How to deal with a nasty exploit ?

Pothead
Posts: 223
Joined: 2005-01-15 06:55

How to deal with a nasty exploit ?

Post by Pothead » 2006-04-20 19:58

Flow84 has found a serious exploit, which affects both 0.674 and the latest svn build (not tested on earlier versions yet). He doesn't feel comfortable with posting how it works on a forum or anything like that.
He has explained briefly to me about what it can do, and where the problem is located, and it does seem pretty nasty. :(
So I'm just looking for some advice on how to deal with it, like emailing arnetheduck or gargoylemt (or anyone else) about the details of it, contacting them via DC in PM, or any other suggestions?

ivulfusbar
Posts: 506
Joined: 2003-01-03 07:33

Post by ivulfusbar » 2006-04-21 00:13

I would suggest that he/she contacts Gargoyle and arnetheduck. Include a small proof-of-concept.
Everyone is supposed to download from the hubs, - I don´t know why, but I never do anymore.

ivulfusbar
Posts: 506
Joined: 2003-01-03 07:33

Post by ivulfusbar » 2006-04-21 03:10

Also there is a degree of "nasty" and "exploit". Basically three degrees of exploits:

1) Will it be possible, or chance to take over the computer and or run code of the exploiters choice.

2) Will it spam the computer into a useless state. (Hard-drive space (due to excessive logging), 100% CPU, DoS etc.)

3) Will it crash the client.


For (2) and (3) there are already quasi-public ways of achieving it.

Pothead
Posts: 223
Joined: 2005-01-15 06:55

Post by Pothead » 2006-04-21 04:45

ivulfusbar wrote:
> I would suggest that he/she contacts Gargoyle and arnetheduck. Include a small proof-of-concept.

thanks. I'll pass the message on. :)

ivulfusbar wrote:
> Also there is a degree of "nasty" and "exploit". Basically three degrees of exploits:
> 1) Will it be possible, or chance to take over the computer and or run code of the exploiters choice.
> 2) Will it spam the computer into a useless state. (Hard-drive space (due to excessive logging), 100% CPU, DoS etc.)
> 3) Will it crash the client.

1. Not sure about take over, but some evil-minded person could run some code through it.
2. No, but it could kill Windows, into a useless state.
3. Nope.

GargoyleMT
DC++ Contributor
Posts: 3212
Joined: 2003-01-07 21:46
Location: .pa.us

Post by GargoyleMT » 2006-04-23 11:04

Has this gone anywhere? Was this part of the chat I glossed over on the private hub about file requests and crashing clients?

ullner
Forum Moderator
Posts: 333
Joined: 2004-09-10 11:00

Post by ullner » 2006-04-23 11:14

Code:

[2006-04-21 15:36:49] <fusbar> so Pothead, what was the famous exploit then? ;))
[2006-04-21 15:38:32] <Pothead> basically make folders / files anywhere on harddisk
[2006-04-21 15:38:39] <Pothead> corrupting files if already exist
[2006-04-21 15:40:22] <Pothead> apparently it can also make a File & Folder hybrid, which don't sound good :P
[2006-04-21 15:41:19] <fusbar> UTF8-based?
[2006-04-21 15:41:25] <Trem> yay another way to enforce client restitrictions to get rid of old client =)
[2006-04-21 15:42:16] <Pothead> no idea about utf8-based,  don't really know about stuff like that :P
[2006-04-21 15:42:23] <cologic> The neat thing is that unlike the other one that appeared recently, according to Pothead's description 0.674 - the last one safe from previously announced vulnerabilities - is vulnerable to this one. ;)
[2006-04-21 15:42:24] <Pothead> hehe, good plan Trem :)
[2006-04-21 15:42:39] <Pothead> even lastest SVN has it
[2006-04-21 15:42:40] <Pothead> :P
[2006-04-21 15:44:08] <Pothead> but, hehe, i totally agree with that "Client too old, not supported" :)
[2006-04-21 15:44:36] <fusbar> since dc++ only create files when downloading (except xml-setting-files) ;))
[2006-04-21 15:44:58] <Pothead> nope
[2006-04-21 15:45:08] <Pothead> and the other occurance . . . .
[2006-04-21 15:45:15] <Pothead> which is where the problem lies
[2006-04-21 15:45:20] <cologic> logging?
[2006-04-21 15:45:31] <Pothead> yup :)
[2006-04-21 15:45:32] <fusbar> Well logging aswell.
[2006-04-21 15:45:47] <cologic> Is it basically "I'm the user ..\..\foo"? ;)
[2006-04-21 15:46:02] <fusbar> haven't that been addressed before?
[2006-04-21 15:46:10] <fusbar> when we did the same with sharelists?
[2006-04-21 15:46:16] <Pothead> good guess cologic
[2006-04-21 15:46:18] <Pothead> :)
[2006-04-21 15:46:19] <cologic> (twice ;) )
[2006-04-21 15:46:22] <Pothead> but the issue still exists
[2006-04-21 15:46:36] <fusbar> i wonder if it was never fixed last time.
[2006-04-21 15:46:47] <fusbar> when utf8 introduced it again.
[2006-04-21 15:47:02] <cologic> fusbar, 0.674 fixed the unicode version.
[2006-04-21 15:47:08] <cologic> Supposedly, anyway.
[2006-04-21 15:47:11] <fusbar> logs aswell?
[2006-04-21 15:47:16] <cologic> Oh. No idea.
[2006-04-21 15:47:16] <fusbar> or sharelist?
[2006-04-21 15:47:21] <cologic> Sharelist.
[2006-04-21 15:47:33] <fusbar> lets check changelogs.
[2006-04-21 15:47:41] <cologic> This is a much better exploit that that, though. ;)
[2006-04-21 15:47:55] <cologic> (1) no dealing with rollback. (2) PMs can be sent without the target requesting them.
[2006-04-21 15:48:22] <Pothead> (3) PM's can be sent to everyone on a 10000 user hub, in one go
[2006-04-21 15:48:31] <fusbar> (filelists aswell)
[2006-04-21 15:48:50] <fusbar> (if matchqueue)
[2006-04-21 15:49:15] <cologic> fusbar,
-- 0.674 2005-04-10 --
*** WARNING ***
  This version fixes a security bug, upgrade unless you want to risk losing data
  anywhere on your drive, this error affects all clients from 0.307 to date (thanks cologic for finding it)
*** WARNING ***
[2006-04-21 15:49:37] <cologic> That was the unicode variation on the 0.300 bug.
[2006-04-21 15:49:51] <fusbar> yes, but did we look into the filelogs there?
[2006-04-21 15:50:15] <cologic> No. Basically I and FarCry verified it existed, but no one else really.
[2006-04-21 15:50:23] <cologic> (that I know of)
[2006-04-21 15:50:30] <cologic> And we only did sharelists.
[2006-04-21 15:50:48] <cologic> So I don't know that arne would necessarrily have gone after logging/filelists.
[2006-04-21 15:50:54] <cologic> From that.
[2006-04-21 15:51:06] <Pothead> Proof of concept thingy, flow did . . .  http://flow84.no-ip.org/pictures/dcpp/exploit3.png 
[2006-04-21 15:51:37] <sandos> its kinda amazing how long these can go undetected in clients =)
[2006-04-21 15:51:40] <fusbar> when was the first exploit?
[2006-04-21 15:51:45] <cologic> Also, put enough ".."s in and one just stays at the root.
[2006-04-21 15:51:55] <cologic> Which means it works no matter where DC++ is.
[2006-04-21 15:52:19] <cologic> 
 -- 0.300 2003-10-27 --
*** WARNING ***
  Security update, upgrade unless you want to risk losing files anywhere
  on your hd (this is for all versions prior to this one) (thanks fusbar for bringing 
  it to my attention) 
*** WARNING ***
[2006-04-21 15:52:21] <fusbar> yes...
[2006-04-21 15:52:28] <fusbar> set the botname in here into something ;))
[2006-04-21 15:52:30] <Pothead> well, sandos, i found sommit similar in Recovery Console last week 
[2006-04-21 15:52:43] <fusbar> and "inform you" ;))
[2006-04-21 15:53:07] <sandos> its not like DC++ is used only by a few thousand users.. it has literally millions of downloads.. dont anyone try do anything malicious with DC? ;)
[2006-04-21 15:57:54] <fusbar> it seems that part was never fixed in 0.300
[2006-04-21 15:58:32] <cologic> fusbar: those bugs were about files within filelists. This is apparently about the filelist and/or logfiles themselves.
[2006-04-21 15:58:39] <cologic> Which is a different codepath.
[2006-04-21 15:59:06] <fusbar> I know this has been discussed with nicknames aswell.
[2006-04-21 15:59:40] <fusbar> I will check my log-files tomorrow.
[2006-04-21 16:00:09] <fusbar> i think we checked that hubs with [ISPS] in nicknames would not be affected
[2006-04-21 16:00:16] <fusbar> and made some remark about that.
[2006-04-21 16:45:05] <Pothead> think maybe located problem
[2006-04-21 16:45:19] <Pothead> if nick starts with ..\
[2006-04-21 16:45:45] <Pothead> that don't get checked in Validate filename, by looks of it
[2006-04-21 16:51:34] <Pothead> meh, but i not really good at stuff like that.  off out for a bit. i'll try exploiting myself when i get in, and see if i can see how it going wrong :)
[2006-04-21 18:25:40] <fusbar> yes, only in QueueManager validateFilename was checked in 0.3000

GargoyleMT
DC++ Contributor
Posts: 3212
Joined: 2003-01-07 21:46
Location: .pa.us

Post by GargoyleMT » 2006-04-23 12:51

Thanks. And: wheee.

Pothead
Posts: 223
Joined: 2005-01-15 06:55

Post by Pothead » 2006-04-23 13:59

hehe, he cannot remember how he got out of the log directory, or changed the extensions, so still trying to duplicate that one at the moment. . . . :)
Another problem is a PM from the username
..\\\pip..\\\pippi

which makes a kind of file/directory hybrid that cannot be removed by any normal means (I had to rd logs /s /q).
Stopping directories from ending in . (the Windows GUI doesn't let you make them with that anyway) is one possible way of sorting that one:

Code:

	// Directory names cannot end with a .
	// tmp is the std::string file name being validated; i is a
	// string::size_type declared earlier in the same function.
	// Any '.' that directly precedes a path separator becomes '_',
	// so "pip..\" turns into "pip._\" and no directory component
	// can end in a dot.
	i = 0; 
	while( (i = tmp.find(".\\", i)) != string::npos ) { 
		tmp[i] = '_'; 
	} 
	i = 0; 
	while( (i = tmp.find("./", i)) != string::npos ) { 
		tmp[i] = '_'; 
	} 
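The two problems this thread circles around, a nick starting with ..\ that walks out of the log directory (the chat log above) and a nick whose directory component ends in a dot (the post above), worked through as an added example. This is not DC++ code and not Pothead's fix: the install directory C:\dc\logs\, the hostile nicks, and the helper names normalizePath, isInside, buildLogPath and sanitizeNick are all constructed for illustration; only the ..\\\pip..\\\pippi nick is taken from the post. normalizePath is a purely lexical resolver that treats both \ and / as separators, which is enough to show where a log file would land; sanitizeNick is one possible replacement for a per-component check that strips the separators themselves instead of only rewriting ".\" and "./".

```cpp
#include <cassert>
#include <iostream>
#include <string>
#include <vector>

using std::string;
using std::vector;

// Split on either separator, as Windows does ("\" and "/" are equivalent).
static vector<string> splitPath(const string& p) {
    vector<string> parts;
    string cur;
    for (char c : p) {
        if (c == '\\' || c == '/') { parts.push_back(cur); cur.clear(); }
        else cur += c;
    }
    parts.push_back(cur);
    return parts;
}

// Lexically resolve "." and ".." without touching the disk. Surplus ".."
// components at the root are dropped, which is why "enough ..s" always
// lands at the root no matter where DC++ is installed.
string normalizePath(const string& p) {
    vector<string> parts = splitPath(p);
    string root;
    size_t start = 0;
    if (!parts.empty() && (parts[0].empty() || parts[0].back() == ':')) {
        root = parts[0] + "\\";            // "C:\" or "\" (absolute path)
        start = 1;
    }
    vector<string> out;
    for (size_t k = start; k < parts.size(); ++k) {
        const string& s = parts[k];
        if (s.empty() || s == ".") continue;                 // "\\\\" and "." collapse
        if (s == "..") { if (!out.empty()) out.pop_back(); continue; }
        out.push_back(s);
    }
    string r = root;
    for (size_t k = 0; k < out.size(); ++k) {
        if (k) r += '\\';
        r += out[k];
    }
    return r;
}

// True if the normalised target lies strictly below the normalised base dir.
bool isInside(const string& baseDir, const string& target) {
    const string base = normalizePath(baseDir) + "\\";
    return normalizePath(target).compare(0, base.size(), base) == 0;
}

// The construction this thread is about: <log dir> + <nick> + ".log".
string buildLogPath(const string& logDir, const string& nick) {
    return logDir + nick + ".log";
}

// Hypothetical per-component sanitiser (not DC++'s Util::validateFileName).
// Separators and the characters Windows rejects become '_', so ".." can
// never reach the path code; trailing dots/spaces, which Windows silently
// drops when creating a file, are trimmed so "pip.." and "pip" cannot
// alias each other (the file/directory hybrid described in the post).
string sanitizeNick(string nick) {
    for (char& c : nick) {
        const unsigned char u = static_cast<unsigned char>(c);
        if (c == '\\' || c == '/' || c == ':' || c == '*' || c == '?' ||
            c == '"' || c == '<' || c == '>' || c == '|' || u < 0x20)
            c = '_';
    }
    while (!nick.empty() && (nick.back() == '.' || nick.back() == ' '))
        nick.pop_back();
    if (nick.empty()) nick = "_";   // "..", "." or "" would otherwise vanish
    return nick;
}

int main() {
    const string logDir = "C:\\dc\\logs\\";                 // constructed sample install dir
    const string evil   = "..\\..\\..\\..\\Windows\\win";   // constructed hostile nick
    const string hybrid = "..\\\\\\pip..\\\\\\pippi";        // the nick quoted in the post
    const string good   = "Pothead";

    for (const string& n : {good, evil, hybrid}) {
        const string raw  = buildLogPath(logDir, n);
        const string safe = buildLogPath(logDir, sanitizeNick(n));
        std::cout << "nick " << n << "\n  raw  -> " << normalizePath(raw)
                  << (isInside(logDir, raw) ? "" : "   (ESCAPES log dir)")
                  << "\n  safe -> " << normalizePath(safe) << "\n";
    }
    return 0;
}
```

Build with g++ -std=c++17 and run; the hostile nick resolves to C:\Windows\win.log and the quoted one to C:\dc\pip..\pippi.log, both outside the log directory, while the sanitised forms stay under C:\dc\logs\. Two caveats the example deliberately leaves out: it works on already-decoded characters, so it has to run after UTF-8 decoding (the "unicode variation" mentioned in the chat was exactly a separator that only appeared after decoding), and a real sanitiser must also reject Windows reserved device names such as CON and NUL, which no amount of separator stripping fixes.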
