Re: 0day: mIRC pwns Windows

To: "jinc4fareijj@xxxxxxxxxxx" <jinc4fareijj@xxxxxxxxxxx>, bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: 0day: mIRC pwns Windows
From: "Gavin Hanover" <netmunky@xxxxxxxxx>
Date: Wed, 3 Oct 2007 12:59:45 -0700
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; bh=HxG4tn68zIZ54YD3XVAIW86JcKCbmJKiVWqpIh52gKU=; b=N8ueWu4LxxldVU+Iibj5e4HrVowGvR7Dbr63fE+lOMmpaGbxzCZLf28OqwAnJDvhcvZ98oA5nkuh50pSxycDc9+xpxO1ZoXSZ4Bb3it7IYOSfqIDa9i+yoSKZbeJEtGMryXM2uzwhkcenA1HzZc/plkOeXtzPbjSja5SyckWXOQ=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=riH/wK+dkFwNF1l/5IasRwoWZ+0TY4J3wVITMSinCtQoGMvCV4FgdKSbhVzjQZFTz66q22ZjEyLtd7hxL/QGD7cYLBMr+TjXbY3HPdU679KbVa81kxggpzSqv6alGeBg8bvz3NbrzobMkUpPbBiGOBUDuaKZbKwoYvO+rfgCEmM=
In-reply-to: <20071003160629.13184.qmail@xxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <20071003160629.13184.qmail@xxxxxxxxxxxxxxxxx>

is this a mirc bug or a mail client bug?

on systems with thunderbird installed, this opens a new mail window to %xx...
on systems with outlook/outlook express, this opens calc.exe
(both using mirc 6.3)

similar behavior as clicking start -> run and pasting the URI

regardless, unless you can pass arbitrary arguements or pass data on
to a server, i don't think you're going to find many already existing
executables on the user's system to do malicious tasks with this "mirc
bug". various tests can't even get notepad to open a simple txt file.
you can't even run shutdown.exe without specifying some arguments.

research kills frivolous 0day announcements.

On 3 Oct 2007 16:06:29 -0000, jinc4fareijj@xxxxxxxxxxx
<jinc4fareijj@xxxxxxxxxxx> wrote:
> Yipiya Ypipiya yah yeah. Here is a 0day! hurra mIRC pwns your Windozes! (ref. 
> pdp)
>
> send this to a user and make him double click on it (masquerade it with pink 
> fore/background color and say 'free pr0n click here ->' it works all the 
> time! damned perverts):
> mailto:%xx../../../../../../../../../../../windows/system32/calc.exe".bat
>
> Now the question is, should we say *0day* for a bug in a core element that is 
> WELL KNOWN by everyone (reported months ago), and will be patched, or should 
> we try to get credits for finding a *vector* as pdp did with the supposed 
> *acrobat reader pdf bug* ?
>
> Fame kills bugs.
>

-- 
In God we trust,
Everyone else must have an x.509 certificate.

Follow-Ups:
- Re[2]: 0day: mIRC pwns Windows
  - From: 3APA3A

References:
- 0day: mIRC pwns Windows
  - From: jinc4fareijj

Prev by Date: rPSA-2007-0205-1 xorg-x11 xorg-x11-fonts xorg-x11-tools xorg-x11-xfs
Next by Date: rPSA-2007-0206-1 openssl openssl-scripts
Previous by thread: 0day: mIRC pwns Windows
Next by thread: Re[2]: 0day: mIRC pwns Windows
Index(es):
- Date
- Thread