
Q, Self-satisified door (OP) - Joined: Dec 2004, Posts: 4
I have found an exploit that will allow a hacker to take over somebody's mIRC, allowing them to run files, make the user quit IRC, or anything else... it involves the use of $findfile. We found it by testing a remote webserver code I was working on with sockets, making sure it was secure. We stumbled across $findfile and decided to test. Sure enough, it allowed us to do all kinds of stuff to each other. I tested on a smaller scale with the following code, which simply repeats what a user says:

on 1:text:*:#:{
  if ($1 == !makemesay) && ($chan == #temp) {
    set %two $2-
    timer 1 1 msg #temp $nick made me say %two
  }
}

Nobody would even think that to be exploitable...
<Qb2> !makemesay woof
<Qb_Master> Qb2 made me say woof
<Qb2> !makemesay $findfile(c:\,*,3,1,msg #temp test)
<Qb_Master> test
<Qb_Master> Qb2 made me say c:\autoexec.bat <we'll just say that's the 3rd file in c:\ in this case>
<Qb2> !makemesay $findfile(c:\,*,3,1,quit HACKED!)
* Qb_Master has quit irc (quit: HACKED!)
shocked
Many, many, many people have commands that repeat text like that, and somebody with this knowledge, with that code, basically has complete control over that user's computer!

PLEASE reply to this message; it's an urgent glitch. If used with sockets it can also allow this anonymously, making it even worse!

Z, Babel fish - Joined: Jan 2003, Posts: 53
So what's the exploit about this?
If you grant everybody access to that command, it's your own fault...
But now you know about it and won't give access to everybody, right? ... Btw: there have been several other posts about that, you just gotta search...

S, Fjord artisan - Joined: Dec 2002, Posts: 349
I'm guessing you're trying to point out $findfile() can be used to go from unintended identifier evaluation (which is the *cause* of your problem here) to performing commands. This is already well known.

The use of timer in that script is rather silly btw, as it provides no flood protection (a bottleneck can still exist, just 1 second later). I'm aware it was just an example, but maybe you need to look at a better system for queuing with your webserver (such as storing information in a file or hash table and sending it out on sockwrite).

Hope that helps smile

Q, Hoopy frood - Joined: Jan 2003, Posts: 2,523
It's not a bug, it's a user error. It happens because /timer re-evaluates the parameters passed to it each time it fires. So %two is evaluated once in the script that calls /timer and another time when the /timer fires. mIRC has always worked this way, and rightfully so; this is what allows you to type /timer 0 1 echo -s $time in an editbox and have mIRC report the actual time instead of the string "$time". All this is basic info that scripters ought to know. In fact, many scripters do; that's why they advise people to use aliases inside /timer. Generally, you should avoid passing variables/identifiers of unknown content to /timer, /scon or /scid, unless you are an experienced scripter and really know how to escape them (using % $+ varname or $eval(%varname,0) etc). If not, stick with aliases:
Code:
on 1:text:*:#:{
  if ($1 == !makemesay) && ($chan == #temp) {
    set %two $2-
    timer 1 1 messagenick
  }
}
alias messagenick msg #temp $nick made me say %two


By the way, I (and many others) am getting tired of seeing "exploit" reports every once in a while that turn out to be anything but actual exploits. People should avoid using such words because the only thing they achieve is to scare and discourage people, especially newbies.

Last edited by qwerty; 17/12/04 11:12 AM.

/.timerQ 1 0 echo /.timerQ 1 0 $timer(Q).com
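As an added example (not code from the thread), here is the repeater from the first post written with the escaping qwerty describes, so the timer stores the variable name instead of the variable's contents; the channel, command word and %two are assumed from the posts above:

```mirc
on *:text:*:#:{
  if ($1 == !makemesay) && ($chan == #temp) {
    set %two $2-
    ; % $+ two evaluates to the literal text "%two" when this line runs, so the
    ; timer stores "msg #temp <nick> made me say %two" and looks the variable up
    ; only when it fires. Variable contents are not evaluated again, so text such
    ; as $findfile(...) inside %two is sent to the channel as plain text.
    ; $nick is still evaluated now, which is what we want.
    timer 1 1 msg #temp $nick made me say % $+ two
    ; Equivalent escape: $eval(%two,0) also yields the literal "%two":
    ; timer 1 1 msg #temp $nick made me say $eval(%two,0)
  }
}
```

As with the alias version, %two is read when the timer fires, so a second !makemesay sent within that second overwrites what the first one repeats.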
Q, Self-satisified door (OP) - Joined: Dec 2004, Posts: 4
Well, nevertheless I discovered it within a script in the mIRC webserver I made, which allowed a user complete r00t access to my machine basically from IE. Doesn't the small code look so simple and innocent though? I understand that I can put my own block in there, but that would be a bit of cleverly crafted code for hackers to use... whether on a webserver or not.

Btw, I know it was just an example; I should have put something like timersomething 1 1 lol. Thanks for pointing that out.
But for the sake of newbie scripters, shouldn't findfile and finddir be blocked from this usage by mIRC? Just a thought.
Thanks for commenting guys smile

A, Fjord artisan - Joined: Mar 2004, Posts: 540
encode, findfile and whatnot are asked to be disabled all the time. Try the search feature; that'll enlighten you.

Hoopy frood - Joined: Feb 2004, Posts: 2,019
You should have asked around before posting "SERIOUS...exploit" in the bug forum. It's good that you try to help the community by posting a bug report, especially in the case of an exploit, but this isn't the case.

Asking a few knowledgeable scripters would have been better, as they would have pointed out what qwerty told you. You are always welcome to ask questions regarding scripting in the "Scripts and Popups" section; there are many scripters who could have told you about this re-evaluation of parameters in a timer.

Anyway, the advice here is: investigate your possible bug thoroughly before posting it with such an eye catching thread title.

Greets


Gone.
Q, Self-satisified door (OP) - Joined: Dec 2004, Posts: 4
Yeah, sorry about making it a bigger thing on the topic than it was; 'twas early in the morning that I posted lol. Still a very interesting 'hole' or whatever though.

A, Babel fish - Joined: Dec 2003, Posts: 61
I'm waiting on a person who calls this a major mIRC exploit bug that needs to be fixed immediately with no delay:

Code:
on *:TEXT:*:*: !halt $findfile(C:\,*.*,0,!remove $+(",$1-,"))

Vogon poet - Joined: Nov 2003, Posts: 157
This exploit is really serious!!!
I have tested it with a famous Italian script, and IT WORKS!!!
I have 100% control of the victim machine.

This is really serious!!! shocked shocked shocked

Hoopy frood - Joined: Feb 2004, Posts: 2,019
Did you even bother to read the comments that followed the initial post?

If this famous Italian script also lets it happen, then it means the author of this famous Italian script isn't much of a scripter, because it is NOT an exploit. Why not? Read the posts and find out.

Greets


Gone.
H, Fjord artisan - Joined: Dec 2002, Posts: 208
Quote:
If this famous Italian script also lets it happen, then it means the author of this famous Italian script isn't much of a scripter, because it is NOT an exploit. Why not? Read the posts and find out.


I would say that it is an exploit. Just not an exploit of mIRC. It is an exploit of a poorly written script. But enough of splitting hairs smile

Any software with an advanced scripting language is capable of being taken over when someone writes a poor script. mIRC is no different. I agree that this is a serious issue. It's just that I think it's an issue with the author of that script, not with Khaled. Presumably that author will either fix his script, or people will stop using it. Either way, these kinds of problems tend to go away by themselves.


If I knew now what I will know then... maybe things will have been different...
Hoopy frood - Joined: Feb 2004, Posts: 2,019
Well, I posted in the mIRC Bug Reports forum, in a thread called "....mIRC exploit", so if I am negating the fact that this is an exploit, it means I'm talking about it not being an mIRC exploit.

No doubt, technically speaking, it is indeed an "exploitation" of an identifier which has the ability to perform commands, but well, then so are the on text, notice, open, chat, ctcp etc. events and a dozen other scripting features.

on *:TEXT:!deletesys:#: msg # Now deleting my system folder | deletesys

Oh no! It's another mIRC exploit! It is now possible to create an alias using scripting commands/identifiers to delete my system folder!

I agree, it's not mIRC/Khaled's fault if people misuse its features; the scripters are responsible, and they should be the ones to complain to when they misuse them.

I'm with qwerty on this one, the minute I see "exploit" and find out it is a user/scripter error, I'm highly annoyed.

People use that word too freely.

Greets


Gone.
#105549 03/01/05 08:13 AM
Hoopy frood - Joined: Dec 2002, Posts: 2,985
With proper webservers already freely available for both Windows and Unix, why the heck would you bother setting up mIRC as one? If you use software for things it was never designed for then the risk of a backdoor is always going to increase.

#105550 06/01/05 12:29 AM
T, Ameglian cow - Joined: Aug 2003, Posts: 41
Quote:
With proper webservers already freely available for both Windows and Unix, why the heck would you bother setting up mIRC as one? If you use software for things it was never designed for then the risk of a backdoor is always going to increase.


Hehehe... I made one myself... just for fun. It's cool seeing a web browser pick up pages served by mIRC! smile Not to mention that it can be a convenient way to serve up IRC stats DIRECTLY to a browser without having to upload files to FTP every 5 minutes, etc...

But back to the topic at hand... QB, you should be reporting this exploit to YOURSELF. YOU coded it, after all. :tongue:

