Thursday, January 17, 2008

[NT] BitTorrent and UTorrent Peers Static Overflow

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com


- - - - - - - - -

BitTorrent and UTorrent Peers Static Overflow
------------------------------------------------------------------------


SUMMARY

<http://www.bittorrent.com> BitTorrent and <http://www.utorrent.com>
uTorrent are "the most used clients for the bittorrent protocol and are
both built over the same code base derived by uTorrent". A static buffer
overflow is present in both the BitTorrent and uTorrent clients; a remote
attacker can use it to crash the clients.

DETAILS

Vulnerable Systems:
* BitTorrent version 6.0 build 5535 and prior
* uTorrent version 1.7.5 build 4602 and prior
* uTorrent version 1.8-alpha-7834 and prior

Immune Systems:
* uTorrent version 1.7.6 build 7859

By default both clients have the "Detailed Info" window active, with the
"General" section visible in it, which reports various information about
the status of the torrent and the trackers in use.

In the same window, next to "General", there is also the "Peers" section,
which is very useful since it shows much information about the other
connected clients: the percentage of the shared torrent they have
available, their IP address, country, speed, the amount of data downloaded
and uploaded, and moreover the version of their client (like "BitTorrent
6.0", "Azureus 3.0.3.4", "uTorrent 1.7.5", "KTorrent 2.2.4" and so on).

When the user views this window, the Unicode strings carrying the software
versions of the connected clients are copied into the corresponding static
buffers used for display in the GUI through the wcscpy function, which
performs no length check on its input.

If such a string is too long, a crash occurs immediately or, in some cases
(as on BitTorrent), may happen later, when the user views the status of
another torrent or leaves the "Peers" window. Code execution is not
possible.
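The copy pattern the advisory describes, placed beside the bounded form that removes the crash, as an added C example; this is not the advisory's code nor the clients' code. The buffer width (32 wide characters), the function names and the sample peer strings are assumptions made for the illustration; the advisory does not state the real buffer size.

```c
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>

/* Assumed width of the per-peer "Client" column in the Peers view.
   The real buffer size in BitTorrent/uTorrent is not given in the
   advisory; 32 wide characters is a placeholder for this example. */
#define CLIENT_VERSION_LEN 32

/* The pattern described by the advisory: an unbounded wcscpy() of a
   peer-supplied version string into a fixed-size static buffer.
   Shown for contrast only; it is never called here, because any input
   of CLIENT_VERSION_LEN or more characters overruns the buffer. */
static wchar_t g_client_version_unsafe[CLIENT_VERSION_LEN];

void store_client_version_unsafe(const wchar_t *peer_version)
{
    wcscpy(g_client_version_unsafe, peer_version);   /* no length check */
}

/* Hardened form: copy at most dst_len - 1 characters, always terminate
   the destination, and tell the caller whether the input had to be cut
   so the event can be logged. Returns 1 if truncated, 0 if the string
   fit, -1 if dst_len is zero (no safe copy possible). */
int store_client_version_safe(wchar_t *dst, size_t dst_len,
                              const wchar_t *peer_version)
{
    size_t n = wcslen(peer_version);
    int truncated = 0;

    if (dst_len == 0)
        return -1;

    if (n >= dst_len) {
        n = dst_len - 1;          /* leave room for the terminator */
        truncated = 1;
    }
    wmemcpy(dst, peer_version, n);
    dst[n] = L'\0';
    return truncated;
}

/* Self-check: a normal version string fits untruncated; an oversized
   one (constructed here, 199 characters) is cut to the buffer size and
   is still terminated. Returns 1 on success, 0 on any mismatch. */
int demo(void)
{
    static wchar_t buf[CLIENT_VERSION_LEN];
    wchar_t oversized[200];
    size_t i;

    for (i = 0; i < 199; i++)
        oversized[i] = L'A';
    oversized[199] = L'\0';

    if (store_client_version_safe(buf, CLIENT_VERSION_LEN,
                                  L"uTorrent 1.7.5") != 0)
        return 0;
    if (wcscmp(buf, L"uTorrent 1.7.5") != 0)
        return 0;
    if (store_client_version_safe(buf, CLIENT_VERSION_LEN, oversized) != 1)
        return 0;
    if (wcslen(buf) != CLIENT_VERSION_LEN - 1)
        return 0;
    return 1;
}

int main(void)
{
    int ok = demo();
    printf("%s\n", ok ? "ok" : "FAIL");
    return ok ? 0 : 1;
}
```

The truncation flag is the part worth keeping in a real client: a peer that advertises a version string hundreds of characters long is either broken or hostile, and a bounded copy that reports the cut gives the application a place to log or drop the peer instead of silently overwriting adjacent memory.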

To trigger the problem, it is enough that an external attacker connects to
the random port opened on the client and sends the long client version and
the SHA1 hash of the torrent currently in use and being watched on the
target. Note that all these parameters (client IP, port and torrent's
hash) are publicly available on the tracker.

Exploit:
/*

by Luigi Auriemma - http://aluigi.org/poc/ruttorrent.zip

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <time.h>
#include <ctype.h>
#include <sys/stat.h>
#include <openssl/sha.h>

#ifdef WIN32
#include <winsock.h>
#include "winerr.h"

#define close closesocket
#define sleep Sleep
#define ONESEC 1000
#else
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netdb.h>

#define ONESEC 1
