KVIrc irc:// URI Handler Command Execution Vulnerability
27 Jun. 2007
Summary
KVIrc is "a free portable IRC client based on the excellent Qt GUI toolkit. KVIrc is being written by Szymon Stefanek and the KVIrc Development Team with the contribution of many IRC addicted developers around the world". Secunia Research has discovered a vulnerability in KVIrc, which can be exploited by malicious people to compromise a user's system.
The vulnerability is caused by the "parseIrcUrl()" function in src/kvirc/kernel/kvi_ircurl.cpp, which does not properly sanitize parts of the URI when building the command for KVIrc's internal script system. This can be exploited to inject and execute commands for the KVIrc script system (including the "run" command, which can be leveraged to execute shell commands), for example by tricking a user into opening a specially crafted "irc://" or similar URI (e.g. "irc6://").
Successful exploitation requires that KVIrc is the default handler for "irc://" and similar URIs.
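The missing sanitization described above is most robustly closed by refusing any URI component that falls outside a strict allowlist before a script command is ever built from it. The following is an added example, not KVIrc's code or its actual fix: `IrcTarget`, `parseIrcUriStrict()`, the default port, the length limits and the permitted character sets are all assumptions made for illustration, and only DNS hostnames are accepted (no IPv6 literals).

```cpp
#include <iostream>
#include <string>

// Hypothetical result type: the pieces a handler needs from the URI.
struct IrcTarget {
    std::string host;
    unsigned long port = 6667;  // assumed default when the URI carries no port
    std::string channel;        // empty when the URI names no channel
};
static const std::string kDigits = "0123456789";
static const std::string kAlnum =
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ" + kDigits;

// True when s consists only of characters listed in allowed.
static bool onlyFrom(const std::string& s, const std::string& allowed) {
    return s.find_first_not_of(allowed) == std::string::npos;
}

// Accepts irc:// and irc6:// URIs with a DNS hostname; fills out only on success.
bool parseIrcUriStrict(const std::string& uri, IrcTarget& out) {
    std::string rest;
    if (uri.compare(0, 6, "irc://") == 0) rest = uri.substr(6);
    else if (uri.compare(0, 7, "irc6://") == 0) rest = uri.substr(7);
    else return false;
    IrcTarget t;
    const std::string::size_type slash = rest.find('/');
    std::string host = rest.substr(0, slash);
    if (slash != std::string::npos) t.channel = rest.substr(slash + 1);
    const std::string::size_type colon = host.rfind(':');
    if (colon != std::string::npos) {
        const std::string port = host.substr(colon + 1);
        if (port.empty() || port.size() > 5 || !onlyFrom(port, kDigits)) return false;
        t.port = std::stoul(port);
        if (t.port < 1 || t.port > 65535) return false;
        host.erase(colon);
    }
    // Anything outside the allowlist (separators, quotes, whitespace) is refused.
    if (host.empty() || host.size() > 253 || !onlyFrom(host, kAlnum + ".-")) return false;
    if (t.channel.size() > 50 || !onlyFrom(t.channel, kAlnum + "#_-")) return false;
    t.host = host;
    out = t;
    return true;
}

int main() {
    IrcTarget t;  // both sample URIs below are constructed for this example
    std::cout << parseIrcUriStrict("irc://irc.example.org:6667/#kvirc", t) << "\n";
    std::cout << parseIrcUriStrict("irc://irc.example.org/#chan;x", t) << "\n";
}
```

Rejecting the whole URI on the first disallowed character avoids having to enumerate and escape every metacharacter of the script language the command is later interpreted in.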