TACTICAL CYBER INTELLIGENCE REPORT

Actor Type: II
Serial: TR-18-060-002
Countries: IN, CN
Report Date: 20180228

μTorrent Flaw lets Attackers control your PC remotely

A Google security researcher discovered a serious remote code execution vulnerability in both the μTorrent desktop app for Windows and the newly launched ‘μTorrent Web.’ μTorrent Web allows users to download and stream torrents directly in their web browser.

μTorrent Classic and μTorrent Web apps, if installed, may run in the background on Windows machines. While running, they start a locally hosted HTTP RPC server on ports 10000 and 19575, whose interfaces can be accessed from any web browser. These RPC servers could allow remote attackers to take control of the torrent download software with little user interaction.

Domain Name System Rebinding

The applications are vulnerable to a DNS rebinding attack. In this attack, a malicious web page causes visitors to run a client-side script that attacks machines elsewhere on the network.[1] To execute a DNS rebinding attack, an attacker can create a malicious website whose DNS name resolves to the local IP address of the computer running a vulnerable μTorrent app. Proof-of-concept exploits were also provided at https://lock.cmpxchg8b.com/Moer0kae.html.
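For detection, the check below is an added example and not part of the original report: it scans resolver logs for a name that a client first resolved to an external address and then, within a short window, to a loopback or private address. The log format, the sample lines and the function names are constructed for illustration.

```python
import ipaddress

# Loopback, private, link-local and unspecified ranges a public name should not resolve to.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

# Constructed sample; assumed format: "epoch_seconds client qname answer_ip ttl"
SAMPLE_LOG = """\
1519800000 10.0.0.23 www.example.org 198.51.100.34 3600
1519800001 10.0.0.23 rebind.attacker.example 203.0.113.7 1
1519800004 10.0.0.23 Rebind.Attacker.Example. 127.0.0.1 1
1519800010 10.0.0.41 intranet.corp.example 10.0.5.20 300
1519800100 10.0.0.41 vpn.corp.example 198.51.100.20 300
1519809000 10.0.0.41 vpn.corp.example 10.0.9.9 300
not a log line
"""

def is_internal(ip):
    addr = ipaddress.ip_address(ip)  # raises ValueError on malformed input
    return any(addr in net for net in INTERNAL_NETS)

def find_rebinding(log_text, window=60):
    """Return sorted (client, qname, external_ip, internal_ip) tuples for names that
    answered with an external address and then an internal one within `window` seconds."""
    last_external = {}  # (client, qname) -> (timestamp, ip)
    hits = set()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines
        try:
            ts = int(parts[0])
            internal = is_internal(parts[3])
        except ValueError:
            continue
        key = (parts[1], parts[2].lower().rstrip("."))  # normalise case and trailing dot
        if not internal:
            last_external[key] = (ts, parts[3])
        elif key in last_external and ts - last_external[key][0] <= window:
            hits.add((key[0], key[1], last_external[key][1], parts[3]))
    return sorted(hits)

if __name__ == "__main__":
    for hit in find_rebinding(SAMPLE_LOG):
        print("possible DNS rebinding:", hit)
```

Names that only ever resolve to internal addresses (split-horizon DNS) and switches that occur outside the window are not flagged.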

Prevention and Mitigation Strategies

μTorrent has already pushed patches in the following releases:

  • μTorrent Stable 3.5.3.44358
  • BitTorrent Stable 7.10.3.44359
  • μTorrent Beta 3.5.3.44352
  • μTorrent Web 0.12.0.502

Our members are advised to update to the latest version of the μTorrent software as soon as possible.[2]

For questions or comments regarding this report, please contact the lab directly at 603-606-1246 or feedback@wapacklabs.com.

 

[1] https://en.wikipedia.org/wiki/DNS_rebinding

[2] https://thehackernews.com/2018/02/torrent-download-software.html
