This Week in Security: uTorrent Vulnerable, Crowd-Sourcing Your Fail2Ban, and Cryptographers at Casinos

The uTorrent client was recently updated to fix a null pointer dereference (CVE-2020-8437), discovered by [whtaguy]. Triggering the dereference simply crashes the client — so far an actual RCE hasn’t been found. Given the nature of the null pointer dereference, it’s possible this bug is limited to denial of service. That’s extremely good, because the flaw is extremely easy to target.

BitTorrent is a clever protocol. It’s still used to distribute large files, like Linux ISOs. The concept is simple: Split a large file into small chunks. Send the chunks to a client one at a time. As each chunk is received, the client sends a copy of that chunk to the next client. As a result of this peer-to-peer (p2p) arrangement, the bandwidth available to the server is greatly multiplied. As with all other p2p arrangements, the sticking point is how to make those connections between peers, particularly when most of the world’s desktops are behind NAT routers. In practice, for two peers to share data, at least one of them has to have a port opened or forwarded to the client. This is often accomplished through Universal Plug-n-Play (UPnP) or the NAT Port Mapping Protocol (NAT-PMP). The idea behind both protocols is the same: a client on an internal device can request a temporary port forward without manual intervention. Whether it’s a good idea to allow automatic port forwards is another issue for another day.

BitTorrent uses a custom data serialization scheme, bencode, to include more complex data structures in both .torrent files and the handshake sent between peers when connecting. Bencode can represent multiple data types, one of which is a dictionary. Of interest here is that a dictionary can contain a dictionary as a value, and the protocol doesn’t specify a maximum depth. In the uTorrent client, this depth is tracked internally by using an integer as a bit field, essentially bit-shifting a binary 1 into this integer for each level of dictionary parsed. The bencode decoding code overflows the integer when more than 32 dictionaries are nested. This overflow results in an attempted access of a null pointer, crashing the client.
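Because the format sets no maximum depth, a decoder has to pick one and enforce it. The following is an added example, not uTorrent's code or anything from the original write-up: a pre-parse guard that measures container nesting in bencoded bytes and rejects input deeper than a chosen limit. The names `max_nesting`, `BencodeError` and the `MAX_DEPTH` value of 32 are assumptions made for illustration.

```python
MAX_DEPTH = 32  # assumed policy limit; the bencode format itself sets none


class BencodeError(ValueError):
    pass


def max_nesting(data: bytes, limit: int = MAX_DEPTH) -> int:
    """Return the deepest list/dict nesting; raise BencodeError if malformed or over limit."""
    # Iterative on purpose: a recursive scanner would have its own depth problem.
    i, depth, deepest, n = 0, 0, 0, len(data)
    while i < n:
        c = data[i:i + 1]
        if c in (b"d", b"l"):              # container opens
            depth += 1
            if depth > limit:
                raise BencodeError(f"nesting exceeds {limit} at offset {i}")
            deepest = max(deepest, depth)
            i += 1
        elif c == b"e":                    # container closes
            if depth == 0:
                raise BencodeError(f"unbalanced 'e' at offset {i}")
            depth -= 1
            i += 1
        elif c == b"i":                    # integer: i<digits>e
            end = data.find(b"e", i)
            body = data[i + 1:end] if end != -1 else b""
            if not (body[1:] if body[:1] == b"-" else body).isdigit():
                raise BencodeError(f"bad integer at offset {i}")
            i = end + 1
        elif c.isdigit():                  # string: <len>:<bytes>, skipped unparsed
            colon = data.find(b":", i)
            if colon == -1 or not data[i:colon].isdigit():
                raise BencodeError(f"bad string length at offset {i}")
            i = colon + 1 + int(data[i:colon])
            if i > n:
                raise BencodeError("string runs past end of input")
        else:
            raise BencodeError(f"unexpected byte at offset {i}")
    if depth:
        raise BencodeError("unterminated container")
    return deepest


if __name__ == "__main__":
    # Constructed samples, not captured traffic.
    print(max_nesting(b"d4:infod6:lengthi10eee"))   # nested dictionaries
    print(max_nesting(b"l5:ddddde"))                # 'd' bytes inside a string are skipped
```

The guard only tracks nesting and token boundaries; it does not check that dictionary keys are strings or that keys are sorted, so it belongs in front of a full decoder rather than in place of one.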

This vulnerable code can be targeted in two different ways. The first is through a specially crafted torrent file. This is rather uninteresting, as the client simply crashes when trying to open the file. The interesting vector is through peer handshakes. The malicious bencode data can be sent as a part of the handshake, crashing the client on the other end. This ability is intriguing, because it could be used in a targeted DoS attack against a specific torrent.

It’s been pointed out that a popular older version of uTorrent doesn’t have this exact vulnerability, though the normal caution about running outdated software still applies. It’s also possible that similar vulnerabilities could be found in other BitTorrent clients.

Crowd-Sourced Fail2ban

If you run a service connected to the internet, then you probably know a bit about fail2ban. It’s a daemon that watches your system logs for repeated events, like an attempt at guessing an SSH password, and temporarily blacklists the IP address making the guesses. It’s a handy tool, but wouldn’t it be even better if that live blacklist could be used on many systems at once? Crowdsec aims to be that solution. Once installed and opted-in, each event of interest is turned into a data point consisting of the IP, event type, and timestamp, and uploaded to the central database. From there, each report is folded into the continually evolving blacklist. The project is young, but this might be one to keep your eyes on.

When a Cryptographer Goes to the (Virtual) Casino

Our old friends, the NCC Group, took aim at a niche industry, online gambling. Specifically, they took a look at online roulette wheel gambling, but their techniques are widely applicable.

The first principle to understand is that the house always wins. To put it another way, the gambling establishment is guaranteed to make a profit. Understanding exactly how that works can be important. In the case of roulette, both types of wagers are stacked slightly towards the house. The margin is small enough that even a minor advantage can turn the tables. So, one of the easiest avenues to examine is the random number generator. Find the list of winning numbers, and see if some numbers actually come up more often. A quick trick the authors shared: represent the numbers as a bitmapped image. The human brain is exceptionally good at recognizing patterns when the data is displayed the right way.
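An operator can run the same frequency check against its own wheel before someone else does. This is an added example, not code from the NCC Group write-up: a Pearson chi-square test of pocket counts against a uniform wheel, plus the bitmap trick as an ASCII PGM image. The 37-pocket single-zero wheel, the function names and the sample spin lists are assumptions constructed for illustration.

```python
from collections import Counter

POCKETS = 37              # assumption: single-zero wheel, outcomes 0..36
CHI2_CRIT_1PCT = 58.619   # chi-square critical value for 36 degrees of freedom, p = 0.01


def chi_square(spins, pockets=POCKETS):
    """Pearson chi-square statistic of observed pocket counts against a uniform wheel."""
    counts = Counter(spins)
    expected = len(spins) / pockets
    return sum((counts.get(p, 0) - expected) ** 2 / expected for p in range(pockets))


def looks_biased(spins, pockets=POCKETS, critical=CHI2_CRIT_1PCT):
    """True when the counts deviate from uniform at the 1% level.

    The default critical value is only valid for 37 pockets; pass a matching
    one if the pocket count changes.
    """
    return chi_square(spins, pockets) > critical


def to_pgm(spins, width, pockets=POCKETS):
    """Render outcomes as an ASCII PGM greyscale image, one pixel per spin."""
    usable = len(spins) - len(spins) % width          # drop the incomplete last row
    rows = [spins[i:i + width] for i in range(0, usable, width)]
    body = "\n".join(" ".join(str(v) for v in row) for row in rows)
    return f"P2\n{width} {len(rows)}\n{pockets - 1}\n{body}\n"


if __name__ == "__main__":
    # Constructed data: a perfectly even history, and one where pocket 17 is over-represented.
    fair = list(range(POCKETS)) * 100
    skewed = fair + [17] * 100
    print(looks_biased(fair), looks_biased(skewed))
    with open("spins.pgm", "w") as fh:
        fh.write(to_pgm(skewed, width=64))
```

A frequency test only catches uneven pocket counts; sequence-level patterns are what the image view is for, since a generator can be perfectly uniform and still predictable.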

Another possible weakness is how the close of betting is implemented. If a user could modify the site’s JS in the browser, he could send bets later than intended. If the server-side doesn’t carefully check for such an attack, late bets could give a player an edge. The entire write-up is full of interesting strategies, both for general web security research and for gambling and roulette specifically.

Bits and Bytes

Remember the botched AES implementation in Microsoft’s Active Directory? The US Cybersecurity and Infrastructure Security Agency (CISA) has deemed it a severe enough risk that any government systems that haven’t been patched (as of the 22nd) are to be permanently disconnected from government networks.

Drupal just released an update that addresses a cross-site scripting (XSS) vulnerability. An XSS attack is one where one user can inject some JavaScript into a website, and it runs when other users view the impacted page. (The Samy worm on Myspace being the prime example.) There isn’t much additional detail available at this time, but this problem is in Drupal core, rather than a 3rd party plugin, so the impact is potentially quite wide. Go dust off those Drupal installs, and get them updated!