lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Fri, 1 Feb 2013 22:42:44 GMT
From: ullner@...il.com
To: bugtraq@...urityfocus.com
Subject: DC++ 0.802 and below incorrectly registers URI schemes in Windows

DC++ 0.802 and below incorrectly registers URI schemes in Windows

Background
DC++ [1] is a chat and file sharing application for the Direct Connect [2] network.

DC++ registers three URI schemes in Microsoft Windows; dchub, adc and magnet. Microsoft outlines the approach in 'Registering an Application to a URI scheme' [3].

Security issue description
DC++ 0.802 and below registers the application in the registry key "HKEY_CURRENT_USER/Software/Classes/adc/Shell/Open/Command" (for adc, likewise for dchub and magnet). DC++ registers the application with the following command;
"C:\Program Files (x86)\DC++\DCPlusPlus.exe" %1
(where the path mentioned is where DC++ is installed)

Microsoft notes in the 'launching the handler' section that an application should register itself with quotation marks around the parameter that is passed to the application. DC++ 0.802 and below do not do this, as shown above. Microsoft specifies that the proper registration should look like;
"C:\Program Files (x86)\DC++\DCPlusPlus.exe" "%1"

Microsoft notes in the same article potential attack vectors and potential formatting problems.

Fix description
A fix was deployed to the DC++ source control on 4th of January, 2013 [4], with the suggested changes from Microsoft. This fix is in DC++ 0.810.

Exploits
No known attacks or exploits are reported at this time.

Affected versions: 0.802 and below. Additionally, any modification of the application may be affected.

Found and fixed by: Fredrik Ullner <ullner at gmail.com>

References
[1] http://dcplusplus.sourceforge.net/
[2] http://en.wikipedia.org/wiki/Direct_Connect_(file_sharing)
[3] http://msdn.microsoft.com/en-us/library/aa767914.aspx
[4] http://bazaar.launchpad.net/~dcplusplus-team/dcplusplus/trunk/revision/3166
[5] http://sourceforge.net/projects/dcplusplus/files/DC%2B%2B%200.810/DCPlusPlus-0.810.exe/download?utm_expid=65835818-0&utm_referrer=http%3A%2F%2Fdcplusplus.sourceforge.net%2Fdownload.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