![]() ![]() “This requires some simple DNS rebinding to attack remotely, but once you have the (authentication) secret you can just change the directory torrents are saved to, and then download any file anywhere writable,” Ormandy wrote. A DNS rebinding attack is when an adversary abuses DNS to trick a browser into not-enforcing a browser’s Same Origin Policy security, a data protection feature found on modern browsers. Users can also opt to pro-actively download a patched version of uTorrent’s desktop client 3.2.Īccording to a Project Zero proof-of-concept attack against either uTorrent clients, an attacker would have to utilize what’s known as a Domain Name Server (DNS) rebinding attack to exploit the flaws. A patch for the existing clients will be pushed out to users in the coming days, according to Dave Rees, VP of engineering at BitTorrent. On Wednesday, the developer of the uTorrent apps, BitTorrent, said the flaw has been fixed in the most recent beta version of the uTorrent Windows desktop app. Those commands range from downloading malware into the targeted PC’s startup folder or gaining access to user’s download activity information. An attacker behind a rogue website, Ormandy said, can exploit this client-side flaw by hiding commands inside web pages that interact with uTorrent’s RPC servers. Simply put, those JSON-RPC issues create a vulnerability in the desktop and web-based uTorrent clients, which both use a web interface to display website content. ![]() Ormandy said the vulnerabilities are easy to exploit and are tied to various JSON-RPC issues, or problems with how the web-based apps handle JavaScript Object Notations (JSON) as they relate to the company’s remote procedure call (RPC) servers. Project Zero gives vendors a 90-day window to patch a vulnerability before publicly disclosing it. Project Zero security researcher Tavis Ormandy published the research on Wednesday after waiting 90 days from the time it notified uTorrent of its discovery. According to researchers, the flaws allow a hacker to either plant malware on a user’s computer or view the user’s past download activity. Google Project Zero researchers are warning of two critical remote code execution vulnerabilities in popular versions of BitTorrent’s web-based uTorrent Web client and its uTorrent Classic desktop client. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |