#######################################################################

                             Luigi Auriemma

Applications: BitTorrent and uTorrent
              http://www.bittorrent.com
              http://www.utorrent.com
Versions:     BitTorrent <= 6.0 (build 5535)
              uTorrent <= 1.7.5 (build 4602)
              uTorrent <= 1.8-alpha-7834
              uTorrent 1.6.x NOT vulnerable
Platforms:    Windows confirmed
              Mac and Linux (both available only on BitTorrent) have
              not been tested
Bug:          unicode static buffer-overflow
Exploitation: remote
Date:         16 Jan 2008
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


BitTorrent and uTorrent are the most used clients for the bittorrent
protocol and are both built over the same code base derived by
uTorrent.


#######################################################################

======
2) Bug
======


By default both the clients have the "Detailed Info" window active with
the "General" section visible in it where are reported various
informations about the status of the torrent and the trackers in use.

In this same window near "General" there is also the "Peers" section
which is very useful since it showes many informations about the other
connected clients like the percentage of availability of the shared
torrent, their IP address, country, speed and amount of downloaded and
uploaded data and moreover the version of their client (like
"BitTorrent 6.0", "Azureus 3.0.3.4", "uTorrent 1.7.5", "KTorrent 2.2.4"
and so on).

When this window is visualized by the user the unicode strings with the
software versions of the connected clients are copied in the relative
static buffers used for the visualization in the GUI through the
wcscpy function.

If this string is too long a crash will occur immediately or in some
cases (like on BitTorrent) could happen later or when the user watches
the status of another torrent or leaves the "Peers" window.

UPDATE 25 Jan 2008
Secunia has performed additional tests on the vulnerability and has
found that code execution is possible.

For exploiting the problem is enough that an external attacker connects
to the random port opened on the client and sends the long client
version and the SHA1 hash of the torrent currently in use and watched
on the target.
Note that all these parameters (client IP, port and torrent's hash) are
publicly available on the tracker.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/ruttorrent.zip


#######################################################################

======
4) Fix
======


uTorrent 1.7.6 (build 7859) released the same day I reported the
vulnerability, great job!

UPDATE 25 Jan 2008
BitTorrent 6.0.1 released


#######################################################################