6.* 5.* Vulnerability [2005/12/28] #138804 07/01/06 04:11 AM
anonym666 (OP)
Mostly harmless
Joined: Jan 2006
Posts: 1
Please read:

http://packetstormsecurity.org/0512-exploits/mIRCexploitXPSP2eng.c

[Editor's note: as far as I can tell, this is neither an exploit nor a vulnerability. The above report describes a local bug in mIRC. The author of the report indicates that any malicious software on your computer can modify your mIRC settings to cause mIRC to crash. But if you have malicious software on your computer, you've already compromised your security...]

Last edited by Khaled; 15/01/06 09:52 PM.
Re: 6.* 5.* Vulnerability [2005/12/28] #138805 07/01/06 06:14 AM
Skip
Fjord artisan
Joined: Dec 2002
Posts: 349
Thanks for your post, though the author of the code clearly does not use English as their primary language, it may help to explain it a bit further.

To summarise, elements of the locally opened "DCC Get Folder" dialog do not perform proper bounds checking, allowing a *local* user to perform commands with the same privileges (edit: strike as the running mirc.exe). In most cases mIRC does not run with higher privileges anyway.

While this of course should be fixed, I would not consider it critical, in fact if a user has reached the "DCC Get Folder" they can select applications or commands to be run on receival of a file anyway, and IIRC can reach and disable the 'lock gets' option (I think?).

The more pressing security issue would be how the user managed to compile or place any executable on the target machine and then run it. :)

[edit: the exploit does not allow for privilege elevation, merely access to cmd.exe or whatever call required.]

Last edited by Skip; 07/01/06 06:32 AM.
Re: 6.* 5.* Vulnerability [2005/12/28] #138806 07/01/06 09:12 PM
Mardeg
Babel fish
Joined: Oct 2004
Posts: 73
I could be completely wrong about this, but is it possible that cmd.exe itself could be used to elevate privileges?
Code:
 
 >sc create testsvc binpath= "cmd /K start" type= own type= interact

[SC] CreateService SUCCESS

 >sc start testsvc

[SC] StartService FAILED 1053:

 The service did not respond to the start or control request in a timely fashion. 
 

Note that the SC START immediately creates a new CMD window with system privileges, even if the original CMD window failed to start with error 1053 (this is expected since CMD.EXE doesn’t have any service related code in it).

A good firewall should detect this though.
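
A defender-side check for the command line quoted in this post, as an added example that is not part of the original thread: it parses `sc create` lines (assumed to come from process-creation logs) and flags a command interpreter used as the service binary or a `type= interact` option. The function names, the shell list and every sample line except the first are constructed for illustration.

```python
import re

# A token is a run of bare characters and/or double-quoted segments.
TOKEN = re.compile(r'(?:[^\s"]+|"[^"]*")+')
# Assumed list of interpreters that contain no service code; extend as needed.
SHELLS = {"cmd", "cmd.exe", "powershell", "powershell.exe"}

def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def parse_sc_create(cmdline):
    """Return (service_name, {option: [values]}), or None if not 'sc create'."""
    tokens = TOKEN.findall(cmdline)
    if len(tokens) < 3 or basename(tokens[0].strip('"')) not in ("sc", "sc.exe"):
        return None
    if tokens[1].lower() != "create":
        return None
    # sc.exe takes 'key= value' pairs and a key may repeat
    # (type= own type= interact), so each option keeps a list of values.
    opts, i = {}, 3
    while i < len(tokens):
        key, eq, value = tokens[i].partition("=")
        if eq and not value and i + 1 < len(tokens):
            i += 1                      # value is the next token
            value = tokens[i]
        if eq:
            opts.setdefault(key.lower(), []).append(value.strip('"'))
        i += 1
    return tokens[2].strip('"'), opts

def findings(cmdline):
    """List the reasons a logged 'sc create' line deserves review."""
    parsed = parse_sc_create(cmdline)
    if parsed is None:
        return []
    _, opts = parsed
    reasons = []
    words = opts.get("binpath", [""])[-1].split()
    # First word only: a rough image name, wrong for unquoted paths with spaces.
    if words and basename(words[0]) in SHELLS:
        reasons.append("shell-as-service")
    if any(t.lower() == "interact" for t in opts.get("type", [])):
        reasons.append("interactive-service")
    return reasons

if __name__ == "__main__":
    # First line is the command from the post; the second is constructed.
    for line in ('sc create testsvc binpath= "cmd /K start" type= own type= interact',
                 r'sc.exe create agent binPath= "C:\Program Files\Agent\agent.exe"'):
        print(findings(line), "<-", line)
```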

Re: 6.* 5.* Vulnerability [2005/12/28] #138807 10/01/06 02:19 AM
raZOR
Hoopy frood
Joined: Apr 2005
Posts: 1,009
Quote:
Edited by Khaled (09/01/2006 09:49)


glad to see you're with us :)


IceCapped
Re: 6.* 5.* Vulnerability [2005/12/28] #138808 10/01/06 02:22 AM
hixxy
Hoopy frood
Joined: Sep 2005
Posts: 2,881
We are indeed! :D