
linuxdcpp-team team mailing list archive

[Bug 1502650] Re: DC++ 0.851 - Arbitrary code execution

 

from what I understand by reading
<http://blogs.technet.com/b/srd/archive/2015/02/10/ms15-011-amp-ms15-014-hardening-group-policy.aspx>,
this is well mitigated by the "UNC Hardened Access" feature that has
been introduced.

"Even 3rd party applications and services can take advantage of this new
feature without additional code changes; simply add the necessary
configuration details in Group Policy. If a UNC Provider is able to
establish a connection to the specified server that meets the required
security properties, then the application/service will be able to open
handles as normal; if not, opening handles would fail, thus preventing
insecure access to the remote server."

on the actual issue (whether DC++ should allow clicking on UNC paths), I
have no opinion - maybe people in local networks actually enjoy pasting
links to files stored on some shared network server?

this would need input from others, but from what I have gathered, the
security issue has been fixed in Windows itself so I see no reason to
block these links as they can have legit uses.

-- 
You received this bug notification because you are a member of
Dcplusplus-team, which is subscribed to DC++.
https://bugs.launchpad.net/bugs/1502650

Title:
  DC++ 0.851 - Arbitrary code execution

Status in DC++:
  New

Bug description:
  Details and PoC:
  http://kacperrybczynski.com/research/dcpp_851_arbitrary_code_execution/

  By supplying a UNC path in the *.dcext plugin file or main/pm hub
  chat, a remote file will be automatically downloaded, which can result
  in arbitrary code execution.

To manage notifications about this bug go to:
https://bugs.launchpad.net/dcplusplus/+bug/1502650/+subscriptions
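
Added example, not part of the original message and not DC++ code: one way a chat client could recognise link targets that resolve to a remote UNC host before rendering them as clickable, which is the behaviour this thread debates. The names `uncHost` and `safeToAutoLink` and the sample targets in `main` are assumptions made for illustration.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>

// Case-insensitive ASCII prefix test.
static bool hasPrefix(const std::string& s, const std::string& p) {
    return s.size() >= p.size() &&
           std::equal(p.begin(), p.end(), s.begin(), [](char a, char b) {
               return std::tolower((unsigned char)a) == std::tolower((unsigned char)b);
           });
}

// Text from pos up to the next backslash (or end of string).
static std::string component(const std::string& s, size_t pos) {
    if (pos >= s.size()) return "";
    return s.substr(pos, s.find('\\', pos) - pos);
}

// Hypothetical helper: returns the remote host that opening `target`
// would contact, or "" when the target is not UNC-style.
std::string uncHost(std::string s) {
    std::replace(s.begin(), s.end(), '/', '\\');  // Windows accepts either separator
    if (hasPrefix(s, "file:")) {
        size_t n = 5;
        while (n < s.size() && s[n] == '\\') ++n;
        // file:///C:/x (three slashes) is local; two, or four and more, name a host.
        if (n - 5 < 2 || n - 5 == 3) return "";
        std::string host = component(s, n);
        return (host.size() == 9 && hasPrefix(host, "localhost")) ? "" : host;
    }
    if (hasPrefix(s, "\\\\?\\UNC\\") || hasPrefix(s, "\\\\.\\UNC\\"))
        return component(s, 8);                   // device form of a UNC path
    if (hasPrefix(s, "\\\\?\\") || hasPrefix(s, "\\\\.\\"))
        return "";                                // local device path such as \\?\C:\x
    if (hasPrefix(s, "\\\\")) return component(s, 2);
    return "";
}

// Policy sketch: auto-link a target only when it names no remote UNC host;
// anything else stays plain text or goes through a confirmation prompt.
bool safeToAutoLink(const std::string& target) { return uncHost(target).empty(); }

int main() {
    // Constructed sample targets, as they might appear in a chat line.
    for (const char* t : {"\\\\fileserver\\share\\doc.txt", "file:///C:/notes.txt",
                          "file://fileserver/share/doc.txt", "dchub://hub.example:411"})
        std::cout << t << " -> " << (safeToAutoLink(t) ? "link" : "plain text") << "\n";
}
```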