[Sec] Incorrect URI scheme registration
Posted: 01 Feb 2013, 23:13
The following was submitted to http://www.securityfocus.com/archive/1
DC++ 0.802 and below incorrectly registers URI schemes in Windows
DC++  is a chat and file sharing application for the Direct Connect  network.
DC++ registers three URI schemes in Microsoft Windows; dchub, adc and magnet. Microsoft outlines the approach in 'Registering an Application to a URI scheme' .
Security issue description
DC++ 0.802 and below registers the application in the registry key "HKEY_CURRENT_USER/Software/Classes/adc/Shell/Open/Command" (for adc, likewise for dchub and magnet). DC++ registers the application with the following command;
"C:\Program Files (x86)\DC++\DCPlusPlus.exe" %1
(where the path mentioned is where DC++ is installed)
Microsoft notes in the 'launching the handler' section that an application should register itself with quotation marks around the parameter that is passed to the application. DC++ 0.802 and below do not do this, as shown above. Microsoft specifies that the proper registration should look like;
"C:\Program Files (x86)\DC++\DCPlusPlus.exe" "%1"
Microsoft notes in the same article potential attack vectors and potential formatting problems.
A fix was deployed to the DC++ source control on 4th of January, 2013 , with the suggested changes from Microsoft. This fix is in DC++ 0.810.
No known attacks or exploits are reported at this time.
Found and fixed by: Fredrik Ullner <ullner at gmail.com>
 http://en.wikipedia.org/wiki/Direct_Con ... e_sharing)
 http://bazaar.launchpad.net/~dcplusplus ... ision/3166
 http://sourceforge.net/projects/dcplusp ... nload.html