#126271 26/07/05 11:41 PM
Joined: Jul 2005
Posts: 2
D
Dean_ Offline OP
Bowl of petunias
Hi, I would like to make mIRC users aware; I've checked many websites and I don't see any information on it.

This bug works by auto invite when someone invites you to a channel, so please make sure you DON'T have this on....

If you do have it on, they can use your mIRC and use any command they like.


Regards
Dean

Last edited by Mentality; 26/07/05 11:49 PM.
#126272 26/07/05 11:47 PM
Joined: Oct 2004
Posts: 8,330
Hoopy frood
Offline
Interesting that there is no information stated as to what it does or how it works. Heh.

Let's see now...

Auto-join works like so:

User1 > send invite to User2 to join ____
User2 > /join ___

Now, if someone sent the command to join some code rather than some channel, it would simply give an invalid channel error. I don't see how this can be an exploit in any way, shape, or form...

I could always be wrong, tho.

Last edited by Mentality; 26/07/05 11:49 PM.

Invision Support
#Invision on irc.irchighway.net
#126273 26/07/05 11:53 PM
Joined: Jul 2005
Posts: 2
D
Dean_ Offline OP
Bowl of petunias
Bro, I'm not wrong. These people have taken over chats with this.

I cannot tell you the command they use because if people find out, people will use it to their advantage.....

Last edited by Mentality; 27/07/05 12:01 AM.
#126274 27/07/05 12:00 AM
Joined: Jun 2003
Posts: 5,024
M
Hoopy frood
Offline
Please do not go posting thread titles in capital letters and shouting "exploit", it causes unnecessary worry/concern.

Firstly, this has been reported before by numerous users and has been known by more, for want of a better word, "experienced" mIRC users for a number of months now. Khaled is aware of the issue. The seriousness of the issue is up for debate of course, both arguments resting quite a bit on presumptions which we don't need to go over in this thread, or any other.

At this time, the BUG is not anywhere near widespread enough to be considered particularly dangerous. It is however a potentially serious threat if used properly in the right circumstances. Neither this thread nor any other will be used to post methods of exploitation. Attempts at doing so will get threads deleted. Plenty of info and discussion has been sent to Khaled and Krejt too.

I would give two points of advice. One, if you have Autojoin On Invite enabled, you can turn it off with /ajinvite off. If you're not an avid user of this feature but have it turned on for no particular reason, it would be wiser to turn it off. If you use the feature a lot then feel free to continue using it without worry. Secondly, a point which has been raised countless times in the past - please remember not to type anything people tell you to type unless you know for certain what the outcome of it will be.

Thanks for your concern Dean, but don't get too dramatic just yet :)

Regards,


Mentality/Chris
#126275 27/07/05 12:14 AM
Joined: Jul 2005
Posts: 2
H
Bowl of petunias
Offline
I have registered and I am posting in regards to a response from Mentality.

I have to totally disagree with you. I run a chat hosting service and provide chat services for 22 clients (22 IRC servers). This exploit that was just recently discovered on our network has been a HUGE issue and if what you are saying is true about it being well known, this bothers me.

We have trusted mIRC for its security. I know I have donated 3 times to support it and this is the response I get? Based on the exploit.. ANY command can be run under another IRC user without their knowledge and when someone first installs mIRC, the 'auto-join channel on invite' is automatically enabled. I sense a problem with that!

I have nothing else to add at this time.

Last edited by HostXpro; 27/07/05 12:20 AM.
#126276 27/07/05 12:19 AM
Joined: Jun 2003
Posts: 5,024
M
Hoopy frood
Offline
I am sorry that your server/clients are being affected. However, the protection is easy, and I gave two bits of advice above that, if followed, will protect you.

I'm afraid your servers are not representative of the whole of IRC, and the fact that it is an issue on your servers does not mean it is "widespread".

Quote:
when someone first installs mIRC, the 'auto-join channel on invite' is automatically enabled.


No it isn't.

Regards,


Mentality/Chris
#126277 27/07/05 12:21 AM
Joined: Jul 2005
Posts: 2
H
Bowl of petunias
Offline
Thank you for the quick reply. We will do the best we can to prevent the issue and hope there's a fix. From my understanding of programming, it would appear to be an easy fix, but of course I can't say that for sure.

#126278 27/07/05 12:23 AM
Joined: Oct 2004
Posts: 8,330
Hoopy frood
Offline
*Riamus admits to being wrong about it. Oh well. I don't use it anyhow* :)


Invision Support
#Invision on irc.irchighway.net
#126279 28/07/05 05:34 PM
Joined: Nov 2003
Posts: 2,327
T
Hoopy frood
Offline
You also seem to be getting confused about what the bug allows people to do. The bug will let people call any identifier on the user's system, not a command. Also, since channel names can't have commas in them, none of the identifiers that let you call commands ($findfile() and $finddir()) can be called using the exploit. It's a relatively low risk bug, but it is still an exploit and should be fixed ASAP.


New username: hixxy
#126280 28/07/05 06:11 PM
Joined: Apr 2004
Posts: 871
Sat Offline
Hoopy frood
It's not as simple as you think. The bug also lets people call commands - if not directly, then indirectly. This affects every default mIRC installation where the user explicitly turned on autojoin-on-invite, and works on nearly every network. Obviously I'm not going to go into details about this, but I don't think that the risks should be downplayed (intentionally or not).


Saturn, QuakeNet staff
#126281 31/07/05 06:27 PM
Joined: Nov 2003
Posts: 2,327
T
Hoopy frood
Offline
I fail to see how it lets people call commands unless there's a custom alias that doesn't check if (!$isid) before executing code, but I guess I've got no reason to disagree with you :)


New username: hixxy
#126282 01/08/05 06:00 PM
Joined: Sep 2004
Posts: 200
I
Fjord artisan
Offline
Why not use a snippet for a temporary fix? i.e.:
Code:
on *:INVITE:#:{
  ; Not sure if I used this wrong, my PC broke a few days ago :(
  ; Not sure if I used this right either :S
  if (#* !iswm $chan) ignore -u3600 $address($nick,2)
  else join $chan
}

This should let your autojoin work, and ignore the user that invited you if the name of the room isn't a channel.
I used something like this, only I made a list of all my friends' nicks, and it checked if they were identified with NickServ (better than host, because they went to school/work/etc. (changed their hostname)).
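
For network operators who want to see whether such invites are circulating, the check can also be run over raw server traffic. The following is an added example, not code from this thread or from mIRC: it parses IRC INVITE lines, applies the RFC 2812 channel-name rules, and flags names containing `$`. Treating `$` as suspicious is an assumption drawn from the statement in this thread that the bug evaluates identifiers in the invited channel name; all names and sample lines are constructed.

```python
import re

CHANNEL_PREFIXES = "#&+!"                    # RFC 2812 channel prefixes
FORBIDDEN = re.compile(r"[\x00\x07\r\n ,]")  # octets RFC 2812 bans in channel names

# Constructed sample traffic (not captured from any real network).
SAMPLE_LINES = [
    ":alice!a@host.example INVITE bob :#mirc-help",
    ":mallory!m@host.example INVITE bob :#$placeholder",
    ":eve!e@host.example INVITE bob :lobby",
    ":carol!c@host.example INVITE bob :#one,#two",
    ":dave!d@host.example PRIVMSG #mirc-help :hello",
]

def parse_invite(line):
    """Return (sender_nick, invited_nick, channel), or None if not an INVITE."""
    line = line.rstrip("\r\n")
    sender = ""
    if line.startswith(":"):                 # optional ":nick!user@host" prefix
        prefix, _, line = line[1:].partition(" ")
        sender = prefix.split("!", 1)[0]
    head, sep, trailing = line.partition(" :")
    params = head.split()
    if sep:                                  # trailing parameter may hold spaces
        params.append(trailing)
    if len(params) < 3 or params[0].upper() != "INVITE":
        return None
    return sender, params[1], params[2]

def classify(channel):
    """Label the invited channel name; anything but 'ok' deserves a look."""
    if not channel or channel[0] not in CHANNEL_PREFIXES:
        return "not-a-channel"
    if len(channel) > 50 or FORBIDDEN.search(channel):
        return "malformed"
    if "$" in channel:                       # assumption: identifier syntax
        return "identifier-syntax"
    return "ok"

def scan(lines):
    """Return (sender, channel, verdict) for every INVITE that is not 'ok'."""
    findings = []
    for line in lines:
        parsed = parse_invite(line)
        if parsed is None:
            continue
        sender, _, channel = parsed
        verdict = classify(channel)
        if verdict != "ok":
            findings.append((sender, channel, verdict))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LINES):
        print(finding)
```

`$` is a legal character in RFC 2812 channel names, so an "identifier-syntax" hit is a lead to review, not proof of abuse.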

#126283 11/08/05 11:07 PM
Joined: Aug 2005
Posts: 128
S
Vogon poet
Offline
Quote:
You also seem to be getting confused about what the bug allows people to do. The bug will let people call any identifier on the user's system, not a command. Also, since channel names can't have commas in them, none of the identifiers that let you call commands ($findfile() and $finddir()) can be called using the exploit. It's a relatively low risk bug, but it is still an exploit and should be fixed ASAP.

$findfile() and $finddir() are 99% useless.
You can't use , in channel names, but you can't encode them with $encode()
We can't use MIME encode, since we have to specify a ,m (and , is not allowed)
The only way is to use normal $encode(), but in 80% of cases the encoded string contains a '(' or a ')' or a ',' and it can't be decoded only if you use $chr(). But using $chr() here is not possible, so it's not a very big risk, but, anyway, this bug can make you quit the server or send some commands to the server.

#126284 11/08/05 11:09 PM
Joined: Aug 2005
Posts: 128
S
Vogon poet
Offline
Quote:
I fail to see how it lets people call commands unless there's a custom alias that doesn't check if (!$isid) before executing code, but I guess I've got no reason to disagree with you :)

By default, there are some. The p,w,s,etc. :)

