10/07/2003

TITLE
=====
mIRC - Buffer overflow in "irc" protocol handler.

DESCRIPTION
===========
"mIRC attempts to provide a user-friendly interface for use with the Internet Relay Chat network. The IRC network is a virtual meeting place where people from all over the world can meet and talk". More information at http://www.mirc.com

PROBLEMS
========
Affected Version : mIRC 6.1 (latest) and probably older builds.
Tested Platform  : Windows 2000

A buffer overflow vulnerability has been discovered in mIRC that allows attackers to execute arbitrary commands remotely against mIRC users.

DETAILS
=======
When mIRC is installed, it registers its own handler for URLs of the type "irc". Opening "irc://irc.hackme.com" from a web browser causes mirc.exe to be launched, ready to connect to the irc.hackme.com server.

By supplying an overly long string to the "irc" protocol handler, an attacker can overwrite the saved instruction pointer and thus control the program's execution. For instance:

irc://[buffer]......

where buffer is longer than 998 bytes.

An attacker could gain access to the target system if he tricks the user into loading his specially crafted URL; his code would then execute with the current user's privileges.

VENDOR STATUS
=============
The author has released a newer version (6.11) which fixes the issue, available at http://www.mirc.com/get.html.

Phuong Nguyen
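The defect class above is a URL-handler copying the host part of "irc://..." into a fixed-size stack buffer without a length check. The following C is an added illustration written for this advisory, not mIRC's code: the unsafe pattern is shown only in a comment, and the hardened handler (hypothetical names parse_irc_url, check_irc_url and long_host_is_rejected, with an assumed host limit of 255 bytes) validates length and character set before any copy, so an input of the size the advisory describes (over 998 bytes) is rejected rather than written past the buffer.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed limits for this example (not values taken from mIRC) */
#define HOST_MAX 255            /* longest host name the handler accepts */
#define HOST_BUF (HOST_MAX + 1) /* room for the terminating NUL */

enum url_status {
    URL_OK = 0, URL_BAD_SCHEME = 1, URL_TOO_LONG = 2,
    URL_BAD_CHAR = 3, URL_BAD_PORT = 4, URL_EMPTY_HOST = 5
};

/* The unsafe pattern behind this bug class, kept as a comment so the example
 * never executes it:
 *
 *     char host[256];
 *     strcpy(host, url + 6);   // no bound: a long URL runs past host[]
 *
 * Bytes past the end of host[] land on adjacent stack data, including the
 * saved return address, which is the overwrite the advisory reports. */

/* Hardened handler: accepts "irc://host[:port][/...]" and copies the host into
 * the caller's buffer only after checking that it fits and looks like a host. */
enum url_status parse_irc_url(const char *url, char *host, size_t host_sz, unsigned *port)
{
    const char *p, *end;
    size_t len, i;

    if (url == NULL || host == NULL || port == NULL || host_sz == 0)
        return URL_BAD_SCHEME;
    if (strncmp(url, "irc://", 6) != 0)
        return URL_BAD_SCHEME;

    p = url + 6;
    end = p + strcspn(p, ":/");      /* host ends at ':' or '/' or NUL */
    len = (size_t)(end - p);

    /* The length check happens BEFORE any copy: this is the missing step. */
    if (len == 0)
        return URL_EMPTY_HOST;
    if (len > HOST_MAX || len >= host_sz)
        return URL_TOO_LONG;

    for (i = 0; i < len; i++) {      /* only host-name characters allowed */
        unsigned char c = (unsigned char)p[i];
        if (!isalnum(c) && c != '-' && c != '.')
            return URL_BAD_CHAR;
    }

    memcpy(host, p, len);
    host[len] = '\0';

    *port = 6667;                    /* default IRC port */
    if (*end == ':') {
        char *q;
        unsigned long v = strtoul(end + 1, &q, 10);
        if (q == end + 1 || v == 0 || v > 65535 || (*q != '\0' && *q != '/'))
            return URL_BAD_PORT;
        *port = (unsigned)v;
    }
    return URL_OK;
}

/* Status-only wrapper for callers that just want accept/reject. */
enum url_status check_irc_url(const char *url)
{
    char host[HOST_BUF];
    unsigned port;
    return parse_irc_url(url, host, sizeof host, &port);
}

/* Constructs "irc://" followed by n bytes of 'A' (the advisory's long-buffer
 * case) and reports whether the hardened handler rejects it as too long. */
int long_host_is_rejected(size_t n)
{
    char *url = malloc(6 + n + 1);
    int rejected;
    if (url == NULL) return 0;
    memcpy(url, "irc://", 6);
    memset(url + 6, 'A', n);
    url[6 + n] = '\0';
    rejected = check_irc_url(url) == URL_TOO_LONG;
    free(url);
    return rejected;
}

int main(void)
{
    char host[HOST_BUF];
    unsigned port;
    if (parse_irc_url("irc://irc.example.net:7000/", host, sizeof host, &port) == URL_OK)
        printf("accepted host=%s port=%u\n", host, port);
    printf("1000-byte host rejected: %s\n", long_host_is_rejected(1000) ? "yes" : "no");
    return 0;
}
```

The point of the design is that the only write into the caller's buffer is a memcpy of a length already proven smaller than the buffer; a handler registered for a URL scheme receives attacker-chosen input from any web page, so the bound has to be enforced by the handler itself rather than assumed from the browser.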