Get the NEW Torrent Search NOW!!


Forum Talk

KTorrent exploits revealed
posted by soulxtc in bittorrent // 667 days 23 minutes ago

For you Ubuntu users out there, it's just been revealed that earlier versions of the KTorrent BitTorrent client server are vulnerable to attack. A malicious remote peer could send specially crafted messages to overwrite files or execute arbitrary code with user privileges.


It has been reported that versions of the open-source BitTorrent client server KTorrent earlier than 2.1.2 are vulnerable to a pair of hacker attacks.


According to the bug report on the Ubuntu site, the first vulnerability can enable a hacker to cause the application to crash, and also allows them the ability to inject executable code onto a system.



More specifically:


chunkcounter.cpp in KTorrent before 2.1.2 allows remote attackers to cause a denial of service (crash) and heap corruption via a negative or large idx value.


CVSS Severity: 7.0 (High)

Range: Remotely exploitable

Authentication: Not required to exploit

Impact Type: Provides unauthorized access, Allows partial confidentiality, integrity, and availability violation , Allows disruption of service


The second vulnerability is reported to allow the deliberate overwriting of arbitrary files on a user's system. The problem apparently occurs because the KTorrent BitTorrent client server does not correctly validate the destination file paths or the HAVE statements sent by torrent tracker peers. Inserting the string sequence ".." into the torrent filename is said to be all that is needed to break out of defined directories. A malicious remote peer could send specially crafted messages to overwrite files or execute arbitrary code with user privileges.


More specifically:


Directory traversal vulnerability in torrent.cpp in KTorrent before 2.1.2 allows remote attackers to overwrite arbitrary files via ".." sequences in a torrent filename.


CVSS Severity: 5.6 (Medium)

Range: Remotely exploitable

Authentication: Not required to exploit

Impact Type: Provides unauthorized access, Allows partial confidentiality, integrity, and availability violation , Allows disruption of service


In any event, KTorrent version 2.1.2 has been released and addresses both of these critical issues.




RELATED NEWS AND "HOW TO" GUIDES:


3 Quick Ways to Watch Movies for FREE!


3 quick ways to watch TV shows for FREE


BitTorrent tracker sites & search engines


Azureus - A Beginner's Guide to BitTorrent Downloading


uTorrent - A Beginner's guide to BitTorrent downloading


Watch The Simpsons, The Office, Jackass, South Park, Lost, X-Men, and More On-Demand For Free



SOULXTC: "walkin' the streets of P2P"


4

  • #1    Well, that sucks. But, it doesn't affect me because I don't use that applicatioon. Azureus all the way.
    posted by Hath 666 days 23 hours 56 minutes ago

Login to ZeroPaid.com
Username
 Password

* Be sure that you have cookies enabled in your browser, without them you will not be able to login correctly.

Register here if you are not a member of Zeropaid.com.

members that voted for this story
© 2000 - 2008 Zeropaid Inc, All rights reserved.
Company Info | Contact Us | Zeropaid Crew | Advertise | Cheap Cars 		Hosting Provided by:
San Diego Colocation - Complex Drive