####################################################################### Luigi Auriemma Applications: BitTorrent and uTorrent http://www.bittorrent.com http://www.utorrent.com Versions: BitTorrent <= 6.0.1 (build 7859) uTorrent <= 1.7.6 (build 7859) uTorrent <= 1.8-alpha-7928 Platforms: Windows confirmed Mac and Linux (both available only on BitTorrent) have not been tested Bug: unspecified crash in the webui Exploitation: remote Date: 27 Jan 2008 Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org ####################################################################### 1) Introduction 2) Bug 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== BitTorrent and uTorrent are the most used clients for the bittorrent protocol and are both built over the same code base derived by uTorrent. ####################################################################### ====== 2) Bug ====== Both uTorrent and BitTorrent have the possibility to be administered remotely through a very nice web interface called webui. Exists a problem with the handling of the Range header received in the HTTP request of the browser which can be exploited for crashing the remote uTorrent/BitTorrent client if the webui interface is in use. For doing this is enough that an attacker sends some consecutives HTTP requests using a Range header which increases each time. After about 40 connections the client crashes due to the access to the end of the available memory. ####################################################################### =========== 3) The Code =========== http://aluigi.org/poc/ruttorrent2.zip ####################################################################### ====== 4) Fix ====== uTorrent 1.7.7 build 8179 #######################################################################