Why DC++ 0.674 is Insecure

Update 2017-10-21: Invalid ADC commands sent via UDP will crash the app, which DC++ 0.867 fixes, adds one more way to crash DC++ 0.674.

Update 2017-08-02: somehow, six (6) years later, this remains an issue. In that time, the actively developed DC++ and DC++-based clients one might try have become DC++ itself, ApexDC, AirDC++, and EiskaltDC++.

Furthermore, How to crash DC++ 0.674 describes more specifically how to remotely crash DC++ 0.674. It is strongly advised to update to a current version of an actively developed client.

Original post follows.

DC++ 0.674 remains surprisingly popular. However:

• It can be trivially remotely crashed by any other user on an NMDC hub via a client-client connection (fixed since DC++ 0.707).
• Filelists can be constructed to crash it (fixed since DC++ 0.760).
• It can both corrupt downloads and be caused to crash via bad TTH data (fixed since DC++ 0.762).
• Its bzip2 library version allows denial of service and arbitrary code execution (fixed since DC++ 0.780).
• Malformed usercommands can crash it (fixed since DC++ 0.782).

These reasons all apply to any vaguely modern client older than DC++ 0.707 (and the last three to clients through 0.75), actually, but 0.674 seems to have kept the most users of those old versions so I target it specifically. Instead, it’s much safer to use a currently-maintained client; if one prefers a pre-DC++ 0.7xx style GUI, one might look at StrongDC++ or any of its descendants.