Page 1 of 1

[Sec] Incorrect URI scheme registration

Posted: 01 Feb 2013, 23:13
by Pretorian
The following was submitted to http://www.securityfocus.com/archive/1
DC++ 0.802 and below incorrectly registers URI schemes in Windows

Background
DC++ [1] is a chat and file sharing application for the Direct Connect [2] network.

DC++ registers three URI schemes in Microsoft Windows; dchub, adc and magnet. Microsoft outlines the approach in 'Registering an Application to a URI scheme' [3].

Security issue description
DC++ 0.802 and below registers the application in the registry key "HKEY_CURRENT_USER/Software/Classes/adc/Shell/Open/Command" (for adc, likewise for dchub and magnet). DC++ registers the application with the following command;
"C:\Program Files (x86)\DC++\DCPlusPlus.exe" %1
(where the path mentioned is where DC++ is installed)

Microsoft notes in the 'launching the handler' section that an application should register itself with quotation marks around the parameter that is passed to the application. DC++ 0.802 and below do not do this, as shown above. Microsoft specifies that the proper registration should look like;
"C:\Program Files (x86)\DC++\DCPlusPlus.exe" "%1"

Microsoft notes in the same article potential attack vectors and potential formatting problems.

Fix description
A fix was deployed to the DC++ source control on 4th of January, 2013 [4], with the suggested changes from Microsoft. This fix is in DC++ 0.810.

Exploits
No known attacks or exploits are reported at this time.

Found and fixed by: Fredrik Ullner <ullner at gmail.com>

References
[1] http://dcplusplus.sourceforge.net/
[2] http://en.wikipedia.org/wiki/Direct_Con ... e_sharing)
[3] http://msdn.microsoft.com/en-us/library/aa767914.aspx
[4] http://bazaar.launchpad.net/~dcplusplus ... ision/3166
[5] http://sourceforge.net/projects/dcplusp ... nload.html