Google Project Zero is warning of two critical vulnerabilities, leading to remote code execution, in current versions of BitTorrent's web-based uTorrent Web client and its uTorrent Classic desktop client. According to the researchers, the flaws let an attacker plant malware on a user's computer or read the user's past download activity.
Project Zero security researcher Tavis Ormandy [published the research]() on Wednesday after waiting 90 days from the time he notified BitTorrent of the discovery. Project Zero gives vendors a 90-day window to patch a vulnerability before publicly disclosing it.
Ormandy said the vulnerabilities are easy to exploit and stem from several JSON-RPC issues: problems in how the clients' built-in web servers, which expose the applications' remote procedure call (RPC) interface over HTTP using JavaScript Object Notation (JSON), handle incoming requests.
Simply put, both the desktop and web-based uTorrent clients run a local web server that serves their user interface, and the JSON-RPC issues make that server reachable from any web page the user visits. An attacker behind a rogue website, Ormandy said, can exploit this client-side flaw by hiding commands inside the web page that interact with uTorrent's RPC server. Those commands range from downloading malware into the targeted PC's startup folder to reading the user's download-activity information.
On Wednesday, the developer of the uTorrent apps, BitTorrent, said the flaw has been fixed in the most recent beta version of the uTorrent Windows desktop app. A patch for the existing clients will be pushed out to users in the coming days, according to Dave Rees, VP of engineering at BitTorrent. Users can also opt to proactively download a patched version of uTorrent's desktop [client 3.5.3.44352]().
According to Project Zero's proof-of-concept attacks against the two uTorrent clients, an attacker has to use what is known as a Domain Name System (DNS) rebinding attack to exploit the flaws remotely. In a DNS rebinding attack, the adversary controls the DNS answers for a domain they own: the victim's browser first loads a malicious page from the attacker's server, and the domain is then re-pointed (with a very short TTL) at 127.0.0.1, so that later requests issued by that page reach the local uTorrent web server. The browser's Same Origin Policy is not bypassed or disabled; it is satisfied, because the scheme, hostname and port of the request are unchanged and the policy never looks at the IP address the name currently resolves to.
"This requires some simple DNS rebinding to attack remotely, but once you have the (authentication) secret you can just change the directory torrents are saved to, and then download any file anywhere writable," Ormandy wrote.
"The authentication secret is not the only data accessible within the webroot; settings, crashdumps, logs and other data is also accessible. As this is a complete remote compromise of the default uTorrent web configuration, I didn't bother looking any further after finding this," the researcher added.
On Wednesday BitTorrent released an official statement on the matter:
> "On December 4, 2017, we were made aware of several vulnerabilities in the uTorrent and BitTorrent Windows desktop clients. We began work immediately to address the issue. Our fix is complete and is available in the most recent beta release (build 3.5.3.44352 released on 16 Feb 2018). This week, we will begin to deliver it to our installed base of users. All users will be updated with the fix automatically over the following days. The nature of the exploit is such that an attacker could craft a URL that would cause actions to trigger in the client without the user's consent (e.g. adding a torrent)."