[VulnWatch] uuuppz.com - Advisory 002 - mIRC $asctime overflow

From: James Martin (fulldisclose@uuuppz.com)
Date: 08/27/02


From: "James Martin" <fulldisclose@uuuppz.com>
To: <vulndiscuss@vulnwatch.org>, <vulnwatch@vulnwatch.org>, <vuln-dev@securityfocus.com>, <news@securiteam.com>, "Windows NTBugtraq Mailing List" <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>, <full-disclosure@lists.netsys.com>, <bugtraq@securityfocus.com>
Date: Tue, 27 Aug 2002 14:58:50 +0100


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

General Info
- ------------
Researched by: James Martin
Full advisory: http://www.uuuppz.com/research/adv-002-mirc.htm
Exploit: Proof of concept code available at above URL.

Product: mIRC
Website: http://www.mirc.com
Version: V6.00, V6.01, V6.02.
Fix: Download mIRC 6.03 from http://www.mirc.com
     Please do not download from unofficial sites, as you may
     download a trojaned version.
Type: Buffer Overrun
Risk: Low to High

Summary
- -------
mIRC provides scripting capabilities to allow extension of the
client. A flaw exists in the $asctime identifier, which is used to
format Unix style time stamps. Passing a string of sufficient length
to $asctime will cause a buffer overflow on the stack. This allows
the execution of byte code through calling $asctime with a carefully
constructed string.

The default script included with mIRC does not call $asctime at any
point. However, the majority of major scripts available for download
call $asctime to decode data provided by the IRC server. Many scripts
call $asctime on data provided from other remote sources. The
exploitation of this flaw therefore depends on the script installed
by the victim.

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBPWuC4/L9eRNyreu5EQJe3QCgongMQqFL2oZyX1NWicRxdmdXipIAoKb0
YJPJQ+TJoz9kjC2DKkg6m5OJ
=0cKJ
-----END PGP SIGNATURE-----
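
The defensive pattern for this class of bug, as an added example that is not part of the advisory and not mIRC's code: a time formatter that bounds the length of a remotely supplied format string and checks the formatter's return value before using the fixed-size output buffer. It assumes C's `strftime` as a stand-in for the $asctime formatter; `format_time_checked`, `FMT_MAX` and `OUT_MAX` are hypothetical names and limits.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

#define FMT_MAX 64   /* assumed cap on an untrusted format string */
#define OUT_MAX 128  /* size of the caller's fixed output buffer */

/* Format ts (UTC) using fmt into out. Returns 0 on success, -1 when the
 * input is rejected. On rejection out is always an empty string. */
int format_time_checked(time_t ts, const char *fmt, char *out, size_t outlen)
{
    size_t len = 0;
    struct tm *tmv;

    if (fmt == NULL || out == NULL || outlen == 0)
        return -1;
    out[0] = '\0';

    /* Bounded length scan: never read past FMT_MAX + 1 bytes of fmt. */
    while (len <= FMT_MAX && fmt[len] != '\0')
        len++;
    if (len == 0 || len > FMT_MAX)
        return -1;

    tmv = gmtime(&ts);
    if (tmv == NULL)
        return -1;

    /* strftime returns 0 when the result does not fit; the buffer
     * contents are then indeterminate, so reset it before returning. */
    if (strftime(out, outlen, fmt, tmv) == 0) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char out[OUT_MAX];
    char long_fmt[512];  /* constructed oversized input */

    memset(long_fmt, 'A', sizeof long_fmt - 1);
    long_fmt[sizeof long_fmt - 1] = '\0';

    printf("%d\n", format_time_checked(0, "%Y-%m-%d %H:%M:%S", out, sizeof out));
    printf("%s\n", out);
    printf("%d\n", format_time_checked(0, long_fmt, out, sizeof out));
    return 0;
}
```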


