SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   Application (Instant Messaging/IRC/Chat)  >   mIRC Vendors:   mIRC Co. Ltd.
mIRC Chat Client Discloses User Nickname and Other Information to Remote Users via Direct Client-to-Client Protocol
SecurityTracker Alert ID:  1003760
SecurityTracker URL:  http://securitytracker.com/id/1003760
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Mar 7 2002
Impact:   Disclosure of user information
Exploit Included:  Yes  

Description:   An information disclosure vulnerability was reported in the mIRC Internet Relay Chat (IRC) client software. A remote user can obtain the user's nickname ("nick") as well as some other information.

It is reported that there is an error in mIRC's impmelentation of the Direct Client-to-Client (DCC) server protocol. A remote user can reportedly determine the victim's nickname, whether or not the victim is ignoring the remote user's request for a direct connection, and whether the victim is connected to other IRC servers.

The vulnerability can reportedly be triggered by a remote user connecting to an open DCC server and typing '100 testing'. Then, regardless of what the victim user does, the server will apparently always responded with '151 <their_nick>'.

To determine if the target user is ignoring the connection request, the remote usre can time the server response to see if the response times are different (apparently indicating that a user is clicking on the application).

To determine if the victim user is active on on another server, the remote user can reportedly compare the returned nick to the nick that the victim user has on the local IRC server. If the nicks are different, then the victim user is likely active on another server.
Impact:   A remote user can determine another user's nickname and whether the user is manually refusing the connection request.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.mirc.co.uk/ (Links to External Site)
Cause:   State error
Underlying OS:   Windows (Any)

Message History:   None.

 Source Message Contents
Date:  6 Mar 2002 22:40:34 -0000
Subject:  mIRC DCC Server Security Flaw




Good afternoon,

There is an error in the impmelentation of the mIRC 
DCC server protocol.

This venerability allows an attacker to obtain:
1) The victim's nickname.
2) Whether or not the victim is ignoring the attackers 
requests for a direct connection.
3) Information regarding the number of IRC servers a 
user is connected to.

The protocol itself can be found in mIRC's help file so 
I won't go into it here, but the problem is..

1) Make a connection to the open DCC server.

2) Type: 100 testing

3) From this point on, there is nothing that the user 
can do to prevent you from obtaining his or her nick. 
Regardless of whether they 
select "Accept", "Cancel", "Ignore", or click on the "X" 
to close the chat request completely, the server will 
*ALWAYS* respond with their nick in the form:

151 <their_nick>

This clearly shouldn't be the case. Even if they wait 
until the DCC Server times out, a default of 300 
seconds, the server still replies with their nick.

As for determining if someone is "ignoring" the 
request... you just have to time to see how fast the 
server replies with the information. If the timings are 
ever different, someone is sitting there and clicking 
on things.

Now for finding out if they are on another server - 
compare the returned nick, to the nick that they have 
on the local IRC server you are on them with. If it's 
different, they are on another server with this other 
nick. I *think*, there may be exceptions to this. Also, 
this is all dependant if you are on an IRC server with 
them, but it is still a possible attack.

Solutions:
1) Simply have the server return the nick if, and only 
if, the "victim" accepts the connection - NEVER when 
they select "Cancel", and definitely not when they 
select "Ignore".

2) Have an option to not close the connection for a 
set amount of seconds, even after the "victim" 
makes their choice of ignoring the chat.

3) I suggest the possibility of having a DCC Server 
Nick, which is always the same for DCC Chats 
made through the server.

4) It would also be nice to have the ability of:
a) Seeing when people connect to this port, even if 
the request fails.
b) Having some sort of port filtering, so that you can 
accept/deny IPs, without the need for a 3rd party 
firewall.

Of course, this all falls apart if you do not know what 
port the DCC Server is running on. But it seems the 
majority of users leave it to the default settings - 
hopefully this will teach some people to be a little 
more careful, and not use default port numbers for 
services such as this. As we know though, this 
information could of course be scanned for rather 
simply, so even changing the port upon which this 
service listens will not solve all of the problems.

This is definately an error in the coding of it because 
the help file documents a 150 and 151 reply, and they 
are used for some responses but not all of them.

-James Evans


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2012, SecurityGlobal.net LLC