Security Advisory for all clients
Posted: 19 May 2010, 10:29
Well guys, I'm back with another grim report on WHY it's important to update your client. Some of my other security reports were about older exploits, so I thought it was high time to show off some new stuff that's affecting the net.
Type of attack: Remote
Information: This attack sends a faulty command that results in a crash
How we solved it: Applied the update of OpenSSL
"Record of death" vulnerability
Type of attack: Local/Remote
Information: This attack can crash DC++ and mods during transfer or when opening local filelist
How we solved it: Well, we did it so the client generates a new filelist on the spot every time someone grabs a filelist; that way it can't be replaced by a malicious filelist.
DC++ 0.75 and older vulnerable to bzip2 filelist bomb
And for the interesting part: every operator that uses old clients that aren't updated, like CrzDC++, Zion++, etc. You guys know what I'm talking about. YES, YOU ARE EXPLOITABLE.
As for the standard complaint that "I don't want a Strong-based client", well, consider this: Zion++ > 2.03 is Strong with minor modifications on top of it.
CrzDC++, doubt it hasn't gotten StrongDC++ since it uses CMD, so I doubt that operators will know the difference if they apply their icon theme to the client. If they are heavily into operator features, I recommend RSX++.
And as for all the new stuff that we are doing, well, if you wanna use it you have to update, like Nattrav (Passive-Passive) connections. So make sure your client is based off a fresh core....
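For the bzip2 filelist bomb item above, an added example (not part of the original post and not DC++ code) of the usual defence: decompress a received filelist incrementally and stop once output passes a size cap. The function name, exception name and the 64 MiB cap are assumptions chosen for illustration.

```python
import bz2

# Assumed cap on decompressed filelist size; tune to what the client can handle.
MAX_FILELIST_BYTES = 64 * 1024 * 1024
CHUNK = 64 * 1024  # most output accepted per decompress() call


class FilelistTooLarge(Exception):
    """Decompressed filelist exceeded the configured cap."""


def safe_decompress_filelist(data: bytes, limit: int = MAX_FILELIST_BYTES) -> bytes:
    """Decompress a bzip2 filelist, refusing output larger than `limit` bytes."""
    decomp = bz2.BZ2Decompressor()
    out = bytearray()
    pending = data
    while not decomp.eof:
        # Ask for at most one byte past the remaining budget, so an oversized
        # stream is detected without ever buffering much more than `limit`.
        budget = limit - len(out) + 1
        piece = decomp.decompress(pending, max_length=min(CHUNK, budget))
        pending = b""  # all input was handed over on the first call
        out += piece
        if len(out) > limit:
            raise FilelistTooLarge(f"filelist expands past {limit} bytes")
        if not piece and not decomp.eof:
            # No output and no end-of-stream marker: the input was cut short.
            raise ValueError("truncated bzip2 stream")
    if decomp.unused_data:
        raise ValueError("unexpected data after end of bzip2 stream")
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample inputs: a small filelist and a highly compressible blob.
    ok = bz2.compress(b"<FileListing/>" * 1000)
    print(len(safe_decompress_filelist(ok)), "bytes accepted")
    bomb = bz2.compress(b"\0" * (8 * 1024 * 1024))
    try:
        safe_decompress_filelist(bomb, limit=1024 * 1024)
    except FilelistTooLarge as exc:
        print(len(bomb), "compressed bytes rejected:", exc)
```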