SBIE and Pimp My uTorrent

Status
Not open for further replies.

shmu26

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
There is an ethical java trick called Pimp My uTorrent, it is offered on github
Pimp my uTorrent : An angular.js application that removes the ads in uTorrent with a single click
its purpose is to clean up the uTorrent GUI.
I personally don't use uTorrent, but I wanted to test out Sandboxie's ability to protect the file system from exploits coming in through the browser.
I opened chrome in sandbox, but opened uTorrent regular.
Then I went to the Pimp My uTorrent site, and I was surprised and confused to see that it changed the settings in my uTorrent.
What's up with this?
 
  • Like
Reactions: harlan4096

Sandboxie Help

From Sandboxie
Verified
Developer
Feb 26, 2016
23
Changed settings in the browser?
Did you install /
Run the script? In so, where?
If it's SBIE related, it's best to post this sort of stuff in the SBIE forum so Devs can question it.
 

shmu26

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Changed settings in the browser?
Did you install /
Run the script? In so, where?
If it's SBIE related, it's best to post this sort of stuff in the SBIE forum so Devs can question it.
I changed no settings in browser, and I don't know what it means to install /
All I did is click on the button on the web page I mentioned, and then I clicked OK on the windows message box that popped up.
I think my question is more about what a sandbox can and cannot do, rather than a specific SBIE issue.
 

DardiM

Level 26
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
May 14, 2016
1,597
There is an ethical java trick called Pimp My uTorrent, it is offered on github
Pimp my uTorrent : An angular.js application that removes the ads in uTorrent with a single click
its purpose is to clean up the uTorrent GUI.
I personally don't use uTorrent, but I wanted to test out Sandboxie's ability to protect the file system from exploits coming in through the browser.
I opened chrome in sandbox, but opened uTorrent regular.
Then I went to the Pimp My uTorrent site, and I was surprised and confused to see that it changed the settings in my uTorrent.
What's up with this?

When you click on "Pimp My uTorrent" , there is a connection established with your uTorrent (after asking for redirection to a http connection if you used https) and communications.
If you opened uTorrent "regular", setting can be changed this way by uTorrent itself but initiated (see explanation below ) by the click on "Pimp My uTorrent" , even if chrome is open in a sandbox, because it's the uTorrent Client that makes the modifications.
Notice : uTorrent Client has to be running when you click on "Pimp My uTorrent", or else no communications => no modifications :p

Explanation :
=> To connect to your uTorrent Client "Pimp my uTorrent" uses duckietorrent.torrent.js
This is a small part of its description:
*........
* The Utorrent/Bittorrent clients listen on one of 20 ports on localhost to allow other apps to connect to them.
* Discovery is done by performing a /version request to these ports until the first hit
* After that, an authentication token is requested on the client (you need to save this somewhere, the demo does so in localStorage)
* With the token you can get a session ID, and with the session ID you can start polling for data. Don't poll and the session will expire and you will need to fetch a new session ID with the token.*
* Polling for data results in a tree structure of RPC functions and object data
* The RPC structures are matched against regexes and the parameters are type-checked.
* Passing the wrong data into a callback will crash uTorrent/BitTorrent violently (Which could be an attack angle for security researchers)
*......

"RPC is a kind of request–response protocol. An RPC is initiated by the client, which sends a request message to a known remote / local server to execute a specified procedure with supplied parameters."
In your case, the client is "Pimp my uTorrent", the server is your "uTorrent" (to simplify).

=> duckietorrent.torrent.js can do it with your uTorrent, and modifications are made by your uTorrent Client itself, because it's one of its procedure that is called.

Parameters used , found in controllers.js, which correspond to the values that your uTorrent will change :

var pimpValues = {
'gui.pro_installed': true,
'offers.left_rail_offer_enabled': false,
'offers.sponsored_torrent_offer_enabled': false,
'show_bundles_tab': false,
'offers.featured_content_badge_enabled': false,
'gui.show_plus_upsell_nodes': false,
'gui.show_gate_notify': false,
'gui.show_plus_upsell': false,
'gui.show_plus_av_upsell': false,
'offers.content_offer_autoexec': false,
'offers.featured_content_notifications_enabled': false,
'offers.featured_content_rss_enabled': false
};


I have not investigated more, it's enough to answer you question, I think :)
(02h54 am in my Country, time to go to sleep)

EDITED to be more understandable
 
Last edited:

shmu26

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
thanks for detailed answer.
please pardon my uneducated question: if this java script can change my file system, even if browser is sandboxed, what is to stop other exploits from changing my file system?
And if exploits can change file system, why run browser in sandbox?

