From fulldisclose@uuuppz.com Thu Aug 29 17:32:18 2002
From: James Martin
To: full-disclosure@lists.netsys.com
Date: Tue, 27 Aug 2002 15:16:51 +0100
Reply-To: full-disclosure@lists.netsys.com
Subject: [Full-Disclosure] uuuppz.com - Advisory 002 - mIRC $asctime overflow

General Info
------------
Researched by: James Martin
Full advisory: http://www.uuuppz.com/research/adv-002-mirc.htm
Exploit: Proof of concept code available at the above URL.
Product: mIRC
Website: http://www.mirc.com
Version: V6.00, V6.01, V6.02.
Fix: Download mIRC 6.03 from http://www.mirc.com. Please do not download from unofficial sites, as you may download a trojaned version.
Type: Buffer Overrun
Risk: Low to High

Summary
-------
mIRC provides scripting capabilities to allow extension of the client. A flaw exists in the $asctime identifier, which is used to format Unix-style time stamps. Passing a string of sufficient length to $asctime causes a buffer overflow on the stack, which allows byte code to be executed by calling $asctime with a carefully constructed string.

The default script included with mIRC does not call $asctime at any point. However, the majority of major scripts available for download call $asctime to decode data provided by the IRC server, and many scripts call $asctime on data provided by other remote sources. Whether this flaw can be exploited therefore depends on the script the victim has installed.
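As an added illustration of the bug class described above (this is not mIRC's own code, whose internals the advisory does not show): a time-formatting routine that validates the caller's format string against its fixed-size stack buffer before copying it, so an over-long string, whether typed locally or relayed from an IRC server by a script, is rejected rather than overrunning the stack. The buffer size, the function names and the 200-byte sample input are assumptions.

```c
/* Added illustration (not mIRC's code): models the $asctime bug class.
 * Assumption: the identifier copies the caller's format string into a
 * fixed-size stack buffer before formatting; an unchecked copy there is
 * the overflow, and the length check below is the defence. */
#include <stdio.h>
#include <string.h>
#include <time.h>

#define FMT_MAX 64   /* assumed size of the internal format scratch buffer */

/* Format a Unix time stamp with the caller's strftime()-style format.
 * The format is validated against the scratch buffer BEFORE any copy,
 * so an over-long string (from a user, or from an IRC server via a
 * script) is refused instead of overrunning the stack.
 * Returns 1 on success, 0 if the input is rejected or formatting fails. */
int asctime_checked(long unix_ts, const char *fmt, char *out, size_t outlen)
{
    char scratch[FMT_MAX];
    time_t t = (time_t)unix_ts;
    struct tm *tmv;

    if (fmt == NULL || strlen(fmt) >= sizeof scratch)
        return 0;                    /* would not fit: refuse, do not copy */
    memcpy(scratch, fmt, strlen(fmt) + 1);
    tmv = gmtime(&t);
    if (tmv == NULL)
        return 0;
    return strftime(out, outlen, scratch, tmv) != 0;
}

/* A normal format string is accepted and formatted as expected. */
int demo_valid_format(void)
{
    char out[128];
    return asctime_checked(0, "%Y-%m-%d %H:%M:%S", out, sizeof out) == 1
        && strcmp(out, "1970-01-01 00:00:00") == 0;
}

/* A constructed over-long format string (199 'A's, the shape of input the
 * advisory describes) is rejected before it can reach the stack copy. */
int demo_overlong_rejected(void)
{
    char out[128];
    char longfmt[200];
    memset(longfmt, 'A', sizeof longfmt - 1);
    longfmt[sizeof longfmt - 1] = '\0';
    return asctime_checked(0, longfmt, out, sizeof out) == 0;
}
```

The same rule applies at the script level: a script should check the length of server-supplied data before handing it to $asctime, rather than trusting the server.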