DC++ 0.797 and 0.799 can be remotely crashed by posting multiple magnet links in one message
Background
DC++ [1] is a chat and file sharing application for the Direct Connect [2] network.
DC++ registers the URI scheme 'magnet' [3] in Microsoft Windows. A user may post a magnet link in the chat and it will appear for other users. This message is like any other chat message.
Security issue description
DC++ 0.797 and 0.799 change the way a magnet link appears, which causes a problem in the parsing engine when multiple messages are shown.
A magnet link is sent in the form of:
magnet:?xt=urn:treeH5K2DYQC7U2H6DVGRPLCSNC3MH2UXBDWIKAMFEY&xl=413253784&dn=foobar.iso
DC++ changes the appearance and displays it to the user as:
foobar.iso (magnet)
Using multiple magnet links can cause DC++ 0.797 and 0.799 to be crashed remotely, without any other user interaction.
A test message can be in the form of:
Test: magnet:?xt=urn:treeH5K2DYQC7U2H6DVGRPLCSNC3MH2UXBDWIKAMFEY&xl=413253784&dn=foobar.iso magnet:?xt=urn:treeGNPE66SMDITMA6JXLWCTCRDSY7ALZXLJJWYKLAA&xl=3540652293&dn=foobar2.iso
This will appear as:
Test: foobar.iso (magnet) foobar2.iso (magnet)
Fix description
A fix was deployed to the DC++ source code in Bazaar revision 3019. This fix is in DC++ 0.800.
Exploits
As the initial bug report [4] mentions, this was found out in the open. However, any malicious intent is unknown.
Affected versions
DC++ 0.797 and 0.799. Any modifications to the software may also have this issue.
Found by: Skip de Groot (https://launchpad.net/~skipdegroot)
Fixed by: poy (https://launchpad.net/~poy)
References
[1] http://dcplusplus.sourceforge.net/
[2] http://en.wikipedia.org/wiki/Direct_Con ... e_sharing)
[3] http://en.wikipedia.org/wiki/Magnet_URI_scheme
[4] https://bugs.launchpad.net/dcplusplus/+bug/1032227
[5] http://dcpp.wordpress.com/2012/10/06/ma ... 785-0-799/
[Sec] Remote crash with multiple magnet links
The following was submitted to http://www.securityfocus.com/archive/1
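The display rewrite described in the advisory ("<dn> (magnet)" for every link in a message), as an added C++ example that is not DC++ code and does not reproduce the fix in revision 3019. The advisory does not state the root cause; this sketch only shows one way to handle several links safely by reading from the unmodified input and writing to a separate buffer. The function names `magnet_param` and `format_magnets` are hypothetical, a link is assumed to end at whitespace, and `dn` is not percent-decoded.

```cpp
#include <iostream>
#include <string>

// Hypothetical helper: value of query parameter `key` in a magnet URI,
// or an empty string when the parameter is absent.
static std::string magnet_param(const std::string& uri, const std::string& key) {
    std::string::size_type pos = uri.find('?');
    while (pos != std::string::npos && pos + 1 < uri.size()) {
        std::string::size_type start = pos + 1;
        std::string::size_type end = uri.find('&', start);
        std::string kv = uri.substr(
            start, end == std::string::npos ? std::string::npos : end - start);
        std::string::size_type eq = kv.find('=');
        if (eq != std::string::npos && kv.compare(0, eq, key) == 0)
            return kv.substr(eq + 1);
        pos = end;  // npos ends the loop
    }
    return std::string();
}

// Rewrite every magnet link in `msg` as "<dn> (magnet)". All offsets index
// the immutable input, so an earlier replacement can never shift or
// invalidate the position of a later link.
std::string format_magnets(const std::string& msg) {
    std::string out;
    std::string::size_type cur = 0;
    while (cur < msg.size()) {
        std::string::size_type begin = msg.find("magnet:?", cur);
        if (begin == std::string::npos) break;
        std::string::size_type end = msg.find_first_of(" \t\r\n", begin);
        if (end == std::string::npos) end = msg.size();
        std::string uri = msg.substr(begin, end - begin);
        std::string name = magnet_param(uri, "dn");
        out.append(msg, cur, begin - cur);  // text before the link
        if (name.empty()) {
            out.append(uri);                // no display name: leave as sent
        } else {
            out.append(name);
            out.append(" (magnet)");
        }
        cur = end;
    }
    out.append(msg, cur, std::string::npos);  // trailing text
    return out;
}

int main() {  // constructed sample message
    std::cout << format_magnets("a magnet:?xt=x&dn=one.iso b magnet:?dn=two.iso") << "\n";
}
```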