A security vulnerability in mIRC, a popular IRC client for Windows, allows a remote IRC server to make the client execute arbitrary code by overflowing an internal buffer.
When requesting a user's host information, mIRC assumes that the host is less than 110 bytes long. If the host string returned by the server is longer than 110 bytes, a buffer overflow occurs in mIRC. The overflow allows EIP (the saved return address) to be overwritten.
The victim does not need to type the USERHOST request (/dns) himself: the mIRC client sends a USERHOST request on its own to obtain its local host information as soon as it connects to a server.
<- :server.com 001 Victim :Welcome
-> :server.com USERHOST Victim
----- And then, the server's reply -----
<- :server.com 302 Victim:Victim=+~b@cnqXX-XXX.cablevision.qc.ca
Local host: cnqXX-XXX.cablevision.qc.ca (24.212.XX.XXX)
Sending a reply whose host part is longer than 110 bytes triggers the overflow: :server.com 302 Victim:Victim=+~b@
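As an added illustration (not part of the original advisory), the following check parses raw IRC lines, picks out RPL_USERHOST (302) replies and flags any whose host part exceeds the 110-byte limit described above; it could sit in a client-side proxy or an IDS rule. The sample lines are constructed, and the 110-byte limit is the one quoted in this advisory.

```python
import re

# mIRC 6.01 through 6.1 copies the host part of a 302 (USERHOST) reply into a
# fixed 110-byte buffer (per this advisory). Replies with a longer host are
# flagged here as suspicious instead of being passed on to the client.
MAX_SAFE_HOST_LEN = 110

# ":server 302 nick :nick=+user@host ..." - the space before ':' is optional so
# that the form printed in the advisory (no space) is accepted as well.
USERHOST_RE = re.compile(rb"^:(?P<server>\S+) 302 (?P<target>[^ :]+) ?:(?P<payload>.*)$")


def parse_userhost_reply(line: bytes):
    """Return (target, [(nick, userhost), ...]) for a 302 reply, else None."""
    m = USERHOST_RE.match(line.rstrip(b"\r\n"))
    if not m:
        return None
    entries = []
    for item in m.group("payload").split(b" "):
        if not item or b"=" not in item:
            continue  # skip empty tokens or anything not shaped like nick=...
        nick, userhost = item.split(b"=", 1)
        entries.append((nick, userhost))
    return m.group("target"), entries


def host_of(userhost: bytes) -> bytes:
    """Drop the away flag and user part ("+~b@host" -> "host")."""
    return userhost.split(b"@", 1)[-1]


def check_userhost_reply(line: bytes, limit: int = MAX_SAFE_HOST_LEN):
    """Return [(nick, host_length)] for every entry whose host exceeds limit."""
    parsed = parse_userhost_reply(line)
    if parsed is None:
        return []
    _, entries = parsed
    return [(nick, len(host_of(uh))) for nick, uh in entries if len(host_of(uh)) > limit]


# constructed sample replies: a normal one and one with a 200-byte host
BENIGN = b":server.com 302 Victim :Victim=+~b@cnqXX-XXX.cablevision.qc.ca\r\n"
OVERSIZED = b":server.com 302 Victim :Victim=+~b@" + b"A" * 200 + b"\r\n"

if __name__ == "__main__":
    for sample in (BENIGN, OVERSIZED):
        flagged = check_userhost_reply(sample)
        print("suspicious" if flagged else "ok", flagged)
```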
The attacker needs to do the following to successfully exploit the bug:
* Get the victim to connect to his IRC server (for example via an irc:// link)
* Get the victim's mIRC version by sending a CTCP version
Impact:
The vulnerability allows arbitrary code to be executed on the victim's machine (it requires the user to connect to a server). By using API addresses taken from mIRC.exe, the exact OS of the victim does not need to be known to successfully exploit the overflow.
Exploit:
An exploit is available to download here. It is supposed to work on all Windows versions, against mIRC 6.01 through 6.1.
The exploit will attempt to execute a command of your choice, by default "calc.exe", after which mIRC will crash.
Vendor response:
The vendor was notified of the existence of this issue in September 2002. He said that it should be fixed in his next version of mIRC (currently mIRC 6.1).