exploit the possibilities

mirandaIM.txt

mirandaIM.txt
Posted Apr 18, 2005
Authored by ATmaCA, Kozan | Site spyinstructors.com

The Miranda IM client lets local user execute arbitrary code due to not properly validating user supplied plugins.

tags | advisory, arbitrary, local
MD5 | c32502b023b4e84dfc667b9084f2d9d0

mirandaIM.txt

Change Mirror Download


Miranda IM and Miranda Installer Let Local Users Execute Arbitrary Code



-----------------------------------------------------------------------------
I. BACKGROUND
-----------------------------------------------------------------------------

Miranda IM:
-------------------

Miranda IM is a multi protocol instant messenger client.No bloat,
it's Easy and Small! Miranda IM is designed to be resource efficient
and easy to use. It uses very little memory and requires no installation.
Just unzip and run! This also makes it ideal for users that want to run
their messenger client from a removable storage such as an USB memory stick.
It can even be stored on a floppy disc if not too many plugins are used.
It's all about plugins!The powerful plugin system makes Miranda IM extremely
flexible. Only the most basic features are built in, but there are currently
more than 350 plugins available for download that allows users to extend the
functionality in Miranda IM. Plugins can be installed to add support for ICQ,
AIM, MSN, Jabber, Yahoo, Gadu-Gadu, Tlen, Netsend and other protocols.

For more information,
visit: http://www.miranda-im.org



Miranda Installer:
-------------------

Miranda Installer allows you to install Miranda nightlies and addons (Plugins,
LangPacks, Icons, Skins etc.). MirInst is mostly useful for downloading a bunch
of plugins and other addons, and installing them all at once using MirInst.

For more information,
visit: http://miranda-im.org/download/details.php?action=viewfile&id=528



-----------------------------------------------------------------------------
II. DESCRIPTION
-----------------------------------------------------------------------------

Miranda Installer and Miranda IM does not properly validate user-supplied plug-ins,
and installs/executes them directly.

Miranda Installer associates these file extensions when "Register file extensions"
options checked (this option is default).

.mir
.min
.mii
.mis
.mil
.mit
.mio
.mic
.mit


The file formats of Miranda Installers plug-ins has a basic structure.
Just make a dll file, then make it a zip archive and rename the filename
that will contain one of the above file extensions.

When double-clicked this file, it'll be open with Miranda Installer.
After it opens, click "Start" button to install this specially crafted
plug-in.

If Miranda IM is open during installation, it'll be closed and re-opened
after installation finished by Miranda Installer.

If Miranda IM is closed during installation, Miranda Installer directly
installs the specified plug-in. Then the user has to open Miranda IM
by hand.

In both situations, when the Miranda IM opens, it will execute our
plug-in automaticly instead of our specially crafted plug-in
(zipped and then renamed dll file).



-----------------------------------------------------------------------------
III. ANALYSIS
-----------------------------------------------------------------------------

Exploitation allows for arbitrary code execution as the user who opened
and installed the .mir .min .mii .mis .mil .mit .mio .mic .mit files.

Exploitation requires an attacker to craft a malicious file with one of
the above extensions and convince a user to open and install it.



-----------------------------------------------------------------------------
IV. DETECTION
-----------------------------------------------------------------------------

We have confirmed that all versions of Miranda IM and Miranda Installer
are vulnerable.



-----------------------------------------------------------------------------
V. WORKAROUND
-----------------------------------------------------------------------------

There are no known workarounds for this vulnerability. Although these
files can be disassociated from Miranda Installer, it is still possible to
execute code by installing these files then opening Miranda IM.


-----------------------------------------------------------------------------
VI. PROOF of CONCEPT EXPLOIT
-----------------------------------------------------------------------------

http://www.spyinstructors.com/poc/mirandavuln.mir


This P.o.C Exploit opens a bind shell prompt on port 5252.



-----------------------------------------------------------------------------
Discovered and Coded By: ATmaCA and Kozan
atmaca@spyinstructors.com - kozan@spyinstructors.com
www.spyinstructors.com
-----------------------------------------------------------------------------
Login or Register to add favorites

File Archive:

September 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    20 Files
  • 2
    Sep 2nd
    15 Files
  • 3
    Sep 3rd
    15 Files
  • 4
    Sep 4th
    4 Files
  • 5
    Sep 5th
    1 Files
  • 6
    Sep 6th
    1 Files
  • 7
    Sep 7th
    15 Files
  • 8
    Sep 8th
    27 Files
  • 9
    Sep 9th
    7 Files
  • 10
    Sep 10th
    16 Files
  • 11
    Sep 11th
    9 Files
  • 12
    Sep 12th
    0 Files
  • 13
    Sep 13th
    0 Files
  • 14
    Sep 14th
    25 Files
  • 15
    Sep 15th
    15 Files
  • 16
    Sep 16th
    15 Files
  • 17
    Sep 17th
    15 Files
  • 18
    Sep 18th
    12 Files
  • 19
    Sep 19th
    1 Files
  • 20
    Sep 20th
    1 Files
  • 21
    Sep 21st
    14 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close