mIRC DCC Get Folder Dialog Long String Overflow

2005-12-09T06:35:39
ID OSVDB:24116
Type osvdb
Reporter Jordi Corrales (jordi@shellsec.net)
Modified 2005-12-09T06:35:39

Description

Vulnerability Description

A local overflow exists in mIRC. The product fails to check bounds for elements of the locally opened "DCC Get Folder" dialog, resulting in a buffer overflow. With a specially crafted request, an attacker can cause arbitrary code execution with the current user's privileges, resulting in a loss of integrity.

Technical Description

The vendor notes: "As far as I can tell, this is neither an exploit nor a vulnerability. The above report describes a local bug in mIRC. The author of the report indicates that any malicious software on your computer can modify your mIRC settings to cause mIRC to crash. But if you have malicious software on your computer, you've already compromised your security..."

Solution Description

Upgrade to version 6.17 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

References:

Vendor URL: http://www.mirc.com/
Packet Storm: http://www.packetstormsecurity.org/0512-exploits/mIRCexploitXPSP2eng.c
Other Advisory URL: http://www.shellsec.net/leer_advisory.php?id=9
Other Advisory URL: http://trout.snt.utwente.nl/ubbthreads/showflat.php?Cat=0&Number=146129&an=0&page=0#146129
Mail List Post: http://seclists.org/lists/bugtraq/2005/Dec/0263.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-12/0259.html
Generic Exploit URL: http://www.securiteam.com/windowsntfocus/6E00O2AEUC.html
CVE-2005-4681