Scalar Security Research Labs
===================================
Presents

--------------------------[ Advisory 01-02 ]--------------------------

Advisory ID : 01-02
Synopsis    : mIRC password protection can be bypassed
Application : mIRC version 5.7; other versions may be affected
Vendor      : Not yet notified
Web Contact : www.mirc.com
Exploit     : Execution of mIRC without knowledge of the password
Author      : scalar
E-mail      : scalar@shadowvx.com
Homepage    : chronix.shadowvx.com

---| Table of Contents

---| The Problem
---| Exploit Details
---| Patches/Workarounds
---| Disclaimer
---| Feedback

---| The Problem:

IRC is a protocol designed to allow real-time communication across the Internet. It is a widely used channel; connecting to an IRC server requires software known as an IRC client. On the Windows operating system, one of the most widely used clients is mIRC. This client is not totally secure: it has a significant vulnerability that allows a malicious user to bypass the mIRC password. Specifically, version 5.71 is analyzed within this advisory.

In mIRC, there is an option to "Lock" mIRC. This option requires a password to be entered before the program fully executes and becomes functional. The option is located within the Options dialog window. Within the left-hand panel, [+] General should be visible. Click the [+] to drop down the list of available options for the General subset. The following should now be clearly visible:

[-]-General
  |-Server
  |-Lock

Next, choose the "Lock" option. This changes the right-hand side of the window, making the Lock options available. On the upper right-hand side is the button: Lock. Clicking this button opens a dialog box that requests a new password to lock mIRC. After entering the necessary data, click "OK". This sets the password and effectively locks the mIRC binary.

Each subsequent execution of the program will require a password. This option seems to effectively secure the IRC client; however, I have found a way to easily subvert the password, and thus gain full control of mIRC without ever entering a password.

The password mIRC uses to "lock" mIRC is kept within the registry. To be exact, it is within the following key:

HKEY_CURRENT_USER\Software\mIRC\LockOptions

If no password is set, the value will be: 0,1. However, if a password is set, which is presumably the case, the contained value will look similar to the following: 3351915520,1. This value is actually for the password: abcdefg. As of yet, I do not know the algorithm used to encrypt the password. An interesting detail about the value contained within the key is that no matter the length of the password, it is always stored as ten numeric characters, followed by ",1". The value may not actually be the encrypted password; that is simply my assumption.

As stated previously, when mIRC is set with no password, the value contained within the key is: 0,1. Thus, if there is a password and the value were set to 0,1, mIRC would consequently execute without requiring a password.

---| Exploit Details:

This easily accomplished vulnerability can be exploited with the following registry file, which should have the file extension .reg (i.e., mIRC_sploit.reg). Once the file has been created, double-click its icon within Windows Explorer and agree to all subsequent prompts.

---BEGIN CUT HERE------------------------------------------------------
REGEDIT4

[HKEY_CURRENT_USER\Software\mIRC\LockOptions]
"(Default)"="0,1"
---END CUT HERE--------------------------------------------------------

However, a more clever attacker will:

1. Rename the original "(Default)" key.
2. Use mIRC_sploit.reg to create a new "(Default)" key.
3. Use mIRC without entering a password.
4. Finish using mIRC.
5. Delete the newest "(Default)" key.
6. Rename the old key's name back to "(Default)".

This method keeps the password, whilst still allowing a malicious user access to the program.

---| Patches/Workarounds:

No patches or workarounds are known at this time.

---| Disclaimer:

The information contained in this advisory is the copyright of Scalar Security Research Labs. The data is believed to be accurate at the time of release, but no representation or warranty is given, express or implied, as to its accuracy or completeness. Neither the author nor the publisher accepts any liability whatsoever for any direct, indirect or consequential loss or damage arising in any way from any use of, or reliance placed on, this information for any purpose. This advisory may be redistributed provided that no fee is assigned and that the content is not modified in any way.

---| Feedback:

Please send suggestions, updates, and comments to:

Scalar Security Research Labs
E-mail   : scalar@shadowvx.com
Homepage : chronix.shadowvx.com

______________________________________________________________________
Copyright 2001. Scalar Security Research Labs. All rights reserved.
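Added check, appended to the advisory and not part of the original: a Python script that parses a REGEDIT4 export of the LockOptions key described above, reports whether the lock is cleared to "0,1", and lists any extra value left beside the default, which is the trace the rename trick in the Exploit Details leaves behind. The three exports and the "(Default).old" value name are constructed sample data.

```python
import re

# Constructed REGEDIT4 exports (sample data, not captured from a real system).
# "3351915520,1" is the value the advisory reports for the password "abcdefg".
KEY = r"HKEY_CURRENT_USER\Software\mIRC\LockOptions"
LOCKED_EXPORT = 'REGEDIT4\n\n[' + KEY + ']\n"(Default)"="3351915520,1"\n'
UNLOCKED_EXPORT = 'REGEDIT4\n\n[' + KEY + ']\n"(Default)"="0,1"\n'
# What the rename trick leaves: old value kept under a made-up name, default cleared.
TAMPERED_EXPORT = ('REGEDIT4\n\n[' + KEY + ']\n"(Default)"="0,1"\n'
                   '"(Default).old"="3351915520,1"\n')


def parse_reg(text):
    """Parse a REGEDIT4 export into {key_path: {value_name: data}}.
    Only string values ("name"="data") are handled. regedit spells the default
    value as @=, the advisory's file writes "(Default)"=; both map to "(Default)"."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line and not line.startswith(";"):
            name, _, data = line.partition("=")
            name = name.strip().strip('"')
            keys[current]["(Default)" if name == "@" else name] = data.strip().strip('"')
    return keys


def lock_state(text):
    """'unlocked' for 0,1; 'locked' for the ten-digit,1 form the advisory observed;
    'missing' if the key or default value is absent; otherwise 'unexpected'."""
    data = parse_reg(text).get(KEY, {}).get("(Default)")
    if data is None:
        return "missing"
    if data == "0,1":
        return "unlocked"
    if re.fullmatch(r"\d{10},1", data):
        return "locked"
    return "unexpected"


def stray_values(text):
    """Value names under the key other than the default one. A leftover copy of
    the old value next to a "0,1" default is worth flagging for review."""
    return sorted(n for n in parse_reg(text).get(KEY, {}) if n != "(Default)")


for label, export in (("locked", LOCKED_EXPORT), ("tampered", TAMPERED_EXPORT)):
    print(label, lock_state(export), stray_values(export))
```

Run it against the output of exporting the key with regedit; a result of "unlocked" on a machine where a lock is expected, or any stray value names, is the condition to investigate.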