exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

mirandaIM.txt

mirandaIM.txt
Posted Apr 18, 2005
Authored by ATmaCA, Kozan | Site spyinstructors.com

The Miranda IM client lets local user execute arbitrary code due to not properly validating user supplied plugins.

tags | advisory, arbitrary, local
SHA-256 | f7ac52705bdbc1b682893178e8ea6cb750ffe9ff19e84eb128bb9140c7f55a0c

mirandaIM.txt

Change Mirror Download


Miranda IM and Miranda Installer Let Local Users Execute Arbitrary Code



-----------------------------------------------------------------------------
I. BACKGROUND
-----------------------------------------------------------------------------

Miranda IM:
-------------------

Miranda IM is a multi protocol instant messenger client.No bloat,
it's Easy and Small! Miranda IM is designed to be resource efficient
and easy to use. It uses very little memory and requires no installation.
Just unzip and run! This also makes it ideal for users that want to run
their messenger client from a removable storage such as an USB memory stick.
It can even be stored on a floppy disc if not too many plugins are used.
It's all about plugins!The powerful plugin system makes Miranda IM extremely
flexible. Only the most basic features are built in, but there are currently
more than 350 plugins available for download that allows users to extend the
functionality in Miranda IM. Plugins can be installed to add support for ICQ,
AIM, MSN, Jabber, Yahoo, Gadu-Gadu, Tlen, Netsend and other protocols.

For more information,
visit: http://www.miranda-im.org



Miranda Installer:
-------------------

Miranda Installer allows you to install Miranda nightlies and addons (Plugins,
LangPacks, Icons, Skins etc.). MirInst is mostly useful for downloading a bunch
of plugins and other addons, and installing them all at once using MirInst.

For more information,
visit: http://miranda-im.org/download/details.php?action=viewfile&id=528



-----------------------------------------------------------------------------
II. DESCRIPTION
-----------------------------------------------------------------------------

Miranda Installer and Miranda IM does not properly validate user-supplied plug-ins,
and installs/executes them directly.

Miranda Installer associates these file extensions when "Register file extensions"
options checked (this option is default).

.mir
.min
.mii
.mis
.mil
.mit
.mio
.mic
.mit


The file formats of Miranda Installers plug-ins has a basic structure.
Just make a dll file, then make it a zip archive and rename the filename
that will contain one of the above file extensions.

When double-clicked this file, it'll be open with Miranda Installer.
After it opens, click "Start" button to install this specially crafted
plug-in.

If Miranda IM is open during installation, it'll be closed and re-opened
after installation finished by Miranda Installer.

If Miranda IM is closed during installation, Miranda Installer directly
installs the specified plug-in. Then the user has to open Miranda IM
by hand.

In both situations, when the Miranda IM opens, it will execute our
plug-in automaticly instead of our specially crafted plug-in
(zipped and then renamed dll file).



-----------------------------------------------------------------------------
III. ANALYSIS
-----------------------------------------------------------------------------

Exploitation allows for arbitrary code execution as the user who opened
and installed the .mir .min .mii .mis .mil .mit .mio .mic .mit files.

Exploitation requires an attacker to craft a malicious file with one of
the above extensions and convince a user to open and install it.



-----------------------------------------------------------------------------
IV. DETECTION
-----------------------------------------------------------------------------

We have confirmed that all versions of Miranda IM and Miranda Installer
are vulnerable.



-----------------------------------------------------------------------------
V. WORKAROUND
-----------------------------------------------------------------------------

There are no known workarounds for this vulnerability. Although these
files can be disassociated from Miranda Installer, it is still possible to
execute code by installing these files then opening Miranda IM.


-----------------------------------------------------------------------------
VI. PROOF of CONCEPT EXPLOIT
-----------------------------------------------------------------------------

http://www.spyinstructors.com/poc/mirandavuln.mir


This P.o.C Exploit opens a bind shell prompt on port 5252.



-----------------------------------------------------------------------------
Discovered and Coded By: ATmaCA and Kozan
atmaca@spyinstructors.com - kozan@spyinstructors.com
www.spyinstructors.com
-----------------------------------------------------------------------------
Login or Register to add favorites

File Archive:

June 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    19 Files
  • 2
    Jun 2nd
    16 Files
  • 3
    Jun 3rd
    28 Files
  • 4
    Jun 4th
    0 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    19 Files
  • 7
    Jun 7th
    23 Files
  • 8
    Jun 8th
    11 Files
  • 9
    Jun 9th
    10 Files
  • 10
    Jun 10th
    4 Files
  • 11
    Jun 11th
    0 Files
  • 12
    Jun 12th
    0 Files
  • 13
    Jun 13th
    0 Files
  • 14
    Jun 14th
    0 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    27 Files
  • 20
    Jun 20th
    65 Files
  • 21
    Jun 21st
    10 Files
  • 22
    Jun 22nd
    8 Files
  • 23
    Jun 23rd
    6 Files
  • 24
    Jun 24th
    6 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close