A vulnerability was discovered in the mIRC application that could allow attackers to execute commands, such as the downloading and installation of malware, on a vulnerable computer.
mIRC is a popular Internet Relay Chat, or IRC, application that allows users to connect to IRC servers in order to chat with other users. These chat servers are used to talk about a variety of topics and allow users to send images, links, and files to other users on the same server.
When mIRC is installed it creates three custom URI schemes, irc:, ircs: and mircurl:, that can be used as links to launch mIRC and connect automatically to a particular server. For example, the URL irc://irc.undernet.org/, when clicked, would cause mIRC to automatically connect to the irc.undernet.org server.
A new vulnerability has been discovered by security researchers Benjamin Chetioui and Baptiste Devigne of ProofOfCalc that allows attackers to inject commands into these custom URI schemes when created by mIRC versions older than 7.55.
"mIRC has been shown to be vulnerable to argument injection through its associated URI protocol handlers that improperly escape their parameters," the researchers explain in their writeup. "Using available command-line parameters, an attacker is able to load a remote configuration file and to automatically run arbitrary code."
In Windows, a URI scheme is mapped to a particular application that is launched with command-line arguments when the URL is clicked. The researchers explain that, to prevent command injection, a custom URI scheme handler in Windows should use a sigil, which stops any injected command-line arguments from being parsed as options.
In their example, the researchers show that the "--" sigil in the URI scheme handler created by Discord prevents further command-line arguments from being parsed:
Discord.exe" --url -- "%1"
mIRC, though, does not use a sigil and so allows command-line injection, which lets an attacker specify a custom configuration file when mIRC is launched. You can see the command that is executed in Windows when an irc: link is clicked in the image below.
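As an added example, not from the article or the researchers' writeup, here is a small Python audit that applies the sigil check described above to URI handler command templates (on Windows these live under HKEY_CLASSES_ROOT\<scheme>\shell\open\command). The Discord template is the form quoted in the article with an assumed executable path; the mIRC-style template is constructed to show the missing sigil, and whether "--" really ends option parsing depends on the application honouring it, which a template check cannot verify.

```python
import re

# Handler command templates as they would appear in the registry value.
# "discord" follows the sigil-protected form shown in the article (the
# executable path is an assumption); "irc" is a CONSTRUCTED template with
# no "--" sigil, used only to exercise the audit. Neither is a real value.
HANDLERS = {
    "discord": r'"C:\Apps\Discord.exe" --url -- "%1"',
    "irc":     r'"C:\Apps\mirc.exe" "%1"',
}

# One token is either a double-quoted string (kept whole) or a bare word.
TOKEN = re.compile(r'"[^"]*"|\S+')


def tokenize(template):
    """Split a handler command template into argv-style tokens."""
    return TOKEN.findall(template)


def audit_handler(template):
    """Report whether the %1 placeholder (the clicked URL) is preceded by an
    end-of-options sigil ("--") and whether it is quoted."""
    tokens = tokenize(template)
    placeholder = next((i for i, t in enumerate(tokens) if "%1" in t), None)
    if placeholder is None:
        # No URL is passed at all, so there is nothing to inject into.
        return {"placeholder": False, "quoted": False, "sigil": False, "safe": False}
    quoted = tokens[placeholder].startswith('"')
    # The sigil only protects the URL if it is its own token before %1.
    sigil = "--" in tokens[:placeholder]
    return {"placeholder": True, "quoted": quoted, "sigil": sigil, "safe": sigil}


def audit_all(handlers):
    """Audit every registered handler; flag the ones lacking a sigil."""
    return {name: audit_handler(t) for name, t in handlers.items()}


if __name__ == "__main__":
    for name, result in audit_all(HANDLERS).items():
        status = "ok" if result["safe"] else "NO SIGIL - argument injection risk"
        print(f"{name}: {status} ({result})")
```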
To exploit this vulnerability, the researchers set up a Samba server hosting a custom MIRC.ini file, which is mIRC's configuration file. This ini file contains a command that executes another script, which in turn executes commands on the computer.
These commands can do anything under the security context of the logged-in user, such as downloading and installing malware, creating new users, or deleting files.
All an attacker has to do is send a link to a web page that contains an iframe that opens the custom irc: URL as shown below.
Once a user opens the web site, the iframe will trigger the custom URI, which will launch mIRC using the remote configuration file, and execute the remote script's commands.
The researchers demonstrated this in the PoC shown below.
Because this vulnerability can be exploited simply by having a user open a web page, it can be distributed via phishing, forum posts, or any other channel that accepts user-submitted content.
This vulnerability was fixed in mIRC 7.55, which was released on February 8th, 2019. As the researchers have posted a proof-of-concept exploit and as the vulnerability is trivial to exploit, users running older versions of mIRC are strongly advised to upgrade to the latest 7.55 version.