uTorrent's Recent Vulnerability

[Anna Kushina (櫛名アンナ)]

The uTorrent client was recently updated to fix a null pointer dereference (CVE-2020-8437), discovered by [whtaguy]. Triggering the dereference simply crashes the client — so far an actual RCE hasn’t been found. Given the nature of the null pointer dereference, it’s possible this bug is limited to denial of service. That’s extremely good, because the flaw is extremely easy to target.

BitTorrent is a clever protocol. It’s still used to distribute large files, like Linux ISOs. The concept is simple: Split a large file into small chunks. Send the chunks to a client one at a time. As each chunk is received, the client sends a copy of that chunk to the next client. As a result of this peer-to-peer (p2p) arrangement, the bandwidth available to the server is greatly multiplied. As with all other p2p arrangements, the sticking point is how to make those connections between peers, particularly when most of the world’s desktops are behind NAT routers. In practice, for two peers to share data, at least one of them has to have a port opened or forwarded to the client. This is often accomplished through Universal Plug-n-Play (UPnP) or the NAT Port Mapping Protocol (NAT-PMP). The idea of both protocols are the same; a client on an internal device can request a temporary port forward without manual intervention. Whether it’s a good idea to allow automatic port forwards is another issue for another day.

BitTorrent uses a custom data serialization scheme, bencode, to include more complex data structures in both .torrent files, as well as the handshake sent between peers when connecting. Bencode can represent multiple data types, one of which being a dictionary type. Of interest here is that a dictionary can contain a dictionary as a value, and the protocol doesn’t specify a maximum depth. In the uTorrent client, this depth is tracked internally by using an integer as a bit field, essentially bit-shifting a binary 1 into this integer for each level of dictionary parsed. The bencode decoding code overflows the integer when more than 32 dictionaries are nested. This overflow results in an attempted access of a null pointer, crashing the client.

This vulnerable code can be targeted in two different ways. The first is through a specially crafted torrent file. This is rather uninteresting, as the client simply crashes when trying to open the file. The interesting vector is through peer handshakes. The malicious bencode data can be sent as a part of the handshake, crashing the client on the other end. This ability is intriguing, because it could be used in a targeted DoS attack against a specific torrent.

It’s been pointed out that a popular older version of uTorrent doesn’t have this exact vulnerability, though the normal caution about running outdated software still applies. It’s also possible that similar vulnerabilities could be found in other BitTorrent clients.