mIRC Buffer Overflow in irc protocol handler
From: DigitalPranksters (secteam DIGITALPRANKSTERS.COM)
Date: Wed Oct 15 2003 - 03:36:40 CDT
DigitalPranksters Security Advisory
http://www.DigitalPranksters.com
mIRC Buffer Overflow in irc protocol handler
Risk: High
Product: mIRC 6.1 (possibly other versions as well; only the latest release was tested)
Product URL: http://www.mirc.com
Vendor Contacted: October 1, 2003
Vendor Released Patch: October 10, 2003
DigitalPranksters Public Advisory Released: October 15, 2003
Found By: KrazySnake - krazysnake digitalpranksters.com
Exploited By: AngryB - angryb digitalpranksters.com
KrazySnake - krazysnake digitalpranksters.com
Problem:
When mIRC is installed, a protocol handler is added to your machine. This
allows web page links to call into mIRC. An example of an IRC link is
"irc://server/channelName". When the link is followed, mIRC displays a
dialog asking if the user wishes to connect to the server and channel the
link has specified. If mIRC isn't already running, it will be launched and
the dialog displayed.
mIRC contains a buffer overflow that can be triggered by placing an
over-long string after "irc://" in the link. The user sees the usual dialog
asking whether he or she wishes to connect to the server named in the URL.
Regardless of the user's choice (OK or Cancel), the instruction pointer is
overwritten with the attacker's data. The attacker also controls the data
that ESI points to, so EIP can be overwritten with the address of a
CALL ESI or JMP ESI instruction and arbitrary code can be run.
Proof of Concept:
A link like irc://[About 990 chars] will overwrite EIP. This bug is
exploitable through a web page. We have internally created an exploit.
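As an added illustration of the fix this class of bug calls for (this is not mIRC's code, and the buffer limits are assumptions), a bounds-checked parser for "irc://server/channel" links that refuses any link whose server or channel part would not fit its destination buffer, instead of copying it blindly:

```c
/* Added example (not mIRC's code): a bounds-checked parser for
 * "irc://server/channel" links, the kind of check a protocol handler
 * should run before the URL reaches any fixed-size buffer.
 * MAX_SERVER and MAX_CHANNEL are assumed limits, not mIRC's. */
#include <string.h>
#include <stdbool.h>

#define MAX_SERVER  255   /* assumed hostname limit */
#define MAX_CHANNEL 50    /* assumed channel-name limit */

struct irc_target {
    char server[MAX_SERVER + 1];
    char channel[MAX_CHANNEL + 1];
};

/* Returns true and fills *out on success; false for a malformed or
 * oversized link.  Every copy is bounded by the destination size, so an
 * over-long "irc://..." URL is rejected rather than written past the end
 * of the buffer. */
bool parse_irc_url(const char *url, struct irc_target *out)
{
    const char *p, *slash;
    size_t server_len, channel_len;

    if (url == NULL || out == NULL)
        return false;
    if (strncmp(url, "irc://", 6) != 0)
        return false;
    p = url + 6;

    /* The server part runs to the first '/' or to the end of the string. */
    slash = strchr(p, '/');
    server_len = slash ? (size_t)(slash - p) : strlen(p);
    if (server_len == 0 || server_len > MAX_SERVER)
        return false;            /* empty or too long: refuse the link */

    channel_len = slash ? strlen(slash + 1) : 0;
    if (channel_len > MAX_CHANNEL)
        return false;

    memcpy(out->server, p, server_len);
    out->server[server_len] = '\0';
    memcpy(out->channel, slash ? slash + 1 : "", channel_len);
    out->channel[channel_len] = '\0';
    return true;
}
```

A link of the roughly 990 characters described above fails the server-length check and is dropped before any copy takes place.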
Resolution:
Khaled Mardam-Bey (author of mIRC) has fixed this issue in mIRC 6.11. The
update is available at http://www.mirc.com/get.html. Users should upgrade
to 6.12 instead, since it includes additional fixes.
Greetings:
SkippyInside, HTMLBCat, Spyder, Harmo, Purple Rain Man, and that bag of
pork rinds that got us through the exploit.
Thanks to Khaled Mardam-Bey for fixing this issue.
Disclaimer:
Standard disclaimer applies. The opinions expressed in this advisory are
our own and not of any company. The information within this advisory may
change without notice. Use of this information constitutes acceptance for
use in an AS IS condition. There are no warranties with regard to this
information. In no event shall the author be liable for any damages
whatsoever arising out of or in connection with the use or spread of this
information. Any use of this information is at the user's own risk.