linuxdcpp-team team mailing list archive

Thread
Date

[Bug 1502650] Re: DC++ 0.851 - Arbitrary code execution

To: linuxdcpp-team@xxxxxxxxxxxxxxxxxxx
From: Kacper <1502650@xxxxxxxxxxxxxxxxxx>
Date: Sun, 04 Oct 2015 20:12:01 -0000
Reply-to: Bug 1502650 <1502650@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Regarding to "UNC paths" its only example of exploit vector, not main
problem.

What Fredrik wrote makes seanse. Lack of prompt on click maybe can solve
the problem. But please remember that ::ShellExecute scheme/link have
permissions from parent DC++ process (process explorer on screen post
#1) which also may have a security risk for DC++ users.

I think good improvement is create scheme whitelist; (
http://,https://,dchub:// )

Regards

-- 
You received this bug notification because you are a member of
Dcplusplus-team, which is subscribed to DC++.
https://bugs.launchpad.net/bugs/1502650

Title:
  DC++ 0.851 - Arbitrary code execution

Status in DC++:
  New

Bug description:
  Details and PoC:
  http://kacperrybczynski.com/research/dcpp_851_arbitrary_code_execution/

  By supplying an UNC path in the *.dcext plugin file or main/pm hub
  chat, a remote file will be automatically downloaded, which can result
  in arbitrary code execution.

To manage notifications about this bug go to:
https://bugs.launchpad.net/dcplusplus/+bug/1502650/+subscriptions

References

[Bug 1502650] [NEW] DC++ 0.851 - Arbitrary code execution
From: Kacper, 2015-10-04