[NT] mIRC USERHOST Buffer Overflow
From: SecuriTeam (support_at_securiteam.com)
To: email@example.com Date: 29 Sep 2003 13:05:35 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
- - - - - - - - -
mIRC USERHOST Buffer Overflow
A security vulnerability in mIRC, a popular IRC client for Windows, allows
remote IRC server to cause the IRC client to execute arbitrary code by
overflowing an internal buffer.
* mIRC version 6.01 thru 6.1
When requesting a user's host information, mIRC assumes that the host is
less then 110 bytes. If the host string answered by the server is longer
than 110 bytes, an overflow will occur in mIRC. The overflow allows
overwriting of the EIP pointer.
The victim does not need to type the USERHOST request (/dns) by himself.
Since the mIRC client, when connecting to a server, sends a USERHOST
request to get its local host information.
<- :server.com 001 Victim :Welcome
-> :server.com USERHOST Victim
----- And then , the server's reply -----
<- :server.com 302 Victim:Victim=+~b@cnqXX-XXX.cablevision.qc.ca
Local host: cnqXX-XXX.cablevision.qc.ca (24.212.XX.XXX)
By sending a reply with more than 110 bytes, the overflow will occur:
:server.com 302 Victim:Victim=+~b@
The attacker needs to do the following to successfully exploit the bug:
* Get the victim to connect on his IRC server (irc://)
* Get the victim's mIRC version by sending a CTCP version
The vulnerability allows arbitrary code to be executed on the victim's
machine (it requires the user to connect to a server). By using API
address from mIRC.exe, you do not need to know the exact OS of the victim
to successful exploit the overflow.
An exploit is available to download
<http://whiteroof.netfirms.com/userhost.zip> here. Supposed to work on all
Windows version, mIRC 6.01 thru 6.1
The exploit will attempt to execute a command of your choice, by default
"calc.exe" and then mIRC will crash.
Vendor was notified as to the existence of this issue on September of
2002. He said that it should be fix in his next version of mIRC (currently
The information has been provided by
<mailto:Sylvain.firstname.lastname@example.org> Sylvain Descoteaux.
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: email@example.com
In order to subscribe to the mailing list, simply forward this email to: firstname.lastname@example.org
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.