1999-08-17T00:00:00
ID PACKETSTORM:11802
Type packetstorm
Reporter Packet Storm
Modified 1999-08-17T00:00:00

#### Description

                                        
Date: Tue, 8 Jun 1999 22:49:35 -0400
From: Rich Lafferty <rich@ALCOR.CONCORDIA.CA>
To: BUGTRAQ@netspace.org

[This one stunned me. I triple-checked and tested more than I'd
usually test because I can't believe anyone would implement something
so ridiculous. Perhaps I'm just optimistic. Anyhow, moving on:]

\begin{vulnerability}

About a week ago, mIRC 5.6 was released. Amongst other new features,
it includes the following (from the changelog, versions.txt):

auto-opens websites as they are mentioned in a window.

With the cooperation of an mIRC user (thanks Lindy_!), I found that it
does exactly as it says -- when it's enabled, mIRC happily tells
Netscape (and presumably IE, if that's the Default Browser) to open
any URLs that it sees.

Now, I don't actively pay attention to the various Windows-browser
exploits that appear here, so I suspect the diligent bugtraq reader
will come up with ickier things to do with this than I, but just off

* linking to /dev/zero and letting the mIRC user's hard drive fill
* Banners, banners, banners.
* Trojan or virus-infected things, especially if the browser
autoexecutes them.
* http://some.host.name:19/
* flood an IRC channel with URLs, causing the browser to try to

Anyhow, wide open. Whatever you can put in a URL, mIRC will devotedly

\end{vulnerability}

\begin{soapbox}

It's basically reached the point now where any release of mIRC which
isn't a patchlevel increment contains a significant vulnerability,
which is then patched in a patchlevel-increment release between a week
and a month later. That is, 5.5's dcc-server bug brought a quick 5.51,
5.4's $calc bug, 5.3 and hanson.c, and 5.2's "mIRC worm", which takes
us back to the beginning of the bugtraq archive on geek-girl.com.
Looking at versions.txt, it seems that nearly every mIRC release x.x
has been followed up by an x.x1 or x.x2 bugfix within a few weeks of
its release all the way back to 3.92. (Prior to 3.92, the release
schedule seemed to be characteristic of known-beta-quality software; I
recall 3.92 being basically when mIRC hit the "big time", too.)
Obviously, these non-bugfix releases are being consistently released
prematurely. Just take a look at the release dates at
http://www.mircscripts.com/old/ -- something is *certainly* awry.

mIRC is beta-tested by a small, closed group. It's also the most
popular IRC client in the world. History seems to indicate that
whatever testing takes place isn't anywhere near sufficient. Users
are conditioned to rush for the newest release as soon as it's
available. Perhaps the rush to get that release out is being
prioritized, intentionally or accidentally, over making sure that
the program is reasonably secure?

Certainly, no-one's reviewing code; it seems that they're not even
thinking through the implementations of newly-introduced
*concepts*. Perhaps it's time to revise the testing procedures --
drastically, even? -- to catch these problems before letting them
loose on the huge, dedicated userbase?

\end{soapbox}

-Rich

--
Rich Lafferty ---------------------------------------------------------
IITS/Computing Services | "How should I know if it works? That's what
Concordia University | beta testers are for. I only coded it" -LT
rich@alcor.concordia.ca ----------------------------------------[McQ]--
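
Added example (not part of the original posts, and not mIRC code): one way a chat client could treat URLs seen in messages, given the abuses listed above. It never navigates on its own, restricts scheme and port, and caps how many links one window can surface per minute. `UrlGate`, its thresholds and the verdict names are hypothetical.

```python
import time
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {None, 80, 443}   # assumption: default web ports only
MAX_URLS_PER_WINDOW = 3           # assumption: links surfaced per window per interval
INTERVAL_SECONDS = 60.0


class UrlGate:
    """Decides what a chat client may do with a URL seen in a message."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._seen = {}  # window name -> timestamps of recently accepted URLs

    def decide(self, window, url):
        """Return (verdict, reason); no verdict means 'open automatically'."""
        try:
            parts = urlsplit(url)
            port = parts.port  # raises ValueError on a malformed port
        except ValueError:
            return ("drop", "malformed URL")
        if parts.scheme not in ALLOWED_SCHEMES:
            return ("drop", "scheme not allowed")
        if not parts.hostname:
            return ("drop", "no host")
        if port not in ALLOWED_PORTS:
            return ("drop", "port not allowed")
        # Sliding-window rate limit so a channel flood cannot spawn many links.
        now = self._clock()
        recent = [t for t in self._seen.get(window, [])
                  if now - t < INTERVAL_SECONDS]
        if len(recent) >= MAX_URLS_PER_WINDOW:
            self._seen[window] = recent
            return ("drop", "rate limit")
        recent.append(now)
        self._seen[window] = recent
        return ("ask_user", "show as a link; open only on an explicit click")


if __name__ == "__main__":
    gate = UrlGate()
    # Constructed sample inputs; the port-19 URL is the one quoted in the post.
    for sample in ("http://some.host.name:19/", "file:///dev/zero",
                   "http://example.org/"):
        print(sample, gate.decide("#channel", sample))
```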

-------------------------------------------------------------------------

Date: Wed, 9 Jun 1999 09:26:42 +0200
From: Tjerk Vonck <mirc@DDS.NL>
To: BUGTRAQ@netspace.org

At 22:49 08-06-99 -0400, Rich Lafferty <rich@alcor.concordia.ca> wrote:
>About a week ago, mIRC 5.6 was released. Amongst other new features,
>it includes the following (from the changelog, versions.txt):
>
> auto-opens websites as they are mentioned in a window.

Wait a sec; There is no general option to enable tracking in all channels
and/or all query windows. You have to switch it on on a per user (nick) or
channel basis. May we assume people will only do this on channels where they
feel at home and/or with other users they know personally and trust?

There is no *big red button* to enable this minor gimmick.. It is an option
in the 'System Menu' (in the top left hand corner of a window) together
with other things like logging and timestamping.

>With the cooperation of an mIRC user (thanks Lindy_!), I found that it
>does exactly as it says ..

Yes, of course, otherwise it would be buggy. In all exploit examples you
thought of it is simply a matter of disabling the URL tracking you have set
active for the channel or query. End of problem.

Tjerk.

-------------
The new mIRC version 5.6 is available now! A new IRC Intro is
included, as well as a fresh list of IRC servers. Have fun with
this new mIRC! Read more about mIRC on one of the mIRC WWW pages:

http://www.mirc.co.uk United Kingdom <- mIRC's Homesite
http://www.geocities.com/~mirc/ USA <- mIRC's US mirror
http://www.nip.nl/mirc/ The Netherlands
http://www.mirc.queen.it/ Italy
http://mirc.kems.net/ Kuwait
http://www.mirc.com.ar/ Argentina
http://www.conesul.com.br/mirc/ Brazil
http://www.mirc.co.za/ South Africa
http://mirc.eon.net.au/ Australia

These pages give a lot of hints and help on mIRC and IRC. Make
sure to read the mIRC FAQ which is distributed separately from
mIRC. The FAQ answers a LOT of questions and includes a tutorial
on Aliases, Popups and on 'programming' mIRC's Tools/Remote
section...

Included in mIRC's distribution is an IRC Intro. Look in the
Help/Contents menu in mIRC for looots of help on IRC and
solutions to its most common quirks and problems. At
http://www.mirc.co.uk/servers.ini you can find the most recent
list of IRC servers.