[NT] mIRC USERHOST Buffer Overflow

From: SecuriTeam (support_at_securiteam.com)
Date: 09/29/03

  • Next message: SecuriTeam: "[NT] ArGoSoft FTP Server XCMD Buffer Overflow"
    To: list@securiteam.com
    Date: 29 Sep 2003 13:05:35 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      mIRC USERHOST Buffer Overflow
    ------------------------------------------------------------------------

    SUMMARY

    A security vulnerability in mIRC, a popular IRC client for Windows, allows
    remote IRC server to cause the IRC client to execute arbitrary code by
    overflowing an internal buffer.

    DETAILS

    Vulnerable systems:
     * mIRC version 6.01 thru 6.1

    When requesting a user's host information, mIRC assumes that the host is
    less then 110 bytes. If the host string answered by the server is longer
    than 110 bytes, an overflow will occur in mIRC. The overflow allows
    overwriting of the EIP pointer.

    The victim does not need to type the USERHOST request (/dns) by himself.
    Since the mIRC client, when connecting to a server, sends a USERHOST
    request to get its local host information.

    <- :server.com 001 Victim :Welcome
    -> :server.com USERHOST Victim
    ----- And then , the server's reply -----
    <- :server.com 302 Victim:Victim=+~b@cnqXX-XXX.cablevision.qc.ca
    Local host: cnqXX-XXX.cablevision.qc.ca (24.212.XX.XXX)

    By sending a reply with more than 110 bytes, the overflow will occur:
    :server.com 302 Victim:Victim=+~b@

    The attacker needs to do the following to successfully exploit the bug:
     * Get the victim to connect on his IRC server (irc://)
     * Get the victim's mIRC version by sending a CTCP version

    Impact:
    The vulnerability allows arbitrary code to be executed on the victim's
    machine (it requires the user to connect to a server). By using API
    address from mIRC.exe, you do not need to know the exact OS of the victim
    to successful exploit the overflow.

    Exploit:
    An exploit is available to download
    <http://whiteroof.netfirms.com/userhost.zip> here. Supposed to work on all
    Windows version, mIRC 6.01 thru 6.1

    The exploit will attempt to execute a command of your choice, by default
    "calc.exe" and then mIRC will crash.

    Vendor response:
    Vendor was notified as to the existence of this issue on September of
    2002. He said that it should be fix in his next version of mIRC (currently
    mIRC 6.1)

    ADDITIONAL INFORMATION

    The information has been provided by
    <mailto:Sylvain.descoteaux@sympatico.ca> Sylvain Descoteaux.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


  • Next message: SecuriTeam: "[NT] ArGoSoft FTP Server XCMD Buffer Overflow"

    Relevant Pages

    • [EXPL] mIRC "IRC" Protocol Remote Buffer Overflow (Exploit)
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... a vulnerability in mIRC allows remote attackers ... replacing the shellcode with your own is also ...
      (Securiteam)
    • [NT] mIRC Font Buffer Overflow (Exploit)
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... " <http://mirc.com/> mIRC is a friendly IRC client that is well equipped ... A local buffer overflow with the /font command in mIRC was found. ... char strClass; ...
      (Securiteam)
    • [EXPL] mIRC Unspecified DCC Request Vulnerability (Exploit)
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Unspecified DCC Request Vulnerability, a vulnerability in mIRC allows ...
      (Securiteam)
    • [NT] mIRC Buffer Overflow (irc:// Links)
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... A buffer overflow in the way mIRC handle irc:// links allows remote ... attackers to cause the program to execute arbitrary code. ... An attacker would be able to gain access to the target system if he was ...
      (Securiteam)
    • [NT] HP Radia Notify Daemon Multiple Buffer Overflows
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... RADEXECD process with parameters of a greater length than the buffer used ... structures, executes the target process, and waits for it to terminate. ... text:0040619E call _strcpy; overflow here ...
      (Securiteam)