
Re: 0day: mIRC pwns Windows



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
I am still unable to replicate.  It launches Firefox (2.0.0.7) for me
on my system and yields the error page "Firefox can't find the server
at %xx..."

If I replace the "%xx" with a null byte (inspired by the recent
protocol handler problems in FF), then it still doesn't work, as per
the mIRC string: http: $+ $chr(0) $+
../../../../../../../../../../../windows/system32/calc.exe"

So far, with various permutations of protocol handlers and odd
characters, I can't reproduce this.

Greg

3APA3A wrote:
> Dear Gavin Hanover,
>
> In this very case it really seems to be a mIRC problem ("unfiltered
> shell characters"). It doesn't depend on the URL handler and will work with
> any valid URL handler. You can reproduce the same vulnerability by entering
>
>  http:%xx../../../../../../../../../../../windows/system32/calc.exe".bat
>
> Exploitable under Windows XP, not exploitable under Vista.
>
> --Wednesday, October 3, 2007, 11:59:45 PM, you wrote to jinc4fareijj@xxxxxxxxxxx:
>
> GH> is this a mirc bug or a mail client bug?
>
>>> mailto:%xx../../../../../../../../../../../windows/system32/calc.exe".bat
>>>
>


- --
Greg Rubin
grrubin@xxxxxxxxx
GPG: 0x79D0A517

(Interested in encrypting your email? Please ask me how.)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
 
iD8DBQFHBQ715KDU23nQpRcRAm4UAKCv4xq/V4pz+uAlPBmb06yEGN4MKQCg7lk1
9JOhTzWLeJs/N4OCjSRuNKk=
=//Ll
-----END PGP SIGNATURE-----