Date: Mon, 11 Apr 2005 18:43:51 +0100
From: "Richard Stanway" <bugtraq@...ur1ty.net>
To: <bugtraq@...urityfocus.com>
Subject: RE: Miranda IM and Miranda Installer Let Local Users Execute    Arbitrary Code



>
> Miranda IM and Miranda Installer Let Local Users Execute Arbitrary Code
>
> ...
>
> Exploitation requires an attacker to craft a malicious file with one of
> the above extensions and convince a user to open and install it.

Is this really a vulnerability in Miranda IM or in user behaviour? I don't
see many advisories published for web browsers, yet they all allow arbitrary
code execution. All you have to do is convince a user to click a link to a
.exe file and press the open button.

Yes, perhaps there should be more warning that untrusted plugins can be
dangerous, but this is really down to the user. If the Miranda Installer
automatically associated itself with .mir files and opened/installed them
with no confirmation I could understand the problem, but the user has to
both choose to download the plugin, choose to run/open the .mir file and
then again choose to install it. I don't see how the installer is supposed
to "validate" a plugin without automatically disassembling it and looking
for malicious code since by nature all plugins are just DLLs that get loaded
by Miranda.

There are countless other applications that will load DLLs as plugins, I
don't see how they are any more protected against malicious DLLs than
Miranda is. I don't really think that just because Miranda provides an
installer to copy the DLL to the plugins folder that it is any more
vulnerable than any other application that instructs users to put DLL files
into the plugins (or equivelant) directories.

Rich.

Powered by blists - more mailing lists