[Sec] Incorrectly formed ADCGet cause remote crash


Post by Pretorian » 01 Feb 2013, 23:21

DC++ NULL Pointer Remote Denial of Service Vulnerability is a remote crash report submitted by Crise.

See cologic's report and his follow-up that clarifies the command.


Re: [Sec] Incorrectly formed ADCGet cause remote crash

Post by Pretorian » 01 Feb 2013, 23:34

The following is NOT posted to any other board as this already has a correct CVE number.
DC++ versions below 0.707 supporting the protocol command ADCGET can be remotely crashed.

Background
DC++ [1] is a chat and file sharing application for the Direct Connect [2] network.

DC++ uses the protocol Neo-Modus Direct Connect [3] and the command $ADCGET [4] to request files for download.

The command uses an identifier type, identifier (file reference), starting position for data streaming and the amount of bytes to request.

Security issue description

DC++ fails to validate that the identifier is empty, causing a subsequent invalid dereferencing.

The following command can be sent to cause a remote crash:
$ADCGET list //// 0 -1 ZL1|

See "DC++ NULL Pointer Remote Denial of Service Vulnerability" [5] for a reference to a report with CVE: CVE-2008-2953. See also [7] and [8] for additional information.

Fix description
A fix was deployed to DC++ 0.707 [6].

Exploits
Unknown.

Affected versions
Any client older than DC++ 0.707 that incorporates $ADCGet.

References
[1] http://dcplusplus.sourceforge.net/
[2] http://en.wikipedia.org/wiki/Direct_Con ... e_sharing)
[3] http://nmdc.sourceforge.net/NMDC.html
[4] http://nmdc.sourceforge.net/NMDC.html#_adcget
[5] http://www.securityfocus.com/bid/29924
[6] http://cvs.berlios.de/cgi-bin/viewcvs.c ... 14&r2=1.15
[7] https://dcpp.wordpress.com/2010/01/09/d ... isclosure/
[8] http://dcpp.wordpress.com/2011/09/08/ho ... -dc-0-674/
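
The kind of input check whose absence the post describes, as an added example (not code from DC++ or from the fix in [6]). It assumes whitespace-separated fields in the order the post lists, and treats an empty path segment ("//") in the identifier as an empty identifier; `AdcGet`, `parseInt` and `parseAdcGet` are hypothetical names.

```cpp
// Added example, not DC++ source. Field layout follows the post:
// $ADCGET <type> <identifier> <start> <bytes> [flags]|
#include <cerrno>
#include <cstdlib>
#include <sstream>
#include <string>

struct AdcGet {
    std::string type, identifier;
    long long start = 0, bytes = 0;
};

// Strict integer parse: the whole token must be a number, with no overflow.
static bool parseInt(const std::string& s, long long& out) {
    if (s.empty()) return false;
    errno = 0;
    char* end = nullptr;
    out = std::strtoll(s.c_str(), &end, 10);
    return errno == 0 && *end == '\0';
}

// Returns true only when every field is present and sane. On false the
// caller rejects the request before any lookup uses the identifier.
bool parseAdcGet(const std::string& line, AdcGet& out) {
    const std::string prefix = "$ADCGET ";
    if (line.size() <= prefix.size()) return false;
    if (line.compare(0, prefix.size(), prefix) != 0) return false;
    if (line.back() != '|') return false;  // NMDC commands end with '|'
    std::istringstream in(
        line.substr(prefix.size(), line.size() - prefix.size() - 1));
    std::string start, bytes;
    // Missing fields make the extraction fail, so no token is ever empty.
    if (!(in >> out.type >> out.identifier >> start >> bytes)) return false;
    // Assumption: a "//" run is an empty path segment that names nothing.
    if (out.identifier.find("//") != std::string::npos) return false;
    if (!parseInt(start, out.start) || out.start < 0) return false;
    // -1 is the byte count used in the post's sample; lower values are rejected.
    if (!parseInt(bytes, out.bytes) || out.bytes < -1) return false;
    return true;
}
```

A caller that gets `false` should drop the request rather than pass the identifier on to a share or file-list lookup.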
