uTorrent CVE-2020-8437 Vulnerability And Exploit Overview
The world’s most popular torrent client, uTorrent, contained a security vulnerability — later to be called CVE-2020-8437 — that could be exploited by a remote attacker to crash and corrupt any uTorrent instance connected to the internet. As white-hat hackers, my friend (who wishes to remain anonymous) and I reported this vulnerability as soon as we found it and it was quickly fixed. Now, after ample time has been given for users to update, it’s safe to disclose an overview of the vulnerability and how to exploit it.
Torrent Protocol - What You Need To Know
BitTorrent Handshake
Handshake Packet Format
- Name Length - 1 byte unsigned int - The length of the string that follows.
- Protocol Name - variable length string - The protocol the initiating peer supports. This field is for future compatibility, but is set to “BitTorrent protocol” in all major implementations.
- Reserved Bytes - 8 byte bitfield - Each bit represents a protocol extension (functionality) that was not part of the original BitTorrent specification. Modern torrent clients use this field to advertise their advanced capabilities, which are then used for an optimized download. Today, the vast majority of torrent clients support the “Extension Protocol” extension (confusing name, I know), the 20th bit in this bit field, which provides a foundation for exchanging information about other extensions. Yes, you understood that correctly: there is an extension bit that allows for even more extensions. I wonder what such a complicated protocol can lead to 😉.
- Info Hash - 20 byte SHA1 - Used to identify the torrent the initiating peer wants to download, this is the hash of all the information needed to download the torrent (torrent name, hashes of file sections, file section size, file section count, etc…).
- Peer ID - 20 byte buffer - A self-designated random ID the initiating peer gives itself.
Figure 1. BitTorrent handshake packet #1 as seen in Wireshark
After a peer receives a handshake packet, it replies with its own handshake packet in the exact same format.
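To make the handshake layout concrete, here is an added example (not code from the original post or from uTorrent) that serializes and parses the packet described above, checking every length before reading a field. The info hash and peer ID are constructed values; the position of the Extension Protocol flag (bit 20 counting from the least-significant bit of the reserved field, i.e. `0x10` in the sixth reserved byte) is the BEP 10 convention.

```python
import hashlib
import struct

PROTOCOL_NAME = b"BitTorrent protocol"
# BEP 10 Extension Protocol flag: bit 20 of the 8-byte reserved field,
# counted from the least-significant bit, which lands in reserved[5] & 0x10.
EXTENSION_PROTOCOL_BYTE = 5
EXTENSION_PROTOCOL_MASK = 0x10

# Constructed sample values (not from any real torrent or client).
CONSTRUCTED_INFO_HASH = hashlib.sha1(b"constructed torrent metadata").digest()
CONSTRUCTED_PEER_ID = b"-XX0001-000000000000"   # exactly 20 bytes


def build_handshake(info_hash: bytes, peer_id: bytes, extension_protocol: bool = True) -> bytes:
    """Serialize <name length><protocol name><reserved><info hash><peer id>."""
    if len(info_hash) != 20 or len(peer_id) != 20:
        raise ValueError("info_hash and peer_id must be exactly 20 bytes")
    reserved = bytearray(8)
    if extension_protocol:
        reserved[EXTENSION_PROTOCOL_BYTE] |= EXTENSION_PROTOCOL_MASK
    return (struct.pack("B", len(PROTOCOL_NAME)) + PROTOCOL_NAME
            + bytes(reserved) + info_hash + peer_id)


def parse_handshake(data: bytes) -> dict:
    """Parse a handshake from the start of a byte buffer.

    Lengths are validated before any field is sliced, so a truncated or
    oversized packet raises instead of yielding short or shifted fields.
    """
    if len(data) < 1:
        raise ValueError("truncated handshake: missing name length")
    name_len = data[0]
    total = 1 + name_len + 8 + 20 + 20
    if len(data) < total:
        raise ValueError(f"truncated handshake: need {total} bytes, got {len(data)}")
    off = 1
    name = data[off:off + name_len]
    off += name_len
    reserved = data[off:off + 8]
    off += 8
    info_hash = data[off:off + 20]
    off += 20
    peer_id = data[off:off + 20]
    off += 20
    return {
        "protocol_name": name,
        "reserved": reserved,
        "info_hash": info_hash,
        "peer_id": peer_id,
        "extension_protocol": bool(reserved[EXTENSION_PROTOCOL_BYTE] & EXTENSION_PROTOCOL_MASK),
        # Anything after the fixed-size handshake belongs to the next message.
        "trailing": data[off:],
    }


def demo() -> dict:
    """Build a handshake from the constructed values and parse it back."""
    return parse_handshake(build_handshake(CONSTRUCTED_INFO_HASH, CONSTRUCTED_PEER_ID))


if __name__ == "__main__":
    print(demo())
```

With the standard protocol name the packet is always 68 bytes, which is why `parse_handshake` can compute the expected size up front and reject anything shorter before touching the reserved bits or the hashes.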
If both peers set the Extension Protocol bit in the Reserved Bytes field, the peers then exchange further information about extensions, using an “Extended” message handshake.
BitTorrent Extended Message Handshake
Extended Message Handshake Packet Format
- Length - 4 bytes unsigned int - the length of the entire message that follows
- BitTorrent Message Type - 1 byte - The BitTorrent message ID of this packet. This is set to 20 (0x14) for Extended Messages
- BitTorrent Extended Message Type - 1 byte - The Extended Message ID of this extended message. This is set to 0 for an extension exchange.
- M - dynamically sized - a bencoded dictionary of the supplemental extensions supported.
Figure 2. Extended Message Extension Exchange
Bencoded Dictionaries
Figure 3. A Bencoded Dictionary Is Very Similar To A Python Dictionary
Figure 4. Both Formats (But We Only Care About Bencoded Dictionaries) can contain more dictionaries inside themselves
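The following is an added example, not code from the original post or from any torrent client, that ties the two previous sections together: a small bencode encoder for the four bencode types (integers, byte strings, lists and dictionaries, including dictionaries nested inside dictionaries as in Figure 4), and a function that frames the resulting dictionary as the Extended Message handshake from Figure 2 (4-byte length, message ID 20, extended message ID 0, bencoded payload). The extension names and client name in the usage are constructed placeholders.

```python
import struct

BT_MSG_EXTENDED = 20     # BitTorrent message ID reserved for extended messages
EXT_MSG_HANDSHAKE = 0    # extended message ID used for the extension exchange


def bencode(value) -> bytes:
    """Bencode an int, str/bytes, list or dict.

    Integers become i<digits>e, byte strings <length>:<bytes>, lists
    l...e and dictionaries d...e with keys sorted bytewise, which the
    format requires so that equal dictionaries always encode identically.
    """
    if isinstance(value, bool):
        raise TypeError("bencode has no boolean type")
    if isinstance(value, int):
        return b"i" + str(value).encode("ascii") + b"e"
    if isinstance(value, str):
        value = value.encode("utf-8")
    if isinstance(value, (bytes, bytearray)):
        return str(len(value)).encode("ascii") + b":" + bytes(value)
    if isinstance(value, (list, tuple)):
        return b"l" + b"".join(bencode(item) for item in value) + b"e"
    if isinstance(value, dict):
        # Normalise keys to bytes so str and bytes keys sort consistently.
        normalised = {}
        for key, item in value.items():
            if isinstance(key, str):
                key = key.encode("utf-8")
            if not isinstance(key, (bytes, bytearray)):
                raise TypeError("dictionary keys must be strings")
            normalised[bytes(key)] = item
        out = b"d"
        for key in sorted(normalised):
            out += bencode(key) + bencode(normalised[key])
        return out + b"e"
    raise TypeError(f"cannot bencode {type(value).__name__}")


def build_extended_handshake(supported: dict, client_name: str) -> bytes:
    """Frame an extension exchange: <length:4><20><0><bencoded dictionary>.

    `supported` maps extension names to the message IDs this peer assigns
    them; it is sent under the "m" key, with the client version under "v".
    """
    payload = bencode({"m": supported, "v": client_name})
    body = struct.pack("BB", BT_MSG_EXTENDED, EXT_MSG_HANDSHAKE) + payload
    return struct.pack(">I", len(body)) + body


if __name__ == "__main__":
    # Constructed values: an imaginary client advertising one extension.
    message = build_extended_handshake({"ut_example": 1}, "ExamplePeer 0.1")
    print(message)
    print(bencode({"outer": {"inner": {"k": 1}}}))
```

Each nesting level simply adds another `d ... e` pair around the payload, which is the property the next section turns into a crash: nothing in the encoding itself bounds how many levels a sender can wrap.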
The CVE-2020-8437 Vulnerability
Figure 5. uTorrent crash message 🥳
Exploiting CVE-2020-8437
Remote Peer Exploit
As described earlier, when two peers that support Extended Messages start communicating with each other, they each send a packet enumerating the various extensions they support. That information about supported extensions is sent as a bencoded dictionary, and since that bencoded dictionary gets parsed by the client, if that dictionary is malicious (having more than 32 nested dictionary layers), it will trigger CVE-2020-8437. 😊
Torrent File Exploit
.torrent files encapsulate the most basic information a client needs to start downloading torrents. These files are openly and commonly shared on torrent websites, downloaded, and then opened by torrent clients, effectively making these files a possible vehicle for triggering vulnerabilities in those torrent clients. Let me take you on a behind-the-scenes-sneak-peek-never-before-seen-on-live-tv look at the internals of a .torrent file, exposing how simple it is to use it to trigger CVE-2020-8437: a .torrent file is simply a bencoded dictionary saved as a file. So to exploit CVE-2020-8437 from a .torrent file, you just need to save a malicious bencoded dictionary to a file and give that file the .torrent extension. Check out my .torrent file exploit.
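Both delivery paths above (the extension handshake from a remote peer and a .torrent file opened locally) feed the same thing into the client: a bencoded dictionary whose nesting depth the sender controls. The defensive fix is a decoder that bounds that depth before recursing. The block below is an added example, not uTorrent's code or the original author's exploit: a bencode decoder that refuses any list or dictionary nested deeper than a limit, a `safe_to_parse` check that can be applied to handshake payloads or .torrent bytes before handing them to a full parser, and a constructed generator of nested dictionaries used only to exercise the limit. The limit of 32 comes from the post's description of the trigger; the function names are hypothetical.

```python
# More than 32 nested dictionary layers triggered the crash described above,
# so 32 is the deepest input this decoder will accept.
MAX_NESTING = 32


class BencodeError(ValueError):
    """Malformed, truncated or excessively nested bencoded input."""


def bdecode(data: bytes, max_depth: int = MAX_NESTING):
    """Decode one bencoded value, rejecting lists/dicts nested deeper than max_depth."""
    value, end = _decode(data, 0, 0, max_depth)
    if end != len(data):
        raise BencodeError(f"{len(data) - end} trailing bytes after value")
    return value


def _decode(data: bytes, pos: int, depth: int, max_depth: int):
    if pos >= len(data):
        raise BencodeError("unexpected end of input")
    c = data[pos:pos + 1]
    if c == b"i":                                    # integer: i<digits>e
        end = data.find(b"e", pos)
        if end < 0:
            raise BencodeError("unterminated integer")
        digits = data[pos + 1:end]
        body = digits[1:] if digits[:1] == b"-" else digits
        if not body.isdigit():
            raise BencodeError("malformed integer")
        return int(digits), end + 1
    if c.isdigit():                                  # byte string: <len>:<bytes>
        colon = data.find(b":", pos)
        if colon < 0 or not data[pos:colon].isdigit():
            raise BencodeError("malformed string length")
        length = int(data[pos:colon])
        start = colon + 1
        if start + length > len(data):
            raise BencodeError("string runs past end of input")
        return data[start:start + length], start + length
    if c in (b"l", b"d"):                            # list or dictionary
        # Depth is checked before recursing, so a hostile payload is rejected
        # at layer max_depth + 1 instead of being walked to its full depth.
        if depth + 1 > max_depth:
            raise BencodeError(f"nesting deeper than {max_depth} at offset {pos}")
        pos += 1
        items = []
        while True:
            if pos >= len(data):
                raise BencodeError("unterminated list/dict")
            if data[pos:pos + 1] == b"e":
                pos += 1
                break
            item, pos = _decode(data, pos, depth + 1, max_depth)
            items.append(item)
        if c == b"l":
            return items, pos
        keys = items[0::2]
        if len(items) % 2 or not all(isinstance(k, bytes) for k in keys):
            raise BencodeError("dictionary needs byte-string keys in key/value pairs")
        return dict(zip(keys, items[1::2])), pos
    raise BencodeError(f"unexpected byte {c!r} at offset {pos}")


def safe_to_parse(data: bytes, max_depth: int = MAX_NESTING) -> bool:
    """True if the bytes decode cleanly within the depth limit, else False."""
    try:
        bdecode(data, max_depth)
        return True
    except BencodeError:
        return False


def check_torrent_file(path: str) -> bool:
    """Read a .torrent file and report whether it is safe to hand to a parser."""
    with open(path, "rb") as fh:
        return safe_to_parse(fh.read())


def constructed_nested_dicts(n: int) -> bytes:
    """Constructed test input: n dictionaries nested under key 'k', e.g. d1:kdee for n=2."""
    return b"d1:k" * (n - 1) + b"de" + b"e" * (n - 1)


if __name__ == "__main__":
    print(safe_to_parse(constructed_nested_dicts(32)))   # within the limit
    print(safe_to_parse(constructed_nested_dicts(33)))   # one layer too deep
```

The same `safe_to_parse` gate works on the payload of an incoming extension handshake and on the bytes of a downloaded .torrent file, because both are just bencoded dictionaries; the depth check runs before recursion, so the decoder's stack usage is bounded by the limit rather than by whatever the sender chose.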