Critical Remote Code Execution Bug Puts Millions of uTorrent Users under Risk

utorrent - JSON-RPC Remote Code Execution / Information Disclosure
A BitTorrent client used by more than 100 million users has multiple critical security vulnerabilities, including remote code execution and copying of downloaded files, reports Tavis Ormandy, a Google security researcher.

The bug was reported to BitTorrent (uTorrent's parent company) last December, and the firm issued a patch for it on Tuesday. After the patch was released, Ormandy noted that with small tweaks his exploit still worked against the default configuration.

uTorrent has already been notified about the bug that remains after the patch, and said its team is testing a fix; users can expect another update within the next 24 hours.

The unpatched version of the server contained vulnerabilities that could be exploited through any website with basic requests, so basic that Ormandy called them "so trivial."
“By default, utorrent create an HTTP RPC server on port 10000 (uTorrent classic) or 19575 (uTorrent web),” Ormandy wrote. “There are numerous problems with these RPC servers that can be exploited by any website using XMLHTTPRequest(). To be clear, visiting *any* website is enough to compromise these applications.” 
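The exposure Ormandy describes, a localhost HTTP RPC server that any web page can call with XMLHttpRequest, is what the following added example guards against. This is illustrative code, not uTorrent's; the ports come from the quote above, while the `X-RPC-Token` header and the session-token scheme are assumptions.

```python
# Added example, not uTorrent's code: a request guard for a localhost HTTP RPC
# service like the one quoted above (ports 10000 / 19575). It enforces the two
# checks whose absence lets any website drive such a server from the browser:
# the Host header must name the loopback address on an RPC port, and every call
# must carry a session token no third-party page can obtain (X-RPC-Token is assumed).
from dataclasses import dataclass
from typing import Mapping, Optional, Tuple

LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "[::1]"}
RPC_PORTS = {10000, 19575}  # ports named in the quote above

@dataclass
class Decision:
    allowed: bool
    reason: str

def _split_host(value: str) -> Tuple[str, Optional[int]]:
    """Split 'host:port' into (host, port); IPv6 literals keep their brackets."""
    value = value.strip().lower()
    if value.startswith("["):  # e.g. [::1]:10000
        end = value.find("]")
        host, rest = value[: end + 1], value[end + 1:]
    else:
        host, sep, rest = value.partition(":")
        rest = sep + rest
    port = int(rest[1:]) if rest.startswith(":") and rest[1:].isdigit() else None
    return host, port

def check_rpc_request(method: str, headers: Mapping[str, str], session_token: str) -> Decision:
    """Decide whether a request to the local RPC server may be served."""
    h = {k.lower(): v for k, v in headers.items()}
    host, port = _split_host(h.get("host", ""))
    # 1. A browser fills Host from the URL a page requested. A page can only
    #    reach this server through a name it controls (DNS rebinding), so refuse
    #    anything that is not a loopback name on one of the RPC ports.
    if host not in LOOPBACK_HOSTS or port not in RPC_PORTS:
        return Decision(False, f"host header {h.get('host')!r} is not the local RPC endpoint")
    # 2. Requests issued by a web page via XMLHttpRequest carry an Origin header;
    #    the client's own UI is the only origin allowed to talk to this server.
    origin = h.get("origin")
    if origin is not None:
        o_host, o_port = _split_host(origin.split("://", 1)[-1])
        if o_host not in LOOPBACK_HOSTS or o_port not in RPC_PORTS:
            return Decision(False, f"cross-origin request from {origin!r}")
    # 3. Every RPC call (reads leak information too) must present the token.
    if h.get("x-rpc-token") != session_token:
        return Decision(False, "missing or wrong session token")
    return Decision(True, "ok")
```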