EDIT: it could be argued that sandboxing the browser protects against downloads. But that can be accomplished by an anti-exe.
 
Last edited:
  • Like
Reactions: DardiM
D

Deleted member 178

By default, Sandboxie doesn't stop exploits or malwares ; it just isolate them. To allow process/network blocking, you have to customized it. It is why Sandboxie should never be let in default setting.
 
  • Like
Reactions: DardiM

shmu26

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
By default, Sandboxie doesn't stop exploits or malwares ; it just isolate them. To allow process/network blocking, you have to customized it. It is why Sandboxie should never be let in default setting.
I have it set so that only chrome processes have permission to run.
 

DardiM

Level 26
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
May 14, 2016
1,597
thanks for detailed answer.
please pardon my uneducated question: if this java script can change my file system, even if browser is sandboxed, what is to stop other exploits from changing my file system?
(1) No, it's the uTorrent client which is made/programmed to accept localhost/remote connection from another process.
So, only what the programmer of uTorrent has allowed can be change in uTorrent, and no system files (or only if you gave all access to you uTorrent :eek:).

(2) And if exploits can change file system, why run browser in sandbox?
By default, Sandboxie doesn't stop exploits or malware ; it just isolate them. To allow process/network blocking, you have to customized it. It is why Sandboxie should never be let in default setting.
(3)
I have it set so that only chrome processes have permission to run.
This way, chrome has permission to establish a connection (localhost/port) with your uTorrent Client (which must be running, otherwise nothing happen), using duckietorrent.torrent.js
* The Utorrent/Bittorrent clients listen on one of 20 ports on localhost to allow other apps to connect to them.
* Discovery is done by performing a /version request to these ports until the first hit
* After that, an authentication token is requested on the client (you need to save this somewhere, the demo does so in localStorage)
* With the token you can get a session ID, and with the session ID you can start polling for data. Don't poll and the session will expire and you will need to fetch a new session ID with the token.*
* Polling for data results in a tree structure of RPC functions and object data
* The RPC structures are matched against regexes and the parameters are type-checked.
* Passing the wrong data into a callback will crash uTorrent/BitTorrent violently (Which could be an attack angle for security researchers)
(4) It isn't the JavaScript used by "Pimp My uTorrent" that directly changes your uTorrent settings. It only connect to your uTorrent Client and call a uTorrent Procedure with valid parameters (see my first post to see parameters used). This way it is your uTorrent itself that changes some settings (to removes ads) - and none of your files that can't be accessed by normal use of uTorrent can be change (unless you gave it all rights :rolleyes:).

EDITED to be more understandable
 
Last edited:

shmu26

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
1) if this java script can change my file system, even if browser is sandboxed, what is to stop other exploits from changing my file system?
=> No, it's the uTorrent client wich is made to accept localhost connection, and communicate this way with another process.
So, only what the creator of uTorrent has allowed can be change uTorrent. Not on sytem files.

2) And if exploits can change file system, why run browser in sandbox?

EDIT: it could be argued that sandboxing the browser protects against downloads. But that can be accomplished by an anti-exe.

3)

This way, chrome has permission to etablish a connection on localhost, on ports, then :



It isn't the JavaScript used by "Pimp My uTorrent" which directly change files. It only communicate with uTorrent Client by Local Neywork, connecting directly to uTorrent Client witch is made to accept this connection and interaction. So only files that can be accessed in normal use by uTorrent can be modified, no system files.
hey, thanks a lot. that clears up a lot of things.
 
  • Like
Reactions: DardiM

DardiM

Level 26
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
May 14, 2016
1,597
I have edited my previous posts, to be more understandable
(I need to improve my English :()
 

shmu26

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
je comprends le tout
 
  • Like
Reactions: DardiM
Status
Not open for further replies.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top