mIRC - Buffer Overflow in IRC:// Protocol
"mIRC attempts to provide a user-friendly interface for use with the Internet Relay Chat network. The IRC network is a virtual meeting place where people from all over the world can meet and talk"
More information at http://www.mirc.com
A remote buffer overflow vulnerability exists in the current version of mIRC. An attacker can take advantage of it to potentially have malicious code executed in the context of the remote user.
Execute Arbitrary Code
When mIRC is installed, it registers its own handler for URLs of the type "irc:".
Calling "irc://<hostname/server>" from the web browser causes mirc.exe to be launched, ready to connect to the irc.backend.com server. By supplying an overly long string to the "irc:" protocol, an attacker is able to overwrite the saved instruction pointer and thus control the program's execution. For instance:
irc://[buffer]..... where [buffer] is ~996 bytes
Exploiting this type of vulnerability doesn't require a lot of user intervention. The attacker just needs to entice the mIRC users to click and load his crafted URL. Successful exploitation of this vulnerability allows the attacker to have his malicious code executed under the current user's privilege.
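Because delivery depends on the victim loading a crafted link, a web proxy or mail gateway can flag pages that carry an oversized "irc:" URI before they reach a client. The following is an added example, not part of the original advisory or of mIRC; the 512-byte threshold, the function names and the sample page are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote_to_bytes

# Assumption: alert well below the ~996-byte figure quoted in the advisory.
LIMIT = 512

# "irc:" or "irc://" not preceded by another scheme character, up to a delimiter.
IRC_URI = re.compile(r"(?<![A-Za-z0-9+.\-])irc:(?://)?[^\s\"'<>]*", re.IGNORECASE)


class _AttrCollector(HTMLParser):
    """Collects every attribute value; HTMLParser already decodes entities."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.values = []

    def handle_starttag(self, tag, attrs):
        self.values.extend((tag, name, val) for name, val in attrs if val)


def scan_html(page, limit=LIMIT):
    """Return one finding per irc: URI in a tag attribute longer than limit bytes."""
    collector = _AttrCollector()
    collector.feed(page)
    collector.close()
    findings = []
    for tag, attr, value in collector.values:
        for match in IRC_URI.finditer(value):
            uri = match.group(0)
            raw_len = len(uri.encode("utf-8", "replace"))
            # Percent-encoding inflates the URI; record both sizes because whether
            # the handler sees the raw or decoded form depends on the browser.
            decoded_len = len(unquote_to_bytes(uri))
            if max(raw_len, decoded_len) > limit:
                findings.append({"tag": tag, "attr": attr,
                                 "raw_len": raw_len, "decoded_len": decoded_len})
    return findings


# Constructed sample page: one ordinary link, two oversized irc: URIs (filler only).
SAMPLE_PAGE = (
    '<a href="irc://irc.example.net/help">join</a>'
    '<iframe src="irc://' + "A" * 1000 + '"></iframe>'
    '<meta http-equiv="refresh" content="0;url=irc://' + "%41" * 400 + '">'
)

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_PAGE):
        print(finding)
```

The scan covers every attribute rather than only href, so links that load without a click (an iframe source or a meta refresh) are reported as well.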
The mIRC author has released a newer version (6.11) which fixes the issue. The patched/fixed version is available for download at: http://www.mirc.com/get.html
N/A
Phuong Nguyen (ECQ)
N/A
N/A