
mirandaIM.txt

Posted Apr 18, 2005
Authored by ATmaCA, Kozan | Site spyinstructors.com

The Miranda IM client lets local users execute arbitrary code because it does not properly validate user-supplied plugins.

tags | advisory, arbitrary, local
SHA-256 | f7ac52705bdbc1b682893178e8ea6cb750ffe9ff19e84eb128bb9140c7f55a0c



Miranda IM and Miranda Installer Let Local Users Execute Arbitrary Code



-----------------------------------------------------------------------------
I. BACKGROUND
-----------------------------------------------------------------------------

Miranda IM:
-------------------

Miranda IM is a multi-protocol instant messenger client. No bloat,
it's Easy and Small! Miranda IM is designed to be resource efficient
and easy to use. It uses very little memory and requires no installation.
Just unzip and run! This also makes it ideal for users that want to run
their messenger client from removable storage such as a USB memory stick.
It can even be stored on a floppy disc if not too many plugins are used.
It's all about plugins! The powerful plugin system makes Miranda IM extremely
flexible. Only the most basic features are built in, but there are currently
more than 350 plugins available for download that allow users to extend the
functionality of Miranda IM. Plugins can be installed to add support for ICQ,
AIM, MSN, Jabber, Yahoo, Gadu-Gadu, Tlen, Netsend and other protocols.

For more information,
visit: http://www.miranda-im.org



Miranda Installer:
-------------------

Miranda Installer allows you to install Miranda nightlies and addons (Plugins,
LangPacks, Icons, Skins etc.). MirInst is mostly useful for downloading a bunch
of plugins and other addons, and installing them all at once using MirInst.

For more information,
visit: http://miranda-im.org/download/details.php?action=viewfile&id=528



-----------------------------------------------------------------------------
II. DESCRIPTION
-----------------------------------------------------------------------------

Miranda Installer and Miranda IM do not properly validate user-supplied plug-ins;
they install and execute them directly.

Miranda Installer associates the following file extensions with itself when the
"Register file extensions" option is checked (it is checked by default).

.mir
.min
.mii
.mis
.mil
.mit
.mio
.mic
.mit


The file format of Miranda Installer plug-ins has a basic structure.
Just make a dll file, put it in a zip archive, and rename the archive
so that it has one of the above file extensions.

When this file is double-clicked, it is opened with Miranda Installer.
After it opens, click the "Start" button to install this specially crafted
plug-in.

If Miranda IM is open during installation, Miranda Installer closes it and
re-opens it after the installation has finished.

If Miranda IM is closed during installation, Miranda Installer installs
the specified plug-in directly. The user then has to open Miranda IM
by hand.

In both situations, when Miranda IM opens, it will execute our
plug-in automatically instead of our specially crafted plug-in
(zipped and then renamed dll file).
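
Because the package format described above is only a renamed zip archive, a
package can be inspected before it is handed to Miranda Installer. The check
below is an added example, not part of the original advisory or of Miranda's
code; the function names and the in-memory sample packages are constructed
for illustration.

```python
import io
import os
import zipfile

# Extensions the advisory lists as registered by Miranda Installer.
MIRINST_EXTENSIONS = {".mir", ".min", ".mii", ".mis", ".mil", ".mit", ".mio", ".mic"}
NATIVE_SUFFIXES = (".dll", ".exe")


def inspect_package(name: str, data: bytes) -> dict:
    """Report whether a Miranda Installer package carries native code."""
    ext = os.path.splitext(name)[1].lower()
    report = {"installer_ext": ext in MIRINST_EXTENSIONS, "is_zip": False,
              "executables": [], "unreadable": []}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return report  # not the zip-based format the advisory describes
    report["is_zip"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:
                # Encrypted member: content cannot be checked, so surface it.
                report["unreadable"].append(info.filename)
                continue
            with zf.open(info) as member:
                magic = member.read(2)
            # Flag by content ("MZ" DOS/PE header) as well as by name, so a
            # dll stored under an innocuous filename is still reported.
            if magic == b"MZ" or info.filename.lower().endswith(NATIVE_SUFFIXES):
                report["executables"].append(info.filename)
    return report


def build_sample(members: dict) -> bytes:
    """Build a constructed in-memory package (zip) from {filename: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for filename, content in members.items():
            zf.writestr(filename, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: a stub that only starts with "MZ", not a real dll.
    sample = build_sample({"Plugins/example.dll": b"MZ" + b"\x00" * 62})
    print(inspect_package("addon.mir", sample))
```

Any entry under "executables" means the package will place native code where
Miranda IM loads it on next start, so it deserves the same scrutiny as any
other executable download.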



-----------------------------------------------------------------------------
III. ANALYSIS
-----------------------------------------------------------------------------

Exploitation allows for arbitrary code execution as the user who opened
and installed the .mir .min .mii .mis .mil .mit .mio .mic .mit files.

Exploitation requires an attacker to craft a malicious file with one of
the above extensions and convince a user to open and install it.



-----------------------------------------------------------------------------
IV. DETECTION
-----------------------------------------------------------------------------

We have confirmed that all versions of Miranda IM and Miranda Installer
are vulnerable.



-----------------------------------------------------------------------------
V. WORKAROUND
-----------------------------------------------------------------------------

There are no known workarounds for this vulnerability. Although these
files can be disassociated from Miranda Installer, it is still possible to
execute code by installing these files then opening Miranda IM.


-----------------------------------------------------------------------------
VI. PROOF of CONCEPT EXPLOIT
-----------------------------------------------------------------------------

http://www.spyinstructors.com/poc/mirandavuln.mir


This P.o.C Exploit opens a bind shell prompt on port 5252.



-----------------------------------------------------------------------------
Discovered and Coded By: ATmaCA and Kozan
atmaca@spyinstructors.com - kozan@spyinstructors.com
www.spyinstructors.com
-----------------------------------------------------------------------------