mIRC Buffer Overflow in irc protocol handler

From: DigitalPranksters (secteam_at_DIGITALPRANKSTERS.COM)
Date: 10/15/03

    Date:         Wed, 15 Oct 2003 03:36:40 -0500

    DigitalPranksters Security Advisory

    mIRC Buffer Overflow in irc protocol handler

    Risk: High

    Product: mIRC (version 6.1; possibly others, we only tested the latest)

    Product URL: http://www.mirc.com

    Vendor Contacted: October 1, 2003

    Vendor Released Patch: October 10, 2003

    DigitalPranksters Public Advisory Released: October 15, 2003

    Found By: KrazySnake - krazysnake@digitalpranksters.com

    Exploited By: AngryB - angryb@digitalpranksters.com
                  KrazySnake - krazysnake@digitalpranksters.com

    When mIRC is installed, a protocol handler is added to your machine. This
    allows web page links to call into mIRC. An example of an IRC link is
    "irc://server/channelName". When the link is followed, mIRC displays a
    dialog asking if the user wishes to connect to the server and channel the
    link has specified. If mIRC isn't already running, it will be launched and
    the dialog displayed.

    mIRC contains a buffer overflow that can be exploited by specifying a
    large string following "irc://" in the link. The user will see the dialog
    asking if he or she wishes to connect to the server specified in the URL.
    Regardless of the user's choice (OK or Cancel), the instruction pointer is
    overwritten with the attacker's data. The attacker also controls the data
    where ESI points, allowing him or her to overwrite EIP with the address of
    a CALL or JMP ESI and run arbitrary code.

    Proof of Concept:
    A link like irc://[About 990 chars] will overwrite EIP. This bug is
    exploitable through a web page. We have internally created an exploit.
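    As an added illustration, not part of this advisory or mIRC's code, a
    hypothetical irc:// link handler in C shows the bug class: an unbounded copy
    of the server name into a fixed buffer, beside a bounded form that refuses
    a host too long to fit. HOST_MAX, the URL layout and the function names are
    assumptions.

```c
/* Added example (not mIRC's code): a hypothetical irc:// link handler that
 * copies the server name into a fixed-size buffer, in the unbounded form the
 * advisory's bug class takes and in a bounded form. HOST_MAX is assumed. */
#include <string.h>

#define HOST_MAX 256   /* assumed size of the handler's host buffer */

/* Unbounded form: the text after "irc://" is copied with no length check, so
 * a host longer than HOST_MAX overruns the buffer. For comparison only. */
void parse_irc_link_unsafe(const char *url, char out[HOST_MAX])
{
    const char *slash = strchr(url + 6, '/');     /* text after "irc://" */
    size_t n = slash ? (size_t)(slash - (url + 6)) : strlen(url + 6);
    memcpy(out, url + 6, n);                      /* n may exceed HOST_MAX */
    out[n] = '\0';
}

/* Bounded form: check the scheme and refuse a host that will not fit,
 * terminator included. Returns 0 on success, -1 on bad or over-long input. */
int parse_irc_link(const char *url, char *host_out, size_t host_cap)
{
    static const char scheme[] = "irc://";
    if (strncmp(url, scheme, sizeof scheme - 1) != 0)
        return -1;
    const char *host = url + (sizeof scheme - 1);
    const char *slash = strchr(host, '/');
    size_t n = slash ? (size_t)(slash - host) : strlen(host);
    if (n == 0 || n >= host_cap)
        return -1;
    memcpy(host_out, host, n);
    host_out[n] = '\0';
    return 0;
}

/* Parse into a HOST_MAX buffer and return only the status code. */
int irc_link_fits(const char *url)
{
    char host[HOST_MAX];
    return parse_irc_link(url, host, sizeof host);
}

/* Constructed input near the length the advisory cites: "irc://" followed by
 * 990 'A's. Returns 1 when the bounded parser rejects it. */
int demo_overlong_link_rejected(void)
{
    char url[1024];
    memcpy(url, "irc://", 6);  memset(url + 6, 'A', 990);
    url[6 + 990] = '\0';
    return irc_link_fits(url) == -1;
}
```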

    Khaled Mardam-Bey (author of mIRC) has fixed this issue in mIRC 6.11. This
    update is available on http://www.mirc.com/get.html. Users should actually
    upgrade to 6.12 since it includes additional fixes.

    Thanks to SkippyInside, HTMLBCat, Spyder, Harmo, Purple Rain Man, and that
    bag of pork rinds that got us through the exploit.
    Thanks also to Khaled Mardam-Bey for fixing this issue.

    Standard disclaimer applies. The opinions expressed in this advisory are
    our own and not of any company. The information within this advisory may
    change without notice. Use of this information constitutes acceptance for
    use in an AS IS condition. There are no warranties with regard to this
    information. In no event shall the author be liable for any damages
    whatsoever arising out of or in connection with the use or spread of this
    information. Any use of this information is at the user's own risk.
