mIRC

A vulnerability was discovered in the mIRC application that could allow attackers to execute commands, such as the downloading and installation of malware, on a vulnerable computer.

mIRC is a popular Internet Relay Chat, or IRC, application that allows users to connect to IRC servers in order to chat with other users. These chat servers are used to talk about a variety of topics and allow users to send images, links, and files to other users on the same server.

When mIRC is installed it registers three custom URI schemes, irc:, ircs: and mircurl:, that can be used as links to launch mIRC and connect automatically to a particular server. For example, the URL irc://irc.undernet.org/, when clicked, causes mIRC to connect automatically to the irc.undernet.org server.

A new vulnerability has been discovered by security researchers Benjamin Chetioui and Baptiste Devigne of ProofOfCalc that allows attackers to inject arguments into the command line launched through these custom URI schemes, as registered by mIRC versions older than 7.55.

"mIRC has been shown to be vulnerable to argument injection through its associated URI protocol handlers that improperly escape their parameters," the researchers explain in their writeup. "Using available command-line parameters, an attacker is able to load a remote configuration file and to automatically run arbitrary code."

In Windows, a URI scheme is mapped to a particular application, which is launched with command line arguments when a URL using that scheme is clicked. The researchers explain that, to prevent argument injection, a custom URI scheme handler in Windows should place a sigil before the URL argument, so that nothing following it is parsed as further command line arguments.

In the researchers' example, the "--" sigil in the URI handler command registered by Discord prevents anything after it from being parsed as further command line arguments:

Discord.exe" --url -- "%1"

mIRC, though, does not use a sigil, so injected arguments are parsed, and that in turn allows a custom configuration file to be specified when mIRC is launched. The command that Windows executes when an irc: link is clicked is shown in the image below.

[Image: IRC URI scheme created by mIRC]
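To make the sigil point concrete, the following Python script is an added example (not from the researchers' writeup, and not code from mIRC or Discord). It models how Windows substitutes a clicked URL into a handler's registry command template, splits the result into an argument vector, and audits a template for an unquoted %1 and for a missing "--" sigil. The templates, paths, URLs and the option name -hypothetical-option are all constructed for illustration, and the command-line splitter is a simplified model of Windows' CommandLineToArgvW that omits its run-of-backslashes rules.

```python
import re

# Constructed registry command templates for a URI scheme handler (the real
# ones live under HKEY_CLASSES_ROOT\<scheme>\shell\open\command). The paths are
# hypothetical; none of these strings is copied from mIRC or Discord.
TEMPLATE_UNQUOTED = r'"C:\Example\mirc.exe" %1'              # %1 bare
TEMPLATE_QUOTED = r'"C:\Example\mirc.exe" "%1"'              # quoted, no sigil
TEMPLATE_SIGIL = r'"C:\Example\Discord.exe" --url -- "%1"'   # Discord-style "--" sigil

# Constructed URLs: a benign one and two carrying a hypothetical option name.
URL_PLAIN = "irc://irc.example.invalid/"
URL_WITH_SPACE = "irc://irc.example.invalid/ -hypothetical-option"
URL_WITH_QUOTE = 'irc://irc.example.invalid/" -hypothetical-option "x'


def substitute(template, url):
    """Windows substitutes the URL for %1 textually; nothing is escaped."""
    return template.replace("%1", url)


def split_windows_cmdline(cmdline):
    """Simplified CommandLineToArgvW: whitespace separates arguments, double
    quotes group them, and backslash-quote yields a literal quote. The
    run-of-backslashes rules of the real parser are deliberately omitted."""
    args, cur, in_quotes, have_arg = [], [], False, False
    i, n = 0, len(cmdline)
    while i < n:
        c = cmdline[i]
        if c == "\\" and i + 1 < n and cmdline[i + 1] == '"':
            cur.append('"')
            have_arg, i = True, i + 2
        elif c == '"':
            in_quotes, have_arg, i = not in_quotes, True, i + 1
        elif c in " \t" and not in_quotes:
            if have_arg:
                args.append("".join(cur))
                cur, have_arg = [], False
            i += 1
        else:
            cur.append(c)
            have_arg, i = True, i + 1
    if have_arg:
        args.append("".join(cur))
    return args


def parse_handler_args(argv):
    """Model of a handler's option parser: tokens starting with '-' are
    options until a bare '--' is seen; everything after it is positional."""
    options, positional, stop = [], [], False
    for arg in argv[1:]:
        if stop:
            positional.append(arg)
        elif arg == "--":
            stop = True
        elif arg.startswith("-"):
            options.append(arg)
        else:
            positional.append(arg)
    return {"options": options, "positional": positional}


def injected_options(template, url):
    """Options the handler sees for `url` that it does not see for URL_PLAIN."""
    expected = parse_handler_args(split_windows_cmdline(substitute(template, URL_PLAIN)))["options"]
    seen = parse_handler_args(split_windows_cmdline(substitute(template, url)))["options"]
    return [o for o in seen if o not in expected]


def audit_template(template):
    """Static check of a handler template for the two weaknesses modelled above."""
    findings = []
    if "%1" not in template:
        return ["no %1 placeholder"]
    if '"%1"' not in template:
        findings.append("%1 is unquoted: whitespace in the URL splits it into extra arguments")
    if not re.search(r'(^|\s)--\s+"?%1', template):
        findings.append('no "--" sigil before %1: a quote in the URL can add extra options')
    return findings


if __name__ == "__main__":
    for name, template in [("unquoted", TEMPLATE_UNQUOTED), ("quoted", TEMPLATE_QUOTED), ("sigil", TEMPLATE_SIGIL)]:
        print(f"{name}: audit={audit_template(template)}")
        for url in (URL_WITH_SPACE, URL_WITH_QUOTE):
            print(f"  {url!r} -> injected {injected_options(template, url)}")
```

Quoting %1 stops a space in the URL from producing a second argument, but a quote character in the URL still closes the quoted argument, which is why only the "--" sigil (honoured by the handler's own option parser) makes the remainder inert. The audit function is the check a defender can run over exported HKEY_CLASSES_ROOT command values for every scheme handler on a machine, not just mIRC's.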

To exploit this vulnerability, the researchers set up a Samba server hosting a custom MIRC.ini file, which is mIRC's configuration file. This ini file contains a command that executes another script, which in turn executes commands on the computer.

These commands can do anything within the security context of the logged-in user, such as downloading and installing malware, creating new users, or deleting files.

All an attacker has to do is send a link to a web page that contains an iframe that opens the custom irc: URL as shown below.

[Image: Malicious web site]

Once a user opens the web site, the iframe triggers the custom URI, which launches mIRC with the remote configuration file and executes the remote script's commands.

[Image: Example script executed by remote mIRC config]

The researchers demonstrated this in the PoC shown below.

[Image: PoC example]
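From the defender's side, the chain described above leaves a recognisable process-creation trace: mirc.exe started by a browser (the iframe firing the URI handler), with a UNC path to a remote share on its command line, or with extra arguments trailing the irc: URI. The following Python triage is an added example, not part of the article or the researchers' PoC; it runs over constructed Sysmon event ID 1 style records (the field names Image, ParentImage and CommandLine are Sysmon's; the hosts, paths and command lines are made up) and scores each one.

```python
import re

# Parent processes from which a URI-handler launch of mIRC is expected, i.e. a
# clicked or iframe-triggered irc: link. Extend for the browsers in your fleet.
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}

# \\host\share\path on the command line: a remote configuration source, as in
# the researchers' Samba share.
UNC_RE = re.compile(r'\\\\[A-Za-z0-9._-]+\\[^\s"]+')
# The three schemes mIRC registers.
URI_RE = re.compile(r'\b(?:irc|ircs|mircurl):\S*', re.IGNORECASE)

# Constructed Sysmon event ID 1 records. Field names are Sysmon's; the hosts,
# paths and command lines are invented for this example.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\mIRC\mirc.exe",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Program Files\mIRC\mirc.exe" irc://irc.example.invalid/'},
    {"Image": r"C:\Program Files\mIRC\mirc.exe",
     "ParentImage": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "CommandLine": r'"C:\Program Files\mIRC\mirc.exe" irc://irc.example.invalid/ \\share.example.invalid\public\mirc.ini'},
    {"Image": r"C:\Program Files\mIRC\mirc.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\mIRC\mirc.exe"'},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe" \\share.example.invalid\public\notes.txt'},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(event):
    """Return a severity and the reasons behind it for one process-creation event."""
    reasons = []
    if basename(event["Image"]) != "mirc.exe":
        return {"severity": "none", "reasons": reasons}
    cmd = event["CommandLine"]
    browser_parent = basename(event["ParentImage"]) in BROWSERS
    if browser_parent:
        reasons.append("launched by a browser, i.e. via the URI handler")
    unc = UNC_RE.search(cmd)
    if unc:
        reasons.append(f"UNC path on the command line: {unc.group(0)}")
    uri = URI_RE.search(cmd)
    # Anything after the URI token means the URL did not stay a single argument.
    extra_args = bool(uri) and uri.end() < len(cmd.rstrip())
    if extra_args:
        reasons.append("additional arguments follow the irc: URI")
    if unc:
        severity = "high"
    elif extra_args and browser_parent:
        severity = "medium"
    elif browser_parent:
        severity = "info"
    else:
        severity = "none"
    return {"severity": severity, "reasons": reasons}


def triage_all(events):
    return [triage(e) for e in events]


if __name__ == "__main__":
    for event, result in zip(SAMPLE_EVENTS, triage_all(SAMPLE_EVENTS)):
        print(f'{result["severity"]:6} {event["CommandLine"]}')
        for reason in result["reasons"]:
            print(f"       - {reason}")
```

A plain browser-launched mirc.exe with a single irc: URL is normal use and scores only "info"; it is the UNC path, or a URL that has spilled into further arguments, that distinguishes the injection from a legitimate link. The same three fields are available from Windows Security event 4688 when command-line auditing is enabled, so the rule ports without Sysmon.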

This vulnerability can be exploited simply by having a user open a web page, and such a page can be distributed via phishing, forum posts, or any other location that allows user-submitted content.

This vulnerability was fixed in mIRC 7.55, which was released on February 8th, 2019. As the researchers have published a proof-of-concept exploit and the vulnerability is trivial to exploit, users running older versions of mIRC are strongly advised to upgrade to the latest 7.55 version.
