DC++ NULL Pointer Remote Denial of Service Vulnerability is a remote crash report submitted by Crise.
See cologic's report and his follow up that clarifies the command
[Sec] Incorrectly formed ADCGet cause remote crash
-
- Site Admin
- Posts: 214
- Joined: 21 Jul 2009, 10:21
-
- Site Admin
- Posts: 214
- Joined: 21 Jul 2009, 10:21
Re: [Sec] Incorrectly formed ADCGet cause remote crash
The following is NOT posted to any other board as this already have a correct CVE number.
DC++ versions below 0.707 supporting the protocol command ADCGET can be remotely crashed
Background
DC++ [1] is a chat and file sharing application for the Direct Connect [2] network.
DC++ uses the protocol Neo-Modus Direct Connect [3] and the command $ADCGET [4] to request files for download.
The command uses a identifier type, identifier (file reference), starting position for data streaming and the amount of bytes to request.
Security issue description
DC++ fails to validate that the identifier is empty, causing a subsequent invalid derefencing.
The following command can be sent to a cause a remote crash;
$ADCGET list //// 0 -1 ZL1|
See "DC++ NULL Pointer Remote Denial of Service Vulnerability" [5] for a reference to a report with CVE: CVE-2008-2953. See also [7] and [8] for additional informatin.
Fix description
A fix was deployed to DC+ 0.707 [6].
Exploits
Unknown.
Affected versions
Any client older than DC++ 0.707 that incorporate $ADCGet.
References
[1] http://dcplusplus.sourceforge.net/
[2] http://en.wikipedia.org/wiki/Direct_Con ... e_sharing)
[3] http://nmdc.sourceforge.net/NMDC.html
[4] http://nmdc.sourceforge.net/NMDC.html#_adcget
[5] http://www.securityfocus.com/bid/29924
[6] http://cvs.berlios.de/cgi-bin/viewcvs.c ... 14&r2=1.15
[7] https://dcpp.wordpress.com/2010/01/09/d ... isclosure/
[8] http://dcpp.wordpress.com/2011/09/08/ho ... -dc-0-674/