Miranda IM and Miranda Installer Let Local Users Execute Arbitrary Code ----------------------------------------------------------------------------- I. BACKGROUND ----------------------------------------------------------------------------- Miranda IM: ------------------- Miranda IM is a multi protocol instant messenger client.No bloat, it's Easy and Small! Miranda IM is designed to be resource efficient and easy to use. It uses very little memory and requires no installation. Just unzip and run! This also makes it ideal for users that want to run their messenger client from a removable storage such as an USB memory stick. It can even be stored on a floppy disc if not too many plugins are used. It's all about plugins!The powerful plugin system makes Miranda IM extremely flexible. Only the most basic features are built in, but there are currently more than 350 plugins available for download that allows users to extend the functionality in Miranda IM. Plugins can be installed to add support for ICQ, AIM, MSN, Jabber, Yahoo, Gadu-Gadu, Tlen, Netsend and other protocols. For more information, visit: http://www.miranda-im.org Miranda Installer: ------------------- Miranda Installer allows you to install Miranda nightlies and addons (Plugins, LangPacks, Icons, Skins etc.). MirInst is mostly useful for downloading a bunch of plugins and other addons, and installing them all at once using MirInst. For more information, visit: http://miranda-im.org/download/details.php?action=viewfile&id=528 ----------------------------------------------------------------------------- II. DESCRIPTION ----------------------------------------------------------------------------- Miranda Installer and Miranda IM does not properly validate user-supplied plug-ins, and installs/executes them directly. Miranda Installer associates these file extensions when "Register file extensions" options checked (this option is default). .mir .min .mii .mis .mil .mit .mio .mic .mit The file formats of Miranda Installers plug-ins has a basic structure. Just make a dll file, then make it a zip archive and rename the filename that will contain one of the above file extensions. When double-clicked this file, it'll be open with Miranda Installer. After it opens, click "Start" button to install this specially crafted plug-in. If Miranda IM is open during installation, it'll be closed and re-opened after installation finished by Miranda Installer. If Miranda IM is closed during installation, Miranda Installer directly installs the specified plug-in. Then the user has to open Miranda IM by hand. In both situations, when the Miranda IM opens, it will execute our plug-in automaticly instead of our specially crafted plug-in (zipped and then renamed dll file). ----------------------------------------------------------------------------- III. ANALYSIS ----------------------------------------------------------------------------- Exploitation allows for arbitrary code execution as the user who opened and installed the .mir .min .mii .mis .mil .mit .mio .mic .mit files. Exploitation requires an attacker to craft a malicious file with one of the above extensions and convince a user to open and install it. ----------------------------------------------------------------------------- IV. DETECTION ----------------------------------------------------------------------------- We have confirmed that all versions of Miranda IM and Miranda Installer are vulnerable. ----------------------------------------------------------------------------- V. WORKAROUND ----------------------------------------------------------------------------- There are no known workarounds for this vulnerability. Although these files can be disassociated from Miranda Installer, it is still possible to execute code by installing these files then opening Miranda IM. ----------------------------------------------------------------------------- VI. PROOF of CONCEPT EXPLOIT ----------------------------------------------------------------------------- http://www.spyinstructors.com/poc/mirandavuln.mir This P.o.C Exploit opens a bind shell prompt on port 5252. ----------------------------------------------------------------------------- Discovered and Coded By: ATmaCA and Kozan atmaca@spyinstructors.com - kozan@spyinstructors.com www.spyinstructors.com -----------------------------------------------------------------------------