RE: Miranda IM and Miranda Installer Let Local Users Execute Arbitrary Code

From: Richard Stanway (bugtraq_at_secur1ty.net)
Date: 04/11/05

  • Next message: Andrew: "Microsoft Windows image rendering DoS vuln" 
    To: <bugtraq@securityfocus.com>
Date: Mon, 11 Apr 2005 18:43:51 +0100

    >
    > Miranda IM and Miranda Installer Let Local Users Execute Arbitrary Code
    >
    > ...
    >
    > Exploitation requires an attacker to craft a malicious file with one of
    > the above extensions and convince a user to open and install it.

    Is this really a vulnerability in Miranda IM or in user behaviour? I don't
    see many advisories published for web browsers, yet they all allow arbitrary
    code execution. All you have to do is convince a user to click a link to a
    .exe file and press the open button.

    Yes, perhaps there should be more warning that untrusted plugins can be
    dangerous, but this is really down to the user. If the Miranda Installer
    automatically associated itself with .mir files and opened/installed them
    with no confirmation I could understand the problem, but the user has to
    both choose to download the plugin, choose to run/open the .mir file and
    then again choose to install it. I don't see how the installer is supposed
    to "validate" a plugin without automatically disassembling it and looking
    for malicious code since by nature all plugins are just DLLs that get loaded
    by Miranda.

    There are countless other applications that will load DLLs as plugins, I
    don't see how they are any more protected against malicious DLLs than
    Miranda is. I don't really think that just because Miranda provides an
    installer to copy the DLL to the plugins folder that it is any more
    vulnerable than any other application that instructs users to put DLL files
    into the plugins (or equivelant) directories.

    Rich.

  • Next message: Andrew: "Microsoft Windows image rendering DoS vuln"