[Sec] Remote crash with multiple magnet links


Post by Pretorian » 01 Feb 2013, 23:14

The following was submitted to http://www.securityfocus.com/archive/1
DC++ 0.797 and 0.799 can be remotely crashed by posting multiple magnet links in one message

Background
DC++ [1] is a chat and file sharing application for the Direct Connect [2] network.

DC++ registers the URI scheme 'magnet' [3] in Microsoft Windows. A user may post a magnet link in the chat and it will appear for other users; such a message is carried like any other chat message.

Security issue description
DC++ 0.797 and 0.799 changed the way a magnet link appears, which causes a problem in the parsing engine when multiple magnet links in one message are shown.

A magnet link is sent in the form of:
magnet:?xt=urn:tree:tiger:H5K2DYQC7U2H6DVGRPLCSNC3MH2UXBDWIKAMFEY&xl=413253784&dn=foobar.iso

DC++ changes its appearance and displays it to the user as:
foobar.iso (magnet)

A message containing multiple magnet links can crash DC++ 0.797 and 0.799 remotely, without any other user interaction: the receiving client only has to display the message.

A test message can be in the form of:
Test: magnet:?xt=urn:tree:tiger:H5K2DYQC7U2H6DVGRPLCSNC3MH2UXBDWIKAMFEY&xl=413253784&dn=foobar.iso magnet:?xt=urn:tree:tiger:GNPE66SMDITMA6JXLWCTCRDSY7ALZXLJJWYKLAA&xl=3540652293&dn=foobar2.iso
This will appear as:
Test: foobar.iso (magnet) foobar2.iso (magnet)

Fix description
A fix was committed to the DC++ source code in Bazaar revision 3019. The fix is included in DC++ 0.800.

Exploits
As the initial bug report [4] mentions, this has been observed in the wild. Whether there was any malicious intent is unknown.

Affected versions
DC++ 0.797 and 0.799. Modified clients derived from these versions of the DC++ source code may also have this issue.

Found by: Skip de Groot (https://launchpad.net/~skipdegroot)
Fixed by: poy (https://launchpad.net/~poy)

References
[1] http://dcplusplus.sourceforge.net/
[2] http://en.wikipedia.org/wiki/Direct_Con ... e_sharing)
[3] http://en.wikipedia.org/wiki/Magnet_URI_scheme
[4] https://bugs.launchpad.net/dcplusplus/+bug/1032227
[5] http://dcpp.wordpress.com/2012/10/06/ma ... 785-0-799/
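Below is an added example of the rewriting step the advisory describes (magnet URI in, "name (magnet)" out), handling the multi-link case that crashed 0.797 and 0.799. It is not DC++ code and says nothing about what the actual bug in DC++ was; it only shows one robust way to do the rewrite. Assumptions made here: magnet URIs in chat are whitespace-delimited tokens, '+' in a parameter value decodes to a space, and falling back to the xt value when dn is missing is this example's own choice rather than documented DC++ behaviour.

```cpp
#include <cctype>
#include <iostream>
#include <string>
#include <utility>
#include <vector>

// Percent-decode a magnet parameter value. '+' is treated as a space,
// which is how a "dn" display name is commonly encoded (assumption).
std::string percentDecode(const std::string& in) {
    std::string out;
    out.reserve(in.size());
    for (size_t i = 0; i < in.size(); ++i) {
        unsigned char c = static_cast<unsigned char>(in[i]);
        if (c == '+') {
            out += ' ';
        } else if (c == '%' && i + 2 < in.size()
                   && std::isxdigit(static_cast<unsigned char>(in[i + 1]))
                   && std::isxdigit(static_cast<unsigned char>(in[i + 2]))) {
            out += static_cast<char>(std::stoi(in.substr(i + 1, 2), nullptr, 16));
            i += 2;
        } else {
            out += in[i];
        }
    }
    return out;
}

// Split "xt=...&xl=...&dn=..." into (key, decoded value) pairs.
// Malformed pieces (no '=', or empty) never throw; they are kept or dropped.
std::vector<std::pair<std::string, std::string>> parseQuery(const std::string& query) {
    std::vector<std::pair<std::string, std::string>> params;
    size_t start = 0;
    while (start <= query.size()) {
        size_t amp = query.find('&', start);
        if (amp == std::string::npos) amp = query.size();
        std::string kv = query.substr(start, amp - start);
        size_t eq = kv.find('=');
        if (eq != std::string::npos) {
            params.emplace_back(kv.substr(0, eq), percentDecode(kv.substr(eq + 1)));
        } else if (!kv.empty()) {
            params.emplace_back(kv, std::string());
        }
        start = amp + 1;
    }
    return params;
}

// Render one magnet URI as "<dn> (magnet)", the form the advisory shows.
// Falling back to the xt value when dn is absent is this example's own choice.
std::string displayMagnet(const std::string& uri) {
    static const std::string prefix = "magnet:?";
    std::string name, hash;
    for (const auto& kv : parseQuery(uri.substr(prefix.size()))) {
        if (kv.first == "dn" && name.empty()) name = kv.second;
        else if (kv.first == "xt" && hash.empty()) hash = kv.second;
    }
    if (name.empty()) name = hash.empty() ? uri : hash;
    return name + " (magnet)";
}

// Rewrite every whitespace-delimited magnet URI in a chat message.
// The result is built in a fresh string: rewriting one link never shifts
// the offsets still needed to find the next one, so one, two or a hundred
// links in a single message all take the same path.
std::string rewriteMagnets(const std::string& message) {
    static const std::string prefix = "magnet:?";
    std::string out;
    size_t pos = 0;
    while (pos < message.size()) {
        size_t hit = message.find(prefix, pos);
        if (hit == std::string::npos) break;
        // Only treat the prefix as a link when it starts a token.
        if (hit > 0 && !std::isspace(static_cast<unsigned char>(message[hit - 1]))) {
            out.append(message, pos, hit + prefix.size() - pos);
            pos = hit + prefix.size();
            continue;
        }
        size_t end = hit;
        while (end < message.size() && !std::isspace(static_cast<unsigned char>(message[end]))) ++end;
        out.append(message, pos, hit - pos);
        out += displayMagnet(message.substr(hit, end - hit));
        pos = end;
    }
    out.append(message, pos, std::string::npos);
    return out;
}

int main() {
    // Constructed sample: the two-link test message quoted in the advisory.
    const std::string msg =
        "Test: magnet:?xt=urn:tree:tiger:H5K2DYQC7U2H6DVGRPLCSNC3MH2UXBDWIKAMFEY&xl=413253784&dn=foobar.iso"
        " magnet:?xt=urn:tree:tiger:GNPE66SMDITMA6JXLWCTCRDSY7ALZXLJJWYKLAA&xl=3540652293&dn=foobar2.iso";
    std::cout << rewriteMagnets(msg) << '\n';
    return 0;
}
```

Compiled stand-alone, main() prints the advisory's expected rendering, "Test: foobar.iso (magnet) foobar2.iso (magnet)". The design point worth taking from it is the separation of scanning the original text from producing the rewritten text: the scanner only ever reads the unmodified input, and the output grows in a separate buffer, which is what keeps a second, third or hundredth link from reading or writing through positions that an earlier rewrite has already moved.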
