mIRC version 6.1 and below on Windows 2000 is susceptible to a buffer overflow attack. If a user is tricked into loading a malicious URL that launches the mirc.exe binary, a remote attacker can overwrite the saved instruction pointer and control the program's execution.
a9e13f3872f59f087d58dfa968fdb1427a8f3b76ebe7323d121f741d301735d1
10/07/2003
TITLE
=====
Mirc - Buffer overflow in "IRC" protocol.
DESCRIPTION
===========
"mIRC attempts to provide a user-friendly interface
for use with the Internet Relay Chat network. The IRC
network is a virtual meeting place where people from
all over the world can meet and talk".
More information at http://www.mirc.com
PROBLEMS
========
Affected Version : Mirc 6.1 (latest) and probably
older builds.
Tested Platform : Windows 2000
A buffer overflow vulnerability has been discovered in
Mirc allowing for attackers to execute any commands
remotely against Mirc's users.
DETAILS
=======
When Mirc is installed, it registers its own handler
for URL of the type "irc".
Calling "irc://irc.hackme.com" from our web browser
causes mirc.exe to be executed and ready to connect to
irc.hackme.com server. By inputing an overly long
string to the "irc" protocol, an attacker is able to
overwrite the saved instruction pointer thus controls
the program's execution.
For instance:
irc://[buffer]...... where's buffer >998 bytes
An attacker would be able to gain access to the target
system if he was able to trick the user to load his
special crafted URL. Hence, he can have his code
executed under the current user's privilege.
VENDOR STATUS
=============
Author has released a newer version (6.11) which fixes
the issue, available at http://www.mirc.com/get.html.
Phuong Nguyen
__________________________________
Do you Yahoo!?
The New Yahoo! Shopping - with improved product search
http://shopping.yahoo.com