Date: Thu, 16 Aug 2007 20:57:16 +0200
From: Wouter Coekaerts <wouter@...kaerts.be>
To: bugtraq@...urityfocus.com
Subject: Re: Vulnerability in multiple "now playing" scripts for various IRC clients

On Wednesday 15 August 2007 18:27, v9@...ehalo.us wrote:
> I may be rusty with knowledge about mirc (say almost 10 years out of
> date)...but, in what situation would the pipe ('|') ever be processed from
> a variable, even if it was read from a mp3 ID3?

It gets processed before it ends up in an mirc variable. The plugin to link 
your media player to mirc sends something like:
"/set %songname <insert song name here>"
And it's when executing that command that it goes wrong already, not in the 
command that's using the variable. That's why it's easier to exploit: the 
user only needs to play the song, he doesn't need to do anything in mirc.

In my old notes, I found that at least these plugins have this problem:
* Nullsoft mIRC Control Plug-in v0.6 (gen_mirc.dll) and other versions
* mIRC Control EX Plug-In V 2.00 (gen_ircex.dll) and other versions
* mIRCPlug v1.0,1.2 (gen_mircplug.dll)

Those are all old plugins. I don't know if they're still used a lot, or what 
the currently popular plugins for this are, and if they're vulnerable or not.

On Wednesday 15 August 2007 19:34, Michael Tharp wrote:
> This is probably a bigger concern for *nix scripts, especially of the
> homebrew variety

I haven't found any public script for a *nix client that allows arbitrary 
command execution like this (they only allow sending IRC commands to the 
server).

Wouter.
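
A defensive counterpart to the "/set %songname <insert song name here>" pattern described in this message, as an added example that is not part of the original post or of any of the listed plugins: a C routine a plugin could use to allowlist title characters before it builds the command line. The function names, buffer sizes and the allowlist itself are assumptions, and the sample titles are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Allowlist (an assumption, deliberately narrow): ASCII letters, digits,
 * space and a few punctuation marks. Everything else, including '|' and
 * non-ASCII bytes, is replaced rather than escaped. */
static int is_safe(unsigned char c) {
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || (c != '\0' && strchr(" -_.'", c) != NULL);
}

/* Copy title into out, replacing bytes outside the allowlist with '_'.
 * Returns the number of replaced bytes, or -1 if out is too small. */
int sanitize_title(const char *title, char *out, size_t outlen) {
    size_t n = strlen(title);
    int replaced = 0;
    if (outlen == 0 || n >= outlen)
        return -1;                      /* refuse instead of truncating */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)title[i];
        if (is_safe(c)) {
            out[i] = (char)c;
        } else {
            out[i] = '_';
            replaced++;
        }
    }
    out[n] = '\0';
    return replaced;
}

/* Build the "/set %songname <title>" line from untrusted metadata.
 * Returns 0 on success, -1 if the title or the command does not fit. */
int build_set_command(const char *title, char *cmd, size_t cmdlen) {
    char clean[256];
    if (sanitize_title(title, clean, sizeof clean) < 0)
        return -1;
    int w = snprintf(cmd, cmdlen, "/set %%songname %s", clean);
    return (w < 0 || (size_t)w >= cmdlen) ? -1 : 0;
}

int main(void) {
    /* Constructed sample titles, not taken from any real file. */
    const char *samples[] = { "Artist - Track 01", "Title | second command" };
    char cmd[300];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        if (build_set_command(samples[i], cmd, sizeof cmd) == 0)
            puts(cmd);
    return 0;
}
```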
