
Author Topic: uTorrent Vulnerability  (Read 19301 times)

rigpimp
uTorrent Vulnerability
« on: February 21, 2018, 06:07:46 PM »
Bummer for those of us that stopped using Qbittorrent for randomly pinging ports.  This sounds like it has the potential to be much more malicious.

https://torrentfreak.com/bittorrent-client-utorrent-suffers-security-vulnerability-180220/
Mics: Schoeps MK 5 MP, Schoeps MK 8 MP, Schoeps MK 41 MP, KCY 250/5 > PFA
Pre/A>D/P48: Sonosax SX/M2, Sonosax SX/M2-LS, E.A.A. PSP-2, Baby Nbox, Neumann BS48i-2 (for sale)
Recorders: Sound Devices Mixpre-6ii, Sony PCM-A10
Playback: Jolida 1501 Hybrid > McIntosh MX 130 > Von Schweikert VR-4 JR, or Little Dot MK III > Sennheiser HD700
http://archive.org/bookmarks/kskreider
https://www.concertarchives.org/kskreider
https://archive.org/details/thespps

heathen
Re: uTorrent Vulnerability
« Reply #1 on: February 21, 2018, 06:17:32 PM »
Quote
Update: The vulnerability affects all unpatched uTorrent versions, not just those that have the Web UI enabled.

Bummer for people like me who are using an old version of uTorrent from before it started going downhill.  When I was reading the article I was hoping the vulnerability was only in the newer version(s).
Mics: AT4050ST | AT4031 | AT853 (C/SC) | Line Audio CM3 | Sennheiser e614 | Sennheiser MKE2 | DPA 4061 Pre: CA9200 Decks: Zoom F8 | Roland R-05

The Other Chris
Re: uTorrent Vulnerability
« Reply #2 on: February 21, 2018, 06:32:15 PM »
I use an older version too, any suggestions on a replacement?

Fatah Ruark (aka MIKE B)
Re: uTorrent Vulnerability
« Reply #3 on: February 21, 2018, 06:54:52 PM »
If you disable the recommended settings (WebUI and net.discoverable setting) I don't think you will have an issue (at least a known one).

That being said most people are using older versions that aren't being patched.

I use rtorrent with rutorrent as a WebUI. It works great. Not as easy to set up as uTorrent, but handles a shit ton of torrents easily.
||| MICS:  Beyer CK930 | DPA 4022 | DPA 4080 | Nevaton MCE400 | Sennheiser Ambeo Headset |||
||| PREAMPS: DPA d:vice | Naiant Tinybox | Naiant IPA |||
||| DECKS: Sound Devices MixPre6 | iPod Touch 32GB |||
|||Concert History || LMA Recordings || Live YouTube |||

voltronic
Re: uTorrent Vulnerability
« Reply #4 on: February 21, 2018, 08:16:07 PM »
Deluge is the way to go, IMHO.
I am hitting my head against the walls, but the walls are giving way.
- Gustav Mahler

Acoustic Recording Techniques
Team Classical
Team Line Audio
Team DPA

unidentified
Re: uTorrent Vulnerability
« Reply #5 on: February 21, 2018, 10:06:57 PM »
Quote
If you disable the recommended settings (WebUI and net.discoverable setting) I don't think you will have an issue (at least a known one).

That being said most people are using older versions that aren't being patched.

I use rtorrent with rutorrent as a WebUI. It works great. Not as easy to set up as uTorrent, but handles a shit ton of torrents easily.

I am more than a bit confused here.  Would running uTorrent 2.0.4 without enabling WebUI be enough to guard against this flaw?  If not, what other settings could be disabled and how would doing so affect  uTorrent's basic functionality?  Many thanks!

Fatah Ruark (aka MIKE B)
Re: uTorrent Vulnerability
« Reply #6 on: February 21, 2018, 10:11:29 PM »
I got this from a "famous torrent site":

Quote
Recently, two security bugs were found in uTorrent in how it sets up its web interface (affecting both uTorrent Web and uTorrent Classic). The full bug report can be found here: https://bugs.chromium.org/p/project-zero/issues/detail?id=1524 More information can be found here: https://torrentfreak.com/bittorrent-client-utorrent-suffers-security-vulnerability-180220/

uTorrent web
Basically, this security hole allows an attacker to remotely get access to your uTorrent via the WebUI, and use that for malicious activities, like downloading viruses to your computer. Because of this, I strongly recommend that all users currently using the uTorrent webUI, disable it for the time being. (This applies to both uTorrent web and the WebUI inside 'normal' versions of uTorrent)

uTorrent Classic
Even if you have the WebUI disabled, there is another security bug that can be exploited. Among other things, this bug allows for crashing of uTorrent, and stealing of torrents. To prevent this, I strongly recommend that all uTorrent users disable the 'net.discoverable' setting. Some older uTorrent versions might not have this option. If you cannot find it, you might be safe from this bug.

After applying the setting, you should restart the client. (File>Exit, then starting it again)




« Last Edit: February 21, 2018, 10:13:20 PM by Fatah Ruark (aka MIKE B) »
||| MICS:  Beyer CK930 | DPA 4022 | DPA 4080 | Nevaton MCE400 | Sennheiser Ambeo Headset |||
||| PREAMPS: DPA d:vice | Naiant Tinybox | Naiant IPA |||
||| DECKS: Sound Devices MixPre6 | iPod Touch 32GB |||
|||Concert History || LMA Recordings || Live YouTube |||

Gordon
Re: uTorrent Vulnerability
« Reply #7 on: February 22, 2018, 09:40:40 AM »
Quote
Bummer for those of us that stopped using Qbittorrent for randomly pinging ports.

I've been using utorrent 2.2.1 forever and thought about trying Q.  Has the issue you're referring to been fixed?


Yes I know I could disable webui etc (or wait for the bloated update) but I run utorrent on my headless home server and rely on the webui to load torrents, stop/start etc.
Microtech Gefell M20 or M21 > Nbob actives > Naiant PFA > Sound Devices MixPre-6 II @ 32/48

https://archive.org/details/fav-gordonlw

https://archive.org/details/teamdirtysouth

if_then_else
Re: uTorrent Vulnerability
« Reply #8 on: February 22, 2018, 12:12:29 PM »
FWIW: There are some web-ui based frontends for Deluge and Transmission, too.

rocksuitcase
Re: uTorrent Vulnerability
« Reply #9 on: February 22, 2018, 01:38:07 PM »
Thanks for this. I stopped using utorrent last summer and replaced it with qBittorrent. Since I don't use it I just uninstalled it rather than tweak the settings. Thanks again.
music IS love

When you get confused, listen to the music play!

Mics:         AKG460|CK61|CK1|CK3|CK8|Beyer M 201E|DPA 4060 SK
Recorders:Marantz PMD661 OADE Concert mod; Tascam DR680 MKI x2; Sony PCM-M10

Gordon
Re: uTorrent Vulnerability
« Reply #10 on: February 22, 2018, 04:22:10 PM »
Quote
FWIW: There are some web-ui based frontends for Deluge and Transmission, too.

Saw that and messed with Deluge a little.  I don't have time to figure out command lines for install/configs of plugins etc.  I want simple and easy and qBittorrent seems to fit the bill.

rigpimp
Re: uTorrent Vulnerability
« Reply #11 on: February 22, 2018, 04:41:27 PM »
I am unsure how, or if, this was resolved but for those considering qBittorrent:

http://taperssection.com/index.php?topic=183133.0

Gordon
Re: uTorrent Vulnerability
« Reply #12 on: February 22, 2018, 04:56:33 PM »
Quote
I am unsure how, or if, this was resolved but for those considering qBittorrent:

http://taperssection.com/index.php?topic=183133.0

Did you verify that other users had the same issue?  Google did not turn up much for me.  Are you sure it wasn't due to a connected peer in one of your torrents?  I've seen similar behavior on utorrent due to someone in the swarm.

I've tested the latest and 3.3.16 today and Malwarebytes has not detected anything.

rigpimp
Re: uTorrent Vulnerability
« Reply #13 on: February 22, 2018, 05:00:40 PM »
Quote
I am unsure how, or if, this was resolved but for those considering qBittorrent:

http://taperssection.com/index.php?topic=183133.0

Did you verify that other users had the same issue?  Google did not turn up much for me.  Are you sure it wasn't due to a connected peer in one of your torrents?  I've seen similar behavior on utorrent due to someone in the swarm.

I've tested the latest and 3.3.16 today and Malwarebytes has not detected anything.

It has been a while but I am not sure that I was even running any torrents at the point I upgraded.  Hopefully it has all been worked out, whatever it was.

tim in jersey
Re: uTorrent Vulnerability
« Reply #14 on: February 22, 2018, 10:15:56 PM »

 

© 2002-2024 Taperssection.com