mIRC versions 6.03 and below has limited visibility during a DCC GET that allows for an attacker to spoof a legitimate file and instead send an executable that can lead to a compromise.
1526285a6cfee9ec7f27c916f95f1a43e3c750528310833886e933edd45409b5I. BACKGROUND
mIRC is "a friendly IRC client that is well equipped with options and
tools"
More information about the application is available at
http://www.mirc.com
II. DESCRIPTION
The DCC GET dialog has a limited area visible for the filename.
By DCC sending a file with a specially crafted filename it's possible to
'spoof' a legitimate file.
III. ANALYSIS
Sending a file which name consists of for example 'me.mpg' + 'about 180
"alt-0160(fakespace)"' + '.exe' leads the recieving user into believing
that the file is merely a harmless mpeg file, while it is in fact an
executable. mIRC has a handy 'open' button upon completion of the dcc,
so unless the user actually opens the download folder and verifies the
extension of the file, a compromise is possible.
IIIa. MITIGATING FACTORS
If the remote user has DCC ignore enabled this will of course not work.
IV. DETECTION
mirc 6.03 and below has been found vulnerable.
V. WORKAROUND
unknown
VI. VENDOR FIX
unknown
VII. CVE INFORMATION
unknown
VIII. DISCLOSURE TIMELINE
unknown
IX. CREDIT
Knud Erik Højgaard/kokanin[a]dtors.net
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed