Google Project Zero security researcher Tavis Ormandy found that the flaws impact uTorrent Web, a new web-based version of the uTorrent BitTorrent client, and uTorrent Classic. Both clients expose an RPC server: on port 10000 (uTorrent Classic) and port 19575 (uTorrent Web).
Attackers can hide commands inside web pages that interact with this open RPC server; the attacker only needs to trick a user running a vulnerable uTorrent client into visiting a malicious web page.
uTorrent clients are also susceptible to DNS rebinding, a technique that lets a malicious web page make its requests to the RPC server look legitimate, so the server accepts them.
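The usual defence for a loopback RPC service against the DNS rebinding and cross-site access described above is to validate the Host header (and, for browser requests, the Origin header) before acting on any request. The code below is an added example written for this article, not code from uTorrent or from Ormandy's report; the port number is the one the article cites, while the `attacker.example` name and the sample request headers are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

UTORRENT_WEB_PORT = 19575      # RPC port for uTorrent Web, as stated in the article
ALLOWED_HOSTNAMES = {"localhost"}


def parse_host_header(value: str):
    """Split a Host header ('host:port', IPv6 in brackets) into (host, port)."""
    # urlsplit lowercases the hostname, strips IPv6 brackets and parses the port;
    # it raises ValueError on a malformed or out-of-range port.
    parts = urlsplit("//" + value.strip())
    return parts.hostname, parts.port


def is_trusted_host(host_value: str, expected_port: int) -> bool:
    """True only if Host names the loopback interface *and* the expected RPC port."""
    try:
        host, port = parse_host_header(host_value)
    except ValueError:
        return False
    if host is None or port != expected_port:
        return False
    if host in ALLOWED_HOSTNAMES:
        return True
    try:
        return ipaddress.ip_address(host).is_loopback  # 127.0.0.1, ::1, ...
    except ValueError:
        # A DNS name that is not 'localhost': after DNS rebinding the browser still
        # sends the attacker's hostname here even though it now resolves to 127.0.0.1.
        return False


def should_serve(headers: dict, expected_port: int) -> bool:
    """Gate an RPC request: require a trusted Host and reject foreign Origins."""
    if not is_trusted_host(headers.get("Host", ""), expected_port):
        return False
    origin = headers.get("Origin")  # present on browser-initiated cross-site requests
    if origin is not None and not is_trusted_host(urlsplit(origin).netloc, expected_port):
        return False
    return True


# Constructed sample requests (hypothetical): what the server would see in each case.
SAMPLE_REQUESTS = {
    "local_ui": {"Host": "localhost:19575", "Origin": "http://localhost:19575"},
    "rebinding": {"Host": "attacker.example:19575", "Origin": "http://attacker.example:19575"},
    "cross_site": {"Host": "127.0.0.1:19575", "Origin": "http://attacker.example"},
}


def classify_samples() -> dict:
    """Return which constructed requests the hardened server would accept."""
    return {name: should_serve(h, UTORRENT_WEB_PORT) for name, h in SAMPLE_REQUESTS.items()}
```

Only the request that the client's own UI would make is served; the rebound request is rejected on its Host header and the cross-site one on its Origin.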
uTorrent Web has the biggest issues. Ormandy says that an attacker can obtain the RPC server's "authentication secret" to "gain complete control of the [RPC] service" and, with it, of the uTorrent Web client. They can download malware onto the user's computer and change the default downloads folder so that anything the attacker downloads is automatically executed at the next boot-up.
Ormandy thinks he could retrieve other data from the uTorrent Web client, but since he obtained a full compromise, he did not bother.
The uTorrent Classic client is not as exposed. Ormandy said he could get a list of past downloads and, optionally, retrieve previously downloaded files from the user's computer if they were still available.
Ormandy has published two demo pages, for uTorrent Web and uTorrent Classic, as a proof of concept of his findings.
BitTorrent has released version 3.5.3 Beta for the uTorrent Classic client to address the issues, which is expected to reach the stable branch soon. uTorrent Web has already been updated.