DC++ 0.867 is out – Vulnerability disclosure

October 21, 2017 by 1 Comment

DC++ 0.867 has been released and also marked as the stable release. It fixes a serious remotely exploitable vulnerability that would crash the client if a malicious attacker sends trivially compilable malformed search result messages.

The victim should not need to initiate searches and the attacker should not need to be logged on to a hub for a successful exploitation altough the obvious place for finding victims and collecting attack surface information are the DC hubs.

Clients configured to a working active connectivity mode are the easiest targets, especially when logged in to any kind of Direct Connect hubs. Theoretically exploits can be created for clients running in passive mode, too, using possible additional weaknesses in various hub software.

The vulnerability seems to be exist as far back as in version 0.671 (released in 2005) and in all newer releases up to DC++ 0.866. Many other DC clients based on dclib, the core library of DC++ and released over the last 12 years should be vulnerable, too.

The vulnerability report and detalis are now publicly available in the DC++ bug tracker. Updating and using the newest, most secure DC clients has never been more important so the best everyone can do is to head over the DC++ download page and upgrade as soon as possible.

Filed under Clients, DC++, General, Release, Security

About emtee
I started to use DC using DC++ in 2003 when its version number was around 0.260. Since then I've been amazed by the DC network: a professional but still easy-to-use way of P2P file sharing. I was invited to the DC++ team in 2006 where - in the beginning - I had been doing user support and some testing only. A few years later I started to add small contributions to the DC++ code as well so for many years I'd been doing mostly bug fixes, testing, feature proposals and improvements. At the same time I worked on improving the documentation for both DC++ and ADCH++ as well. These days I'm trying to maintain the whole code and the infrastructure behind to keep these software secure and usable for a prolonged time. My ultimate goal is to help making the DC network as more user friendly as possible.

One Response to DC++ 0.867 is out – Vulnerability disclosure

  1. moblues1 says:
    January 30, 2019 at 8:00 pm

    DC++ 0.867 “can’t open large filelist” Any suggestions?

    Reply

Leave a Reply

Please log in using one of these methods to post your comment:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

%d bloggers like this: