DC++

Forbidden commands in ADC

Bug #1189975 reported by maksis on 2013-06-11

256

This bug affects 1 person

	Status	Importance	Assigned to
ADCH++	New	Undecided	Unassigned
ADCH++ Lan	New	Critical	Francisco Blas Izquierdo Riera (klondike)
DC++	Fix Released	High	Unassigned

Bug Description

When DC++ receives a STA message with code 25, it adds the command in to the list of forbidden outgoing commands. However, the client doesn't check that the STA message originates from the hub, so any other client could send malicious STA messages and prevent DC++ from sending any outgoing command via the hub. The fix is rather trivial.

I generally dislike the way how code 25 is handled, as DC++ doesn't notify the user when it blocks a command and neither when an outgoing command is disregarded right before sending.

Revision history for this message

Francisco Blas Izquierdo Riera (klondike) (klondike) wrote on 2013-06-12:

I can write a simple script to block these on ADCH++, has any of you managed to confirm this?

Revision history for this message

maksis (maksis) wrote on 2013-06-14:

As it seems that no one is unable to confirm this, I made an user command that will make all DC++ users unable to send main chat messages:
BSTA %[mySID] 225 Chatting\sdisabled FCBMSG

I also quickly looked at the other command handling code and that isn't the only command that isn't validated properly...

Disconnect all users by causing a decompression error:
BZON %[mySID] 123

Prompt all users for a password and prevent them from sending any outgoing commands after that (ADCH++ won't broadcast this but Flexhub and uhub will do that):
BGPA %[mySID] 123

Reset the session password from all users:
BSTA %[mySID] 223 Session\spass\sreset

Revision history for this message

maksis (maksis) wrote on 2013-06-14:

validation.patch Edit (1.4 KiB, text/plain)

Revision history for this message

poy (poy) wrote on 2013-06-17:

most commands the hub can avoid dispatching, except STA (it would have to peek into STA codes and do case-by-case handling) and ZON/ZOFF (extensions) for which i have applied (a slightly modified version of) this patch.

information type:	Private Security → Public Security
Changed in dcplusplus:
importance:	Undecided → High
status:	New → Fix Committed

Revision history for this message

Francisco Blas Izquierdo Riera (klondike) (klondike) wrote on 2013-06-17:

Added ADCH++ and ADCH++ lan we should provide a way to filter those whilst the patches roll out.

Changed in adchpp-lan:
assignee:	nobody → klondike (klondike)
importance:	Undecided → Critical

Revision history for this message

poy (poy) wrote on 2013-06-18:

Fixed in DC++ 0.825.

Changed in dcplusplus:
status:	Fix Committed → Fix Released

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Patches

validation.patch Edit

Add patch

Remote bug watches

Bug watches keep track of this bug in other bug trackers.