uTorrent Client Affected by Some Pretty Severe Security Flaws


A Google security researcher has found multiple security flaws affecting the uTorrent web and desktop clients that allow an attacker to infect a victim with malware or collect data on the user’s past downloads.

The vulnerabilities have been discovered by Google Project Zero security researcher Tavis Ormandy, and they impact uTorrent Web, a new web-based version of the uTorrent BitTorrent client, and uTorrent Classic, the old uTorrent client that most people know.

Attacks rely on luring victims to malicious websites

Ormandy says that both uTorrent clients expose an RPC server: on port 10000 for uTorrent Classic and on port 19575 for uTorrent Web.

The expert says that attackers can hide commands inside web pages that interact with this open RPC server. The attacker only needs to trick a user with a vulnerable uTorrent client into accessing a malicious web page.

The uTorrent clients are also vulnerable to DNS rebinding, a vulnerability that allows the attacker to legitimize his requests to the RPC server.
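A common server-side defence against this class of issue, shown as an added example that is not part of the original article and not BitTorrent's actual patch: a loopback-only RPC server rejects requests whose Host or Origin header is not a loopback name before it looks at any credential. The `X-RPC-Token` header name, the function names and the sample host names are assumptions made for illustration.

```python
import hmac

RPC_PORT = 19575  # uTorrent Web's RPC port as reported in the article


def allowed_hosts(port):
    """Host header values a browser sends when the URL really names loopback."""
    return {f"127.0.0.1:{port}", f"localhost:{port}", f"[::1]:{port}"}


def check_rpc_request(headers, expected_token, port=RPC_PORT):
    """Return (allowed, reason) for one HTTP request to a loopback-only RPC server.

    headers is a plain dict of request headers (hypothetical shape for this example).
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}

    # 1. DNS rebinding: the TCP peer is 127.0.0.1, but the Host header still
    #    carries the attacker-controlled name the page was loaded from.
    host = h.get("host", "").lower()
    if host not in allowed_hosts(port):
        return False, "host-not-loopback"

    # 2. Cross-site page talking to the local port: browsers attach Origin to
    #    cross-origin requests, so reject any Origin that is not the local UI.
    origin = h.get("origin")
    if origin is not None:
        own_origins = {f"http://{name}" for name in allowed_hosts(port)}
        if origin.lower() not in own_origins:
            return False, "foreign-origin"

    # 3. Per-install secret (hypothetical X-RPC-Token header), compared in
    #    constant time. Checked last so it is never the only barrier.
    token = h.get("x-rpc-token", "")
    if not hmac.compare_digest(token.encode(), expected_token.encode()):
        return False, "bad-token"
    return True, "ok"
```

The token check only helps if the secret itself cannot be read over the same port by a request that fails checks 1 and 2.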

uTorrent Web impacted the most

uTorrent Web is the most affected by these flaws. Ormandy says that an attacker can:

– obtain the RPC server’s “authentication secret” to “gain complete control of the [RPC] service,” and inherently over the uTorrent Web client.
– download malware on the user’s computer.
– change the default downloads folder location (for example to the /Startup folder so anything the attacker downloads is automatically executed at the next boot-up).

Ormandy also believes he could retrieve other data from the uTorrent Web client, but since he obtained a full compromise of the client from the get-go, he did not investigate further.

The uTorrent Classic client is not as exposed, and Ormandy was only able to get a list of past downloads and optionally retrieve previously downloaded files from the user’s computer, if they were still available on disk.

Ormandy has published two demo pages, for uTorrent Web and uTorrent Classic, as a proof-of-concept of his findings.

Some patches are available

BitTorrent, Inc., the company behind uTorrent, has released version 3.5.3 Beta for the uTorrent Classic client to address the issues, which is expected to reach the stable branch in the coming days. uTorrent Web has already been updated, a BitTorrent spokesperson told Bleeping Computer. The patched version is v0.12.0.502.

This is not the first time that Ormandy has found bugs in BitTorrent, Inc. applications. He also found a similar RPC server and DNS rebinding flaw in the Transmission client.

Article updated with uTorrent client version numbers that include fixes for the reported flaws.
