[Sec] Incorrectly formed ADCGet cause remote crash

DC++ NULL Pointer Remote Denial of Service Vulnerability is a remote crash report submitted by Crise.

See cologic’s report and his follow up that clarifies the command

The following is NOT posted to any other board as this already have a correct CVE number.

DC++ versions below 0.707 supporting the protocol command ADCGET can be remotely crashed

Background
DC++ [1] is a chat and file sharing application for the Direct Connect [2] network.

DC++ uses the protocol Neo-Modus Direct Connect [3] and the command $ADCGET [4] to request files for download.

The command uses a identifier type, identifier (file reference), starting position for data streaming and the amount of bytes to request.

Security issue description

DC++ fails to validate that the identifier is empty, causing a subsequent invalid derefencing.

The following command can be sent to a cause a remote crash;
$ADCGET list //// 0 -1 ZL1|

See “DC++ NULL Pointer Remote Denial of Service Vulnerability” [5] for a reference to a report with CVE: CVE-2008-2953. See also [7] and [8] for additional informatin.

Fix description
A fix was deployed to DC+ 0.707 [6].

Exploits
Unknown.

Affected versions
Any client older than DC++ 0.707 that incorporate $ADCGet.

References
[1] > http://dcplusplus.sourceforge.net/
[2] > http://en.wikipedia.org/wiki/Direct_Connect_(file_sharing)
[3] > http://nmdc.sourceforge.net/NMDC.html
[4] > http://nmdc.sourceforge.net/NMDC.html#_adcget
[5] > http://www.securityfocus.com/bid/29924
[6] > http://cvs.berlios.de/cgi-bin/viewcvs.cgi/linuxdcpp/linuxdcpp/client/ShareManager.cpp?r1=1.14&r2=1.15
[7] > https://dcpp.wordpress.com/2010/01/09/dc-remote-crashexploit-disclosure/
[8] > http://dcpp.wordpress.com/2011/09/08/how-to-crash-dc-0-674/