Vulnerability disclosure: remote code execution in Scripting Plugin

A new version of the Scripting DC Plugin has been released today fixing a serious vulnerability that allows attackers to remotely execute any code in the host system running any DC client compatible with DC Plugins, such as DC++. The nature of this vulnerability can cause various security issues, for example it makes the attacker possible to aquire any files from the host’s mounted filesystems.

For successful exploitation, Scripting Plugin version 1.0 should be installed AND enabled in any DC client / versions that support DC Plugins. DC clients having this particular plugin not installed (or installed but as long as the plugin is in disabled state) are NOT vulnerable.

For users running Scripting Plugin version 1.0 it is highly recommended to upgrade to version 1.10 as soon as possible to get protected from this vulnerability.

Please note that a vulnerable function named LuaExec has been completly removed from the plugin’s scripting API and that this release also updates the internal Lua engine to the latest version, both of which changes may cause incompatibilities with existing customly created Lua user scripts.

We’d like to thank RoLex of Team Elite for reporting, sharing proof of concept and recommending fixes for this issue.