Google Project Zero researchers are warning of two critical remote code execution vulnerabilities in popular versions of BitTorrent’s web-based uTorrent Web client and its uTorrent Classic desktop client. According to researchers, the flaws allow a hacker to either plant malware on a user’s computer or view the user’s past download activity.
Project Zero security researcher Tavis Ormandy published the research on Wednesday after waiting 90 days from the time it notified uTorrent of its discovery. Project Zero gives vendors a 90-day window to patch a vulnerability before publicly disclosing it.
Ormandy said the vulnerabilities are easy to exploit and are tied to various JSON-RPC issues, or problems with how the web-based apps handle JavaScript Object Notations (JSON) as they relate to the company’s remote procedure call (RPC) servers.
Simply put, those JSON-RPC issues create a vulnerability in the desktop and web-based uTorrent clients, which both use a web interface to display website content. An attacker behind a rogue website, Ormandy said, can exploit this client-side flaw by hiding commands inside web pages that interact with uTorrent’s RPC servers. Those commands range from downloading malware into the targeted PC’s startup folder or gaining access to user’s download activity information.
On Wednesday, the developer of the uTorrent apps, BitTorrent, said the flaw has been fixed in the most recent beta version of the uTorrent Windows desktop app. A patch for the existing clients will be pushed out to users in the coming days, according to Dave Rees, VP of engineering at BitTorrent. Users can also opt to pro-actively download a patched version of uTorrent’s desktop client 3.5.3.44352.
According to a Project Zero proof-of-concept attack against either uTorrent clients, an attacker would have to utilize what’s known as a Domain Name Server (DNS) rebinding attack to exploit the flaws. A DNS rebinding attack is when an adversary abuses DNS to trick a browser into not-enforcing a browser’s Same Origin Policy security, a data protection feature found on modern browsers.
“This requires some simple DNS rebinding to attack remotely, but once you have the (authentication) secret you can just change the directory torrents are saved to, and then download any file anywhere writable,” Ormandy wrote.
“The authentication secret is not the only data accessible within the webroot – settings, crashdumps, logs and other data is also accessible. As this is a complete remote compromise of the default uTorrent web configuration, I didn’t bother looking any further after finding this,” the researcher added.
On Wednesday BitTorrent released an official statement on the matter:
“On December 4, 2017, we were made aware of several vulnerabilities in the uTorrent and BitTorrent Windows desktop clients. We began work immediately to address the issue. Our fix is complete and is available in the most recent beta release (build 3.5.3.44352 released on 16 Feb 2018). This week, we will begin to deliver it to our installed base of users. All users will be updated with the fix automatically over the following days. The nature of the exploit is such that an attacker could craft a URL that would cause actions to trigger in the client without the user’s consent (e.g. adding a torrent).”