Opinion: uT 2.2.1 hasn't been conclusively proven to be vulnerable to RPC


bsaambl


I post this opinion found in another forum because I agree 100% with the whole argument:
 

 
I feel compelled to write this post because there's a bit of misinformation & scattered discussion.

There might be (common) opinion that all (previous) versions of uT (including 2.2.1) are vulnerable to the recent RPC attack (or under certain conditions), but sites are starting to ban all of uT, even versions that aren't vulnerable. This is not intended as a thread to discuss uT alternatives as dT & qBT have their own quirks (forced rechecking on drive disconnect & foldering/naming issues). ** This thread is mainly intended to provide & garner accurate info/updates/discussion & to persuade sites to allow 2.2.1.

To sites that have banned 2.2.1: I hope you reconsider. To sites that have not banned 2.2.1: Kudos to you (especially if you have changed position)**

There is only evidence that Travis only tested 3.5 https://bugs.chromium.org/p/project-...-lg==&inline=1

*Actually, 2.2.1 is not vulnerable even when net.discoverable isn't set to false 

From user 3***:
 
"Even without setting net.discoverable to false, uTorrent 2.2.1 doesn't have any endpoints that can crash the client or obtain info about the user's system. So in its default state the worst somebody can do is annoying popups."
"I disassembled it myself; it has less than half a dozen RPC endpoints"
(3*** supposedly disassembled it too). Nevertheless it is generally advised to set net.discoverable=false

Some tests show that 221 might not be vulnerable https://bugs.chromium.org/p/project-...il?id=1524#c24

(I tested it myself too)

Maybe some other versions might not be vulnerable

From another user: "A few self reports show now of 3.1.3 and 3.2.3 not being vulnerable." 

"I have run the PoC tests against v2.0.4 and v3.3.1, and the result is the same as described in previous comments. Only the popups showed."
https://bugs.chromium.org/p/project-...il?id=1524#c30

I haven't tested these myself

But uT 221 is bad & so it's old!!!

https://en.wikipedia.org/wiki/Appeal_to_novelty

But uT 221 is bad & it won't be fixed!!!

It's old, but not vulnerable.

"As far as I know, old versions are not security supported - I wouldn't recommend using them. I haven't looked, and as the vendor wouldn't patch it anyway, it doesn't seem useful to audit old versions. "

https://bugs.chromium.org/p/project-...il?id=1524#c16

Travis said he hasn't tested it. Possible confusion may arise from his phrasing.

"I haven't looked, and as [it's vulnerable] the vendor wouldn't patch it anyway"

Correct interpretation: "I haven't looked, and as [it's not security supported] the vendor wouldn't patch it [if it's vulnerable]"

But uT 221 might have other security holes since it's old & unsupported!!!

uT 221 has proven itself time & time again through multiple fiascos that it is not vulnerable to them (flash ads, this RPC)

My opinion: I believe banning uT 2.2.1 is the dumbest decision private tracker admins have ever made, and the truth is they have already made a bunch of them in the past. You can't hurry and take snappy actions in a state of panic. The whole thing will probably backfire soon enough, but the consequences are going to be nasty unfortunately (for all of us).
You can't screw with one of the best things that trackers are built on and expect nothing bad will come out of it.
uT 2.2.1 has proven itself to be the best client in many years and it is illogical for it to be written off in a night's time without adequate evidence to support that.
If it ain't broken, don't fix it.
