linuxdcpp-team team mailing list archive
Message #08463
[Bug 1502650] Re: DC++ 0.851 - Arbitrary code execution
I'll attempt to clarify a few things (after some testing).
It is possible to create any form of link that will appear in DC++, e.g.
writing "foo://bar" will cause DC++ to show a clickable link. The only
way to execute that link from basic out-of-the-box behaviour is that the
user is required to double-click this link for it to execute. What
happens is that any unknown URI gets passed to ::ShellExecute, which is
just letting Windows handle everything. This means that any Windows will
then find the appropriate URI handler (in file://'s case, it's Windows
Explorer) and let that take care of everything. So I do not think that
this is specifically related to UNC paths or any particular one
protocol.
In Chrome and Internet Explorer, following this type of link in a
webpage (i.e. a href) will cause prompt dialogs for the user, asking
them whether they want to keep or execute the file ("it may harm you").
After the user agrees to the security risk, the browsers do the same
thing as DC++.
There is no such protection or prompts in DC++, which is (what I
believe) the true bug report here. It is very advisable to include
such protection, even if it is simply an "are you sure you want to do
this" type of dialog and then just continuing on. This prompt should be
done ASAP in any case.
I could not see how a plugin is of any relevance, except for the fact
that plugins may be implemented to ALSO do a non-check on link
execution. I believe this is difficult to impossible to prevent. If
plugin authors decide to implement (automatic) link management in such a
way, it is up to them to prevent it as such.
--
You received this bug notification because you are a member of
Dcplusplus-team, which is subscribed to DC++.
https://bugs.launchpad.net/bugs/1502650
Title:
DC++ 0.851 - Arbitrary code execution
Status in DC++:
New
Bug description:
Details and PoC:
http://kacperrybczynski.com/research/dcpp_851_arbitrary_code_execution/
By supplying a UNC path in the *.dcext plugin file or main/pm hub
chat, a remote file will be automatically downloaded, which can result
in arbitrary code execution.
To manage notifications about this bug go to:
https://bugs.launchpad.net/dcplusplus/+bug/1502650/+subscriptions
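An added example, not part of the original message and not DC++'s own code: one way to gate a double-clicked chat link before it is handed to ::ShellExecute, so that unknown schemes such as foo://bar get the prompt the message asks for. The names `LinkAction`, `uriScheme` and `classifyLink`, the http/https allowlist, and the choice to refuse file:// and UNC paths outright (stricter than a prompt) are assumptions for illustration.

```cpp
#include <cctype>
#include <set>
#include <string>

// Hypothetical policy outcome for a link the user double-clicked in chat.
enum class LinkAction { Open, Confirm, Block };

// Extract the lower-cased URI scheme (RFC 3986: ALPHA *(ALPHA / DIGIT / "+" / "-" / ".")).
// Returns an empty string when the text has no well-formed scheme.
std::string uriScheme(const std::string& link) {
    const auto colon = link.find(':');
    if (colon == std::string::npos || colon == 0) return "";
    if (!std::isalpha(static_cast<unsigned char>(link[0]))) return "";
    std::string scheme;
    for (std::size_t i = 0; i < colon; ++i) {
        const unsigned char c = static_cast<unsigned char>(link[i]);
        if (!std::isalnum(c) && c != '+' && c != '-' && c != '.') return "";
        scheme += static_cast<char>(std::tolower(c));
    }
    return scheme;
}

// Decide what to do with a link before it reaches the OS URI handler.
LinkAction classifyLink(const std::string& link) {
    // Assumed allowlist: schemes opened without asking.
    static const std::set<std::string> direct = {"http", "https"};
    // UNC paths (\\host\share or //host/share) carry no scheme; refuse them (assumed policy).
    if (link.rfind("\\\\", 0) == 0 || link.rfind("//", 0) == 0) return LinkAction::Block;
    const std::string scheme = uriScheme(link);
    if (scheme.empty()) return LinkAction::Block;      // not a URI at all
    if (scheme.size() == 1) return LinkAction::Block;  // "C:\..." is a drive path, not a scheme
    if (scheme == "file") return LinkAction::Block;    // would be handed to Windows Explorer
    if (direct.count(scheme)) return LinkAction::Open;
    return LinkAction::Confirm;  // unknown handler: show an "are you sure" dialog first
}
```

The caller would invoke the OS handler only for `Open`, or for `Confirm` after the user accepts the dialog.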