DC++ 0.851 - Arbitrary code execution

Tested on Windows 7 x64
DC++ v0.851

Overview:

https://en.wikipedia.org/wiki/DC++

DC++ is an open source client for Windows for the Direct Connect / Advanced Direct Connect network. Direct Connect allows you to share files over the Internet without restrictions or limits. The client is completely free of advertisements and has a nice, easy to use interface. Firewall and router support is integrated and it is easy and convenient to use functionality like multi-hub connections, auto-connections and resuming of downloads.

Download:

http://dcplusplus.sourceforge.net/

http://www.dobreprogramy.pl/DC,Program,Windows,12644.html

Vulnerability description:

DC++: improper handling of unrecognized URIs and direct access to the ::ShellExecute function allow arbitrary code execution. This may allow arbitrary applications and files to be launched when a user clicks on a specially crafted link in the DC++ main chat or a PM, or through the process of installing a specially crafted plugin.

https://en.wikipedia.org/wiki/Arbitrary_code_execution

By supplying a UNC path (this can be SMB/WebDAV/FTP, or a file format that Windows might auto-mount) in the *.dcext plugin file or in main/PM hub chat, a remote file will be automatically downloaded, which can result in arbitrary code execution (easy to execute batch scripts etc.). If there is some kind of bug that leaks the victim machine's current username, then it is also possible to execute the payload from /Users/[username]/Downloads/, or else brute-force your way to that information.

Successful exploitation will result in an attacker gaining the same privileges as the logged-on user. For example:

PoC:

win32/WinUtil.cpp:

void WinUtil::openLink(const tstring& url) {
	::ShellExecute(NULL, NULL, url.c_str(), NULL, NULL, SW_SHOWNORMAL);      <---------------------- {2}
}

bool WinUtil::parseLink(const tstring& str, bool followExternal) {
	auto url = Text::fromT(str);
	Util::sanitizeUrl(url);

	string proto, host, port, file, query, fragment;
	Util::decodeUrl(url, proto, host, port, file, query, fragment);

	if(Util::stricmp(proto.c_str(), "adc") == 0 ||
		Util::stricmp(proto.c_str(), "adcs") == 0 ||
		Util::stricmp(proto.c_str(), "dchub") == 0 )
	{
		HubFrame::openWindow(mainWindow->getTabView(), url);

		/// @todo parse other params when RFCs for these schemes have been published.

		return true;

	} else if(followExternal && (!proto.empty() ||
		Util::strnicmp(str.c_str(), _T("www."), 4) == 0 ||
		Util::strnicmp(str.c_str(), _T("mailto:"), 7) == 0))
	{
		openLink(str);      <---------------------- {1}
		return true;

	} else if(host == "magnet") {
		string hash, name, key;
		if(Magnet::parseUri(Text::fromT(str), hash, name, key)) {
			MagnetDlg(mainWindow, Text::toT(hash), Text::toT(name), Text::toT(key)).run();
		} else {
			dwt::MessageBox(mainWindow).show(
				T_("A MAGNET link was given to DC++, but it didn't contain a valid file hash for use on the Direct Connect network.  No action will be taken."),
				T_("MAGNET Link detected"), dwt::MessageBox::BOX_OK, dwt::MessageBox::BOX_ICONEXCLAMATION);
		}
		return true;
	}

	return false;
}

1# With the "file://" URI scheme in normal main chat/PM, linked files are not handled properly:

1# Without the "file://" URI scheme in normal main chat/PM, linked files are not handled properly:

2# With the "file://" URI scheme in a plugin:

Download plugin PoC.

Download plugin PoC without file:// scheme.
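The root cause at {1}/{2} is that any string with a non-empty scheme (or a "www."/"mailto:" prefix) is handed to ::ShellExecute, which will happily resolve file: URIs and UNC paths. The following allow-list gate is an added example of the kind of check that belongs in front of openLink; it is not DC++ code, and the policy it enforces (http, https, mailto only; bare "www." treated as http; any backslash rejected) is an assumption for illustration.

```cpp
#include <algorithm>
#include <cctype>
#include <set>
#include <string>

// Added example (not DC++ code): constrain what may reach ::ShellExecute.
namespace linkguard {

// Returns the lowercased scheme of `url`, or "" if it has none.
// Scheme syntax per RFC 3986: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":"
std::string scheme(const std::string& url) {
    std::size_t i = 0;
    while (i < url.size()) {
        unsigned char c = static_cast<unsigned char>(url[i]);
        if (c == ':') break;
        bool ok = (i == 0) ? std::isalpha(c) != 0
                           : (std::isalnum(c) != 0 || c == '+' || c == '-' || c == '.');
        if (!ok) return "";
        ++i;
    }
    if (i == 0 || i >= url.size()) return "";   // no scheme or nothing after it
    std::string s = url.substr(0, i);
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char ch) { return static_cast<char>(std::tolower(ch)); });
    return s;
}

// Decide whether a chat/PM link may be passed to the system shell.
// Assumed policy: only http, https and mailto; bare "www." hosts are the
// one scheme-less form accepted. Any backslash is rejected outright so a
// UNC path (\\host\share\x) never reaches ShellExecute, with or without a
// scheme in front of it.
bool isSafeExternalLink(const std::string& url) {
    static const std::set<std::string> allowed = {"http", "https", "mailto"};
    if (url.empty() || url.find('\\') != std::string::npos) return false;
    const std::string s = scheme(url);
    if (s.empty()) {
        return url.size() > 4 && url.compare(0, 4, "www.") == 0;
    }
    if (!allowed.count(s)) return false;          // file:, javascript:, etc.
    if (s == "mailto") return url.size() > 7;     // something after "mailto:"
    // http/https must carry an authority ("//" followed by a non-empty host).
    const std::string rest = url.substr(s.size() + 1);
    return rest.compare(0, 2, "//") == 0 && rest.size() > 2 && rest[2] != '/';
}

}  // namespace linkguard
```

A scheme-case check alone is not enough: "FILE://" is lowercased before the lookup, and the backslash rule covers the scheme-less UNC case the advisory lists separately.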

Reference:

https://msdn.microsoft.com/en-us/library/windows/desktop/bb762153(v=vs.85).aspx

https://msdn.microsoft.com/en-us/library/windows/desktop/bb776886(v=vs.85).aspx

Disclosure Timeline:

2015-10-04 - Vulnerability reported to vendor

2015-10-05 - CVE assign request

Reported by:

Kacper Rybczynski (@kacperybczynski)

Date: 2015-10-04