[NT] mIRC USERHOST Buffer Overflow

From: SecuriTeam (support_at_securiteam.com)
Date: 09/29/03

  • Next message: SecuriTeam: "[NT] ArGoSoft FTP Server XCMD Buffer Overflow"
    To: list@securiteam.com
    Date: 29 Sep 2003 13:05:35 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.

    - - - - - - - - -

      mIRC USERHOST Buffer Overflow


    A security vulnerability in mIRC, a popular IRC client for Windows, allows
    remote IRC server to cause the IRC client to execute arbitrary code by
    overflowing an internal buffer.


    Vulnerable systems:
     * mIRC version 6.01 thru 6.1

    When requesting a user's host information, mIRC assumes that the host is
    less then 110 bytes. If the host string answered by the server is longer
    than 110 bytes, an overflow will occur in mIRC. The overflow allows
    overwriting of the EIP pointer.

    The victim does not need to type the USERHOST request (/dns) by himself.
    Since the mIRC client, when connecting to a server, sends a USERHOST
    request to get its local host information.

    <- :server.com 001 Victim :Welcome
    -> :server.com USERHOST Victim
    ----- And then , the server's reply -----
    <- :server.com 302 Victim:Victim=+~b@cnqXX-XXX.cablevision.qc.ca
    Local host: cnqXX-XXX.cablevision.qc.ca (24.212.XX.XXX)

    By sending a reply with more than 110 bytes, the overflow will occur:
    :server.com 302 Victim:Victim=+~b@

    The attacker needs to do the following to successfully exploit the bug:
     * Get the victim to connect on his IRC server (irc://)
     * Get the victim's mIRC version by sending a CTCP version

    The vulnerability allows arbitrary code to be executed on the victim's
    machine (it requires the user to connect to a server). By using API
    address from mIRC.exe, you do not need to know the exact OS of the victim
    to successful exploit the overflow.

    An exploit is available to download
    <http://whiteroof.netfirms.com/userhost.zip> here. Supposed to work on all
    Windows version, mIRC 6.01 thru 6.1

    The exploit will attempt to execute a command of your choice, by default
    "calc.exe" and then mIRC will crash.

    Vendor response:
    Vendor was notified as to the existence of this issue on September of
    2002. He said that it should be fix in his next version of mIRC (currently
    mIRC 6.1)


    The information has been provided by
    <mailto:Sylvain.descoteaux@sympatico.ca> Sylvain Descoteaux.


    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com


    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[NT] ArGoSoft FTP Server XCMD Buffer Overflow"