The Traders' Den  

  The Traders' Den > Where we go to learn ..... > Technobabble
 

Technobabble Post your general Need for Help questions here.
Lossy or Lossless?
Moderators

Reply
 
Thread Tools
  #1  
Old 2018-02-20, 11:54 PM
cutz cutz is offline
387.39 GB/2.69 TB/7.12
 
Join Date: Sep 2008
EXPLOIT IN UTORRENT?

I got this warning on another torrent site about uTorrent:

Attention uTorrent users: There is an exploit (in all previous versions including uT 2.2.1) with the WebUI. Please disable WebUI on uT until further notice. Details to follow.


Does anyone on here know anything about this? I use 2.2.1 . I'm LOW-tech and have no idea what an exploit is.

Some posted that anyone using this client should get rid of it, because your computer could be attacked.

Like this post:

This is actually a massive security risk; anyone sticking with uTorrent is an idiot. This isn't even the first attack 2.2.1 is vulnerable to, either.
And BitTorrent botched their patch to fix the issue, so even the latest uT beta is still vulnerable. Yikes.

Make the most of these tools -- it's time to ditch uTorrent
As always, create a backup of your session folder before making any changes
Seamless transition from uTorrent to qBittorrent
Seamless transition from uTorrent to Deluge

I'd recommend switching to qBittorrent or Deluge. They are all cross-platform, although unfortunately I don't think either of the transition tools work on macos. Transmission is a good macos client (I wouldn't recommend it be used on Windows) but as far as I know there are no tools available to convert your uTorrent session into something Transmission can use.

I think qBittorrent would be the best choice for most people seeking a uTorrent alternative
Reply With Quote Reply with Nested Quotes
  #2  
Old 2018-02-21, 02:08 AM
dorrcoq's Avatar
dorrcoq dorrcoq is offline
Champion of the Silent
TTD VIP
735.96 GB/8.30 TB/11.55
 
Join Date: Nov 2004
Re: EXPLOIT IN UTORRENT?

Update to the newest version. I've not heard of anyone else having this issue, and there is a large percentage of users here who use uTorrent.
__________________
DON'T MESSAGE ME FOR RE-SEEDS. I DO NOT DO THEM! AND UNLESS THEY WERE RECORDED THAT WAY, THERE WILL BE NO MORE 16 BIT VERSIONS.
Reply With Quote Reply with Nested Quotes
  #3  
Old 2018-02-21, 11:22 AM
lpmaskman's Avatar
lpmaskman lpmaskman is offline
37.36 GB/23.95 GB/0.64
 
Join Date: Oct 2008
Location: Hungary
Re: EXPLOIT IN UTORRENT?

Forget this bloatware. Use Deluge, Transmisson or similar opensource alternatives.
__________________
My list: http://xdespisedkidx.bplaced.net/
Reply With Quote Reply with Nested Quotes
  #4  
Old 2018-02-21, 12:01 PM
Hucklive's Avatar
Hucklive Hucklive is offline
502.29 GB/2.13 TB/4.35
 
Join Date: Jan 2018
Location: Misery
Re: EXPLOIT IN UTORRENT?

more info

https://torrentfreak.com/bittorrent-...bility-180220/

https://bugs.chromium.org/p/project-...detail?id=1524

my 2.2.1 does open port 10000 on 127.0.0.1

i cannot reproduce any of the example calls tho, but maybe i havent tried hard enuf

Any exploit would have to run on the machine that utorrent is running on. Since i run utorrent on a standalone machine with very little use of a browser i suspect i am RELATIVELY secure for now
Reply With Quote Reply with Nested Quotes
  #5  
Old 2018-02-21, 01:06 PM
cutz cutz is offline
387.39 GB/2.69 TB/7.12
 
Join Date: Sep 2008
Re: EXPLOIT IN UTORRENT?

Got this on Twitter.

This guy is a high tech guy with Google.




Tavis OrmandyTavis Ormandy
Tavis Ormandy
Tavis OrmandyVerified account
@taviso

Tweets
Tweets, current page.
3,069
Following
Following
425
Followers
Followers
84.2K
Likes
Likes
2,509
Follow Follow @taviso
Tavis OrmandyVerified account
@taviso
Vulnerability researcher at Google. This is a personal stream, opinions expressed are mine.

@taviso
I just fixed the exploit and verified it still works. I would recommend asking BitTorrent to resolve this issue if you're affected, and it works in the default configuration so you probably are. Sigh.

4:20 PM - Feb 20, 2018
84
28 people are talking about this
Reply With Quote Reply with Nested Quotes
  #6  
Old 2018-02-21, 02:30 PM
Homebrew101's Avatar
Homebrew101 Homebrew101 is offline
2.02 TB/1.77 TB/0.87
 
Join Date: Mar 2006
Location: City of Festivals
Re: EXPLOIT IN UTORRENT?

But is he discussing Utorrent or something else referred to as BitTorrent?

Quote:
Originally Posted by cutz View Post
Got this on Twitter.

This guy is a high tech guy with Google.




Tavis OrmandyTavis Ormandy
Tavis Ormandy
Tavis OrmandyVerified account
@taviso

Tweets
Tweets, current page.
3,069
Following
Following
425
Followers
Followers
84.2K
Likes
Likes
2,509
Follow Follow @taviso
Tavis OrmandyVerified account
@taviso
Vulnerability researcher at Google. This is a personal stream, opinions expressed are mine.

