Vulnerability disclosure: remote code execution in Scripting Plugin

A new version of the Scripting DC Plugin has been released today, fixing a serious vulnerability that allows attackers to remotely execute any code on the host system running any DC client compatible with DC Plugins, such as DC++. The vulnerability can lead to various security issues; for example, it makes it possible for the attacker to acquire any files from the host’s mounted filesystems.

For successful exploitation, Scripting Plugin version 1.0 has to be installed AND enabled in a DC client version that supports DC Plugins. DC clients that do not have this particular plugin installed (or have it installed but disabled) are NOT vulnerable.

For users running Scripting Plugin version 1.0 it is highly recommended to upgrade to version 1.10 as soon as possible to get protected from this vulnerability.

Please note that a vulnerable function named LuaExec has been completely removed from the plugin’s scripting API and that this release also updates the internal Lua engine to the latest version. Both changes may cause incompatibilities with existing custom Lua user scripts.

We’d like to thank RoLex of Team Elite for reporting, sharing proof of concept and recommending fixes for this issue.

DC++ 0.881 is out

A new DC++ release has been made available to download this week. Version 0.881 continues to be a largely code maintenance release, however, this time it also comes with some improvements on the user interface as well.

First and foremost, with this release DC++ moves to a modern compiler platform that produces an executable that should be considered secure and acceptable by modern Windows versions in the long term, with their default security settings. Since these defaults can change and become stricter at any time, it is highly recommended for users running Windows 11 to upgrade their DC++ to version 0.881.

There’s also a revamp of many icons throughout the user interface, which makes DC++ a better visual fit for modern Windows themes. An away status indicator overlay has also been added to the taskbar icon. The look of the list of users and their details in the Users window has been modernized as well; more improvements of this kind are to come in the next release.

The optimized (64-bit) build is now compiled with use of SSE4.2 CPU instructions making further improvements in performance for those with capable hardware. We still provide a legacy (32-bit) build for users with older computers.

Plenty of supporting libraries that DC++ has built in have also been upgraded to the latest and greatest versions, improving security and stability.

There are also many less important or unlisted improvements; for a complete list of fixes as always please refer to the changelog or the list of commits.

As usual, the availability of this new testing release will be advertised at the start of the program for a small set of the userbase from now. If no bigger problems are reported, DC++ 0.881 will be set as a stable release within a few weeks.

DC++ 0.880 is out

The first DC++ release that brings a few notable changes since last fall’s version 0.870 has been made available to download this week. Version 0.880 marks the start of a new era, an active maintenance mode if you like, that we announced roughly a year ago. In line with that, no significant new functional improvements are to be expected in the foreseeable future – we focus on possible speed and resource optimizations, bug fixes, compatibility, and keeping the program up to date security-wise. So finally you get the first pack of those improvements with DC++ 0.880.

Here are the most important changes, the already announced ones listed first:

  • DC++ is being released under GPLv3 from now.
  • Binary distributions are split into optimized and legacy builds, with corresponding hardware requirements.
  • Used a new, updated compiler version for better performance, which allowed optimizations for speed, compatibility with modern Windows versions and more.
  • This version introduces a new stable hublist server.
  • Fully restored the use of an up-to-date GeoIP country database service, the one that allows you to see what country a DC user is from, determined by their IP address. Country info display was absent or relied on a pretty outdated static database in the last few years, so this goes back to normal from now.
  • Hublist caching has changed according to the joint proposal of all hublist server owners: downloaded cached lists are set to expire in 24 hours from now by default. But this simple method alone would break the original purpose of the hublist caching function, which was introduced years ago to help users find public DC hubs when hublist providers are out of service. So now we implemented a change with the original purpose in mind: cached lists are deleted only if a hublist refresh is successful. When a hublist download attempt fails or the resulting list is invalid, the proper cached copy of the hublist is kept (even indefinitely, e.g. when the source server is discontinued).
  • Added a safeguard to attempt outgoing ADC connections on IPv4 only if there’s no IPv6 connectivity available. So far this decision was based only on information coming from hubs which, in case of improper IP address information supply, could break transfers and searches in DC++. There is at least one ADC hub software that has such buggy behavior triggering the issue, so this change actually fixes existing problems already experienced in the wild.
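
The cache retention rule from the hublist caching item above, sketched in C++ as an added example (this is not DC++ source code). The type and function names and the simple validity check are assumptions made for illustration.

```cpp
#include <chrono>
#include <functional>
#include <string>

using Clock = std::chrono::system_clock;

// Hypothetical types for illustration; not taken from the DC++ code base.
struct HublistCache {
    bool present = false;        // is there a cached copy at all?
    std::string body;            // last known-good list
    Clock::time_point fetched;   // when that copy was downloaded
};

struct FetchResult {
    bool ok;                     // false: the transfer itself failed
    std::string body;
};

enum class Outcome { CacheFresh, CacheReplaced, StaleCacheKept, NoListAvailable };

const std::chrono::hours kCacheLifetime(24);

// Placeholder validity check (assumption): a real client parses the list fully.
bool looksLikeHublist(const std::string& body) {
    return body.find("<Hublist") != std::string::npos &&
           body.find("</Hublist>") != std::string::npos;
}

Outcome refreshHublist(HublistCache& cache,
                       const std::function<FetchResult()>& fetch,
                       Clock::time_point now) {
    // Within 24 hours the cached copy is used and the server is not contacted.
    if (cache.present && now - cache.fetched < kCacheLifetime)
        return Outcome::CacheFresh;

    FetchResult r = fetch();
    if (r.ok && looksLikeHublist(r.body)) {
        // Only a successful, valid download may displace the old copy.
        cache.present = true;
        cache.body = r.body;
        cache.fetched = now;
        return Outcome::CacheReplaced;
    }
    // Failed or invalid refresh: the expired copy is kept rather than deleted,
    // indefinitely if the source server never comes back.
    return cache.present ? Outcome::StaleCacheKept : Outcome::NoListAvailable;
}
```

An error page returned with a successful transfer is treated the same as a failed download, so it never overwrites the last good list.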

There are also a few less important or unlisted fixes improving security, stability and usability; for a complete list of fixes, as always, please refer to the changelog or the list of commits.

The availability of this new testing release will be advertised for a smaller set of users who are running the latest stable release of DC++. If no severe issues arise, DC++ 0.880 will be marked as stable within a few weeks.

DC++ license change

A quick but important notice: from version 0.880 (release imminent) and on DC++ will come with General Public License version 3. The license upgrade has been done with the written approval of Jacek Sieka, the original author and copyright holder of DC++.

This change is important for the future maintainability of DC++ since some external data sources and (future versions of) libraries (will) require a compatible license. The change should be equally important to projects using code from DC++ for the same reason.

DC++ 0.871 is out

A new testing version of DC++, 0.871 is pushed out today with only a few but very important updates of security and stability:

  • Fixed a bug, restoring web connections to certain servers with multiple hostnames, unfortunately including our SourceForge host server. This means that we’re unable to show the usual announcement of the available update at the start of previously released DC++ versions – therefore everyone should do the upgrade manually this time by visiting our official project host website’s download page. Please make sure, for your own safety, that you always download DC++ from the official site and not from other third-party websites that search engines may suggest.
  • Updated the secure connections library (OpenSSL), fixing a serious, rather easily exploitable issue that can allow malicious DoS attacks. This should certainly impact all released DC++ versions since 0.851, but older versions from the last 15 years might also be affected.
  • Added a new opt-out mechanism that from time to time informs a random subset of our userbase about possible new testing releases at the start of the program, similarly to how it is done for stable releases.

This important release should be marked as stable within a few days. Please everyone upgrade as soon as possible and due to the circumstances, this time, if you can, help us with encouraging others to do the same. Thank you!

DC++ 0.870 is out

Better late than never: years after the release of the previous version, a testing version of DC++ 0.870 is now available with various library updates for security and stability, mandatory TLS 1.2+ support, a revised selection of public hub lists, fixed GeoIP country display and numerous bug fixes, including one for a bug that has been present for at least 15 years.

The following are the most important, user observable improvements:

  • DC++ 0.870 and later will require TLS 1.2 or newer (currently only TLS 1.3)-based ADCS connections to hubs and other clients. This has already been announced before and is now done with this release.
  • GeoIP files aren’t deleted after an unsuccessful download, so a failed download no longer leaves the user without GeoIP data for the session. The country data display in the Transfer View and Search window is also fixed.

The complete list of changes for this new version is available here.

This release has gone through the usual testing cycle and should be marked as the new stable release within a few days.

Updating and using the newest, most secure DC clients is always important, so users who want to give the new release an early go can head over to the DC++ download page and do the upgrade now.

DC++ 0.868 is out and marked as stable

A year after the previous version, DC++ 0.868 is now available with various library updates (notably OpenSSL 1.1.1 with TLS 1.3 support) and a revised selection of public hub lists.

The list of public hubs that came with the client has been pretty much outdated for some time. A few previously listed servers are already defunct, while some have changed their web addresses. Therefore a refreshed list of secure and working hublist servers was long overdue. Many of these new public hublists will get auto-added to your collection upon the update to version 0.868 due to a change of policy regarding hublist server defaults. In the past, a change of default hublist servers was not reflected in the actual settings – you had to remove all existing server entries manually to get the updated defaults. This method, being deemed a bit cumbersome, has changed; in this release the addition will happen automatically, and it will be the same in case of any future changes as well. A “Reset hub lists” button is also available in the settings should you want to quickly clean up the list of servers and get back to the defaults.

With the OpenSSL library update, DC++ 0.868 introduces support for TLS version 1.3 and automatically prefers this newest secure communication standard when connecting to other DC clients and hubs. It has been decided to maintain backwards compatibility with the earlier versions of the protocol, similarly to most modern popular web browsers, until at least 2020.

Beyond the aforementioned feature updates, this is a maintenance release, with a few small updates here and there. There’s also a feature removal: support for the long defunct (and often criticised) Coral CDN network ended with this version.

Due to the useful features and security related fixes an immediate upgrade from earlier versions of DC++ is highly recommended.


DC++ 0.867 is out – Vulnerability disclosure

DC++ 0.867 has been released and also marked as the stable release. It fixes a serious remotely exploitable vulnerability that would crash the client if a malicious attacker sends trivially compilable malformed search result messages.

The victim should not need to initiate searches and the attacker should not need to be logged on to a hub for successful exploitation, although the obvious place for finding victims and collecting attack surface information is the DC hubs.

Clients configured to a working active connectivity mode are the easiest targets, especially when logged in to any kind of Direct Connect hubs. Theoretically exploits can be created for clients running in passive mode, too, using possible additional weaknesses in various hub software.

The vulnerability seems to exist as far back as version 0.671 (released in 2005) and in all newer releases up to DC++ 0.866. Many other DC clients based on dclib, the core library of DC++, and released over the last 12 years should be vulnerable, too.

The vulnerability report and details are now publicly available in the DC++ bug tracker. Updating and using the newest, most secure DC clients has never been more important, so the best everyone can do is to head over to the DC++ download page and upgrade as soon as possible.

DC++ 0.866

DC++ 0.866 is out. This release fixes a serious issue that allows remote denial of service attacks (ability to freeze the client remotely by any user of the connected hubs). Besides the hardened security, version 0.866 also improves UPnP port mapping which might fix certain issues with the automatic connectivity setup.

The details of the vulnerability will be disclosed as soon as 0.866 or any forthcoming DC++ release is marked as stable.

DC++ 0.865 is out and marked as stable

DC++ 0.865 has been released with updated zlib and OpenSSL libraries. The compression issue found in the previous version has been fixed; therefore upgrading to version 0.865 is highly recommended.