, 01:19 AM
huhh?

I've never had this happen in uTorrent, however...the new version of Azureus, "Vuze" has these issues. If they find something that they deem "copyright infringement" (and this has happened with live shows!), they e-mail you and remove the torrent from your client.

EDIT: This thread is about the old DOS issue. Nevermind...the old DOS issue was a loophole in uTorrent that could allow someone to remotely end your uTorrent session.

spursfan
2008-07-08, 11:11 PM
Does anyone know what's different about BitTorrent v6.0.3 since v6.0??
:hmm:

I'd like to know also. Thanks.

U2Lynne
2008-07-09, 10:57 AM
Does anyone know what's different about BitTorrent v6.0.3 since v6.0??
:hmm:

I'd like to know also. Thanks.
Usually if you go to the application site there will be a Revision History link which outlines every little change between revisions.