@taviso
I just fixed the exploit and verified it still works. I would recommend asking BitTorrent to resolve this issue if you're affected, and it works in the default configuration so you probably are. Sigh.

4:20 PM - Feb 20, 2018
84
28 people are talking about this
__________________
Quote:
Originally Posted by Gwarrior View Post
Probably, if you remove Russia from your thoughts, it turns out that you have nothing against Trump.
Reply With Quote Reply with Nested Quotes
  #7  
Old 2018-02-21, 03:59 PM
lintoni's Avatar
lintoni lintoni is offline
boom laka laka laka
12.87 GB/926.83 MB/0.07
 
Join Date: Jan 2015
Location: Plague Island
Re: EXPLOIT IN UTORRENT?

Quote:
Originally Posted by Homebrew101 View Post
But is he discussing Utorrent or something else referred to as BitTorrent?
µTorrent is owned and maintained by BitTorrent Inc
Reply With Quote Reply with Nested Quotes
  #8  
Old 2018-02-21, 04:17 PM
Homebrew101's Avatar
Homebrew101 Homebrew101 is offline
2.02 TB/1.77 TB/0.87
 
Join Date: Mar 2006
Location: City of Festivals
Re: EXPLOIT IN UTORRENT?

Quote:
Originally Posted by lintoni View Post
µTorrent is owned and maintained by BitTorrent Inc
makes sense then, thanks
__________________
Quote:
Originally Posted by Gwarrior View Post
Probably, if you remove Russia from your thoughts, it turns out that you have nothing against Trump.
Reply With Quote Reply with Nested Quotes
  #9  
Old 2018-02-21, 10:42 PM
cutz cutz is offline
387.39 GB/2.69 TB/7.12
 
Join Date: Sep 2008
Re: EXPLOIT IN UTORRENT?

Instructions for closing the RPC vulnerability:
https://ptpimg.me/w8682p.png

Instructions for disabling WebUI:
https://ptpimg.me/dgydyg.png

After completing these steps, close your client and re-open it. Without restarting uTorrent, you will remain vulnerable.

To verify if you are no longer vulnerable, visit this link http://127.0.0.1:10000/ while uTorrent is running.
If you see a white page that says "invalid request", you are still vulnerable! If you get a browser error page, you're no longer vulnerable
Reply With Quote Reply with Nested Quotes
  #10  
Old 2018-02-21, 11:16 PM
paddington's Avatar
paddington paddington is offline
crumpet-stuffer
TTD Staff
87.48 GB/884.33 GB/10.11
 
Join Date: Jan 2005
Location: UK
Re: EXPLOIT IN UTORRENT?

Good info
__________________
"There are some of these recordings where it is just a whirring, and you cannot hear the music. " - Jimmy Page, 2007 / JUL / 26
Reply With Quote Reply with Nested Quotes
  #11  
Old 2018-02-22, 06:57 AM
JackDog's Avatar
JackDog JackDog is offline
World-Class Slack-Ass
713.86 GB/0.98 TB/1.41
 
Join Date: Aug 2005
Location: Kansas
Re: EXPLOIT IN UTORRENT?

Quote:
Originally Posted by cutz View Post
Instructions for disabling WebUI:
https://ptpimg.me/dgydyg.png
Great info, and thank you for the help! I'm using the current version (3.5.1) and to get to WebUI you need to click on the plus sign next to Advanced for it to show up.
Reply With Quote Reply with Nested Quotes
  #12  
Old 2018-02-23, 11:32 AM
cutz cutz is offline
387.39 GB/2.69 TB/7.12
 
Join Date: Sep 2008
Re: EXPLOIT IN UTORRENT?

Well, i think , from what i'm seeing/reading on another Forum torrent website, those who are using uTorrent(ALL version) should dump it for another Client.








According to taviso (the researcher who discovered the vulnerability), the net.discoverable trick does not prevent the vulnerability: [source) : https://bugs.chromium.org/p/project-...il?id=1524#c13

Instructions for closing port 10000:

https://ptpimg.me/w8682p.png

Instructions for disabling WebUI:
https://ptpimg.me/dgydyg.png

After completing these steps, close your client and re-open it.

According to taviso (the researcher who discovered the vulnerability), the net.discoverable trick does not prevent the vulnerability: [source] : https://bugs.chromium.org/p/project-...il?id=1524#c13
Reply With Quote Reply with Nested Quotes
Reply

The Traders' Den > Where we go to learn ..... > Technobabble

Similar Threads
Thread Forum Replies Last Post
DHT in utorrent - barley masticus Technobabble 3 2009-12-13 08:42 PM
utorrent 1.82 - drkhollow Technobabble 14 2009-03-24 06:57 AM
uTorrent 1.3 & DHT ? - halfstep Technobabble 11 2005-12-28 09:47 PM


Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forums


All times are GMT -5. The time now is 09:18 AM.


Powered by: vBulletin, Copyright ©2000 - 2025, Jelsoft Enterprises Ltd.
Copyright ©2004 - , TheTradersDen.org - All Rights Reserved - Hosted at QuickPacket