mIRC Chat Client Buffer Overflow in Scripting Function May Let Remote Users Execute Arbitrary Code on the System If a Vulnerable Script is Installed on the Target System
SecurityTracker Alert ID: 1005148 |
CVE Reference: GENERIC-MAP-NOMATCH
Date: Aug 28 2002
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes
Version(s): 6.00, 6.01, 6.02
Description: A buffer overflow vulnerability was reported in the mIRC Windows-based Internet Relay Chat (IRC) client. A mIRC user could install a remotely-supplied malicious or vulnerable script that will allow a remote user to execute arbitrary code on the system.

A buffer overflow vulnerability reportedly exists in the $asctime scripting function used to format Unix style time stamps. A malicious script or vulnerable script (which must be downloaded by the target user) can pass a specially crafted string to the $asctime function to trigger a buffer overflow on the stack and execute arbitrary code.

According to the report, the default script included with mIRC does not call the $asctime function. However, some major scripts available for download will call the $asctime function to decode data provided by the IRC server.

There are reported to be several forms in which $asctime can be called by a script. Vulnerable scripts will apparently contain code such as the following, where the '$4' argument is a value supplied by the remote IRC server or other remote source:

//echo 1 uuuppz is idle since $asctime($4)

If the string supplied as the format specifier is longer than 388 bytes, the return address on the stack will reportedly be overwritten. According to the report, several special characters cannot be used in the string (including ASCII codes 72, 84, 90, 100, 104, 109, 110, 115, 116, 121, 122).

Demonstration exploit code is provided at:
http://www.uuuppz.com/research/adv-002-mirc.htm

The report credits Phrizer (DalNET #KORP) with discovering the flaw.
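Since exposure depends on which installed scripts hand server-supplied tokens to $asctime, an administrator can triage script files for exactly that pattern. The following Python scanner is an added example, not code from the advisory, from uuuppz.com or from mIRC; the list of tokens treated as remote-controlled ($4-style positional tokens, $nick, $rawmsg, $address, $site) is a heuristic assumption, and the sample script is constructed.

```python
"""Heuristic scan of mIRC script (.mrc) text for $asctime calls fed by
remote-controlled tokens. Added example; not code from the advisory or mIRC."""
import re

# $asctime( ... ) with a flat argument list (nested parentheses are not handled).
ASCTIME_CALL = re.compile(r"\$asctime\(([^()]*)\)", re.IGNORECASE)

# Assumption: inside an event or raw handler, positional tokens ($4, $1-, $2-3)
# and a few sender-derived identifiers carry data from the server or peers.
REMOTE_TOKEN = re.compile(r"\$(?:\d+-?\d*|nick|rawmsg|address|site)(?![A-Za-z0-9])",
                          re.IGNORECASE)


def find_asctime_calls(script_text):
    """Return (line_no, argument, remote_controlled) for every $asctime call."""
    findings = []
    for line_no, line in enumerate(script_text.splitlines(), start=1):
        if line.lstrip().startswith(";"):  # mIRC comment line
            continue
        for match in ASCTIME_CALL.finditer(line):
            arg = match.group(1).strip()
            findings.append((line_no, arg, bool(REMOTE_TOKEN.search(arg))))
    return findings


def risky_calls(script_text):
    """Only the calls whose argument is under remote control."""
    return [f for f in find_asctime_calls(script_text) if f[2]]


# Constructed sample script: one call on a local value, then two calls on
# tokens taken from server/peer data, the second modelled on the advisory.
SAMPLE_SCRIPT = """; constructed sample, not a real mIRC script
on *:START: echo -s Loaded at $asctime($ctime)
raw 317:*: { //echo 1 $2 is idle since $asctime($4) }
on *:TEXT:!since*:#: msg $chan Since $asctime($2-)
"""

if __name__ == "__main__":
    for line_no, arg, remote in find_asctime_calls(SAMPLE_SCRIPT):
        print(f"line {line_no}: $asctime({arg}) [{'REMOTE' if remote else 'local'}]")
```

Run it over each .mrc file loaded by the client; any REMOTE hit on a client older than 6.03 is a reason to upgrade or remove the script.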
Impact: A remote user may be able to execute arbitrary code on the target user's system if the target user has a malicious script or vulnerable script installed.
Solution: The vendor has released a fixed version (6.03), available at:
http://www.mirc.co.uk/get.html
Vendor URL: www.mirc.co.uk/
Cause: Boundary error
Underlying OS: Windows (Any)
Reported By: "James Martin" <fulldisclose@uuuppz.com>
Message History:
None.
Source Message Contents
Date: Tue, 27 Aug 2002 14:58:50 +0100
From: "James Martin" <fulldisclose@uuuppz.com>
Subject: uuuppz.com - Advisory 002 - mIRC $asctime overflow
General Info
------------
Researched by: James Martin
Full advisory: http://www.uuuppz.com/research/adv-002-mirc.htm
Exploit: Proof of concept code available at above URL.
Product: mIRC
Website: http://www.mirc.com
Version: V6.00, V6.01, V6.02.
Fix: Download mIRC 6.03 from http://www.mirc.com
Please do not download from unofficial sites, as you may download a trojaned version.
Type: Buffer Overrun
Risk: Low to High
Summary
-------
mIRC provides scripting capabilities to allow extension of the
client. A flaw exists in the $asctime identifier, which is used to
format Unix style time stamps. Passing a string of sufficient length
to $asctime will cause a buffer overflow on the stack. This allows
the execution of byte code through calling $asctime with a carefully
constructed string.
The default script included with mIRC does not call $asctime at any
point. However the majority of major scripts available for download
call $asctime to decode data provided by the irc server. Many scripts
call $asctime on data provided from other remote sources. The
exploitation of this flaw therefore depends on the script installed
by the victim.