The Traders' Den  
#1 - U2Lynne (TTD Staff) - 2008-01-18, 10:59 AM
Attention uTorrent and BitTorrent users!

From here: http://torrentfreak.com/bittorrent-c...attack-080117/
Quote:
uTorrent and Official BitTorrent Client Vulnerable to Remote DOS Attack
Written by enigmax on January 17, 2008

Both the official BitTorrent and uTorrent clients are vulnerable to a remote denial-of-service attack, due to the way they handle user-supplied data. Versions found to be vulnerable so far are the official BitTorrent 6.0 client, uTorrent 1.7.x, uTorrent 1.6.x and uTorrent 1.8-alpha-7834.

Security vulnerabilities in BitTorrent clients are relatively rare, although not unheard of. Luigi Auriemma, a Milan-based security expert, claims to have found a vulnerability in various BitTorrent clients based on the way they handle user-supplied data. The flaw allows an attacker to crash the application, effectively denying service to legitimate users. Code execution is not possible, which means there is little reason for users to panic.

So far, the problem appears to affect these clients:

- BitTorrent 6.0 (build 5535)
- uTorrent 1.7.5 (build 4602)
- uTorrent 1.8 (alpha 7834)

Luigi is reporting that earlier versions of these clients may also be vulnerable and this appears to have been confirmed by the uTorrent team. The problems are confirmed to exist on Windows versions of the software. As yet, Mac and Linux versions of the official BitTorrent client have not been tested.

The bug in detail (from Luigi’s site):
Quote:
By default both clients have the “Detailed Info” window active with the “General” section visible in it, where various information about the status of the torrent and the trackers in use is reported.

In this same window, near “General”, there is also the “Peers” section, which is very useful since it shows a lot of information about the other connected clients, like the percentage of availability of the shared torrent, their IP address, country, speed and amount of downloaded and uploaded data, and moreover the version of their client (like “BitTorrent 6.0”, “Azureus 3.0.3.4”, “uTorrent 1.7.5”, “KTorrent 2.2.4” and so on).

When this window is displayed by the user, the Unicode strings with the software versions of the connected clients are copied into the corresponding static buffers used for display in the GUI through the wcscpy function.

If this string is too long a crash will occur immediately, or in some cases (like on BitTorrent) it could happen later, when the user views the status of another torrent or leaves the “Peers” window. Code execution is not possible.

To exploit the problem it is enough that an external attacker connects to the random port opened on the client and sends the long client version and the SHA1 hash of the torrent currently in use and watched on the target. Note that all these parameters (client IP, port and torrent’s hash) are publicly available on the tracker.
The uTorrent team state that the flaw affects all older uTorrent versions, 1.6 and 1.7.x, too, but have been quick to respond, releasing a new build - uTorrent 1.7.6 (build 7859) - which has fixed the issue.

It can be downloaded here.
edit 2008-01-27: Newest utorrent is 1.7.7: http://download.utorrent.com/1.7.7/utorrent.exe
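The copy pattern the quoted advisory describes (peer-supplied client-version strings written into a fixed static GUI buffer with wcscpy), with a bounded replacement beside it, as an added example; this is not code from either client or from Luigi's advisory. The buffer size CLIENT_VERSION_CAP and the function names are assumptions, and the sample inputs are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>

/* Assumed size of the GUI's static client-version buffer; the advisory does
   not give the real clients' size, so 32 is a constructed value. */
#define CLIENT_VERSION_CAP 32

static wchar_t g_peer_client[CLIENT_VERSION_CAP];

/* The pattern the advisory describes: an unbounded wcscpy from peer-supplied
   data into a fixed static buffer. Any version string of CLIENT_VERSION_CAP
   or more characters writes past the end. Kept only for contrast; not called. */
void show_peer_client_unsafe(const wchar_t *from_peer) {
    wcscpy(g_peer_client, from_peer);
}

/* Hardened replacement: never reads or writes beyond the declared capacity,
   always NUL-terminates, and reports truncation so the caller can log the
   misbehaving peer. Returns true when the string fit without truncation. */
bool copy_client_version(wchar_t *dst, size_t dst_cap, const wchar_t *src) {
    if (dst_cap == 0) return false;
    size_t n = 0;
    /* Bounded scan: an unterminated peer string cannot run us off the end. */
    while (n < dst_cap && src[n] != L'\0') n++;
    bool fits = (n < dst_cap);          /* is there room for the terminator? */
    if (!fits) n = dst_cap - 1;         /* truncate to what the GUI can hold */
    wmemcpy(dst, src, n);
    dst[n] = L'\0';
    return fits;
}

int main(void) {
    /* Constructed sample inputs standing in for peer handshake data. */
    const wchar_t *normal = L"uTorrent 1.7.5";
    wchar_t oversize[200];
    for (size_t i = 0; i < 199; i++) oversize[i] = L'A';
    oversize[199] = L'\0';

    bool ok = copy_client_version(g_peer_client, CLIENT_VERSION_CAP, normal);
    wprintf(L"%ls -> fit=%d\n", g_peer_client, ok);
    ok = copy_client_version(g_peer_client, CLIENT_VERSION_CAP, oversize);
    wprintf(L"%zu chars kept, fit=%d (peer sent oversize version string)\n",
            wcslen(g_peer_client), ok);
    return 0;
}
```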
#2 - paddington (TTD Staff) - 2008-01-18, 11:11 AM

#3 - Salva Veritate - 2008-01-18, 03:34 PM

Doesn't utorrent 1.7.x report your download information or something? Or was that some paranoid/exaggerated rumor?
#4 - bartmanus - 2008-01-19, 11:12 AM

It is only a paranoid rumor.

Doesn't the RIAA (who sues some P2P users) use clients to view who connects to them? That way they get users' internet addresses, which they can then get warrants for ISPs to link to customers.

All clients are vulnerable to such an 'attack'. But AFAIK RIAA has only sued Kazaa users while they continually try to bring down ed2k portals and torrent hosting sites.
#5 - rosc2112 - 2008-01-19, 03:51 PM

Crash bugs from buffer overruns are pretty common (and symptomatic of programmers who don't know what bounds checking is for..)
#6 - lbeatle - 2008-01-20, 10:51 PM

My uTorrent client has been upgraded.

#7 - datdork - 2008-01-21, 12:52 AM

seems that 1.6 is fine. 1.6.1 build 190 is the most stable and I'm not about to "upgrade" to 1.76 call me paranoid if ya won't but I haven't trusted them since 1.7X

many many dorks have tried/tested the crash exploit on all versions and this is what they came up with.

Quote:
1.6.0 (474) fine (but vulnerable to exploit1)
1.6.1 (488) fine
1.6.1 (489) fine
1.6.1 (490) fine
1.7.0 (3353) bugged
1.7.1 (3360) bugged
1.7.2 (3458) bugged
1.7.3 (4470) bugged
1.7.4 (4482) bugged
1.7.5 (4602) bugged

#8 - saltman - 2008-01-21, 02:26 AM

Try Halite

http://sourceforge.net/project/scree...roup_id=179129
http://sourceforge.net/project/showf...roup_id=179129
#9 - dannyandamie - 2008-01-22, 08:15 PM

What is RIAA? What is P2P? Do they really get IP addys and sue? What torrent should I use?
What does U2Lynne use? What does Dylan use? You guys are great!
#10 - rosc2112 - 2008-01-22, 08:21 PM

Quote:
Originally Posted by dannyandamie
What is RIAA? What is P2P? Do they really get IP addys and sue? What torrent should I use?
What does U2Lynne use? What does Dylan use? You guys are great!
Go back to sleep.
#11 - dannyandamie - 2008-01-22, 08:28 PM

Quote:
Originally Posted by rosc2112
Quote:
Originally Posted by dannyandamie
What is RIAA? What is P2P? Do they really get IP addys and sue? What torrent should I use?
What does U2Lynne use? What does Dylan use? You guys are great!
Go back to sleep.
Meaning???
#12 - dannyandamie - 2008-01-22, 08:47 PM

Quote:
Originally Posted by rosc2112
Quote:
Originally Posted by dannyandamie
What is RIAA? What is P2P? Do they really get IP addys and sue? What torrent should I use?
What does U2Lynne use? What does Dylan use? You guys are great!
Go back to sleep.
I'm not sure that this answered any of my questions..?/?
#13 - U2Lynne (TTD Staff) - 2008-01-22, 10:39 PM

Quote:
Originally Posted by dannyandamie
Quote:
Originally Posted by rosc2112
Quote:
Originally Posted by dannyandamie
What is RIAA? What is P2P? Do they really get IP addys and sue? What torrent should I use?
What does U2Lynne use? What does Dylan use? You guys are great!
Go back to sleep.
I'm not sure that this answered any of my questions..?/?
I'm on a Mac and use Azureus, so this notice didn't affect me, but I know that many of the users on this site use uTorrent which is why this was posted.

#14 - dementrium - 2008-01-23, 08:53 AM

Ironically, this is very good news to me. Why? Because now I can connect the dots to what probably happened to me in December.

The symptoms, so far...

The torrents happened to stop with an O.S. error msg. Something like "insufficient resources to complete the requested command".
Also, the other applications were affected too. Windows was unable to even display some desktop icons. All in all, the system was dragging on its knees.
Reboot. Started (the same) torrents again. After a few minutes, the same thing.

It seemed that the problem wasn't related to RAM or HD resources.

After some checking, I was totally clueless. So, I did what I call a PSM (Placebo System Maintenance).

This time the PSM consisted of freeing some HD space and backing up/erasing all torrent activity. So, I started torrenting again from zero, with new torrents. The problem didn't happen again. (Dots connected with the issue mentioned here... I hope.)

I will not upgrade at this moment, just to see if this happens again.

Thank you, people, for this info.
#15 - tgunn2760 - 2008-01-23, 09:52 AM

Quote:
Originally Posted by bartmanus
It is only a paranoid rumor.

Doesn't the RIAA (who sues some P2P users) use clients to view who connects to them? That way they get users' internet addresses, which they can then get warrants for ISPs to link to customers.

All clients are vulnerable to such an 'attack'. But AFAIK RIAA has only sued Kazaa users while they continually try to bring down ed2k portals and torrent hosting sites.

I always have this on, even when downloading legal bootlegs:

http://phoenixlabs.org/pg2/