mIRC 6.14 Exploit: How true is this?

ed · Posted: Mar 24, 2004 4:41pm Post subject:

Watch this thread. So far, it seems to be completely unconfirmed.

ex0 · Guest

it isnt even april 1st yet.

Mary · SearchIRC Admin Joined: 03 May 2003 Posts: 696

I have it on good faith that the exploit is real. It has been tested and repeated. I believe those who knew about the exploit didn't want to publicize it until there was a fix. I spoke to Asmo about this earlier today, and he said he would not post a story until it was out in the open. But as we all know, IRC and secrets don't go well together. I wasn't too surprised to see his article this afternoon.

/ignore -wd * or set your DCC preferences to Ignore All.

Update your client as soon as Khaled announces a fix.

codemastr · Idler Joined: 05 Feb 2004 Posts: 345

You might have it in good faith that it is real, but it has now been confirmed to be wrong. The person who originally reported it has supplied further information which proves that it is NOT a problem with mIRC. You will notice that sites originally saying it was "confirmed" have now retracted that claim. http://kline.dal.net/exploits/

I find it quite scary though how one claim quickly turned into such a huge thing. Not only was the exploit known, people were reporting that it was already in widespread use, and people have developed exploits to allow true remote execution, etc. One claim, and next thing you know, everyone believes it.

However, I must also complain about the mIRC people. Though I stopped using mIRC after the last exploit was found, I must say I find their handling of this situation apalling. When these claims surfaced, and people turned to the mIRC team for answers, what did they get? Tjerk posting a poll titled, "What mIRC version do you want to go back to?" People are worried about a remotely exploitable problem, that if true, would have allowed anything from wiping the harddrive, copying all files, to using it as a drone, and their response is to make a joke? Tjerk later remarked that he had nothing to add and that it was time for him to go to sleep. Honestly, I really don't understand why no one has as of yet made even a single comment about the way the mIRC team handled this... Other than the forums, there isn't even a single mention of it on the website, and even on the forums, the mIRC team didn't even make one serious reply about it.

Asmo · none Joined: 06 May 2003 Posts: 28

I'm sorry that I cant give any insight information about the exploit, becuase at this point I strongly believe it will do more bad then good.

But however I still believe this exploit is a real one, it's been reproduced, and I've seen it working too. If this exploit is not mIRC specific, then the mIRC team should let their customers know about it, and what they can do to protect themself.

mIRC is the biggest IRC client without doubt, and a commercial one as well, so they better do what they have to. This is starting to look like the Trillian issue where exploit after exploit after exploit is being discovered.

I highly trust my sources. As Mary said, I did not wanted to publish about it as long as it was not widely known. Since then it has been popping up on websites and fora, as well as being globally noticed over major networks. Hence my post, as I believe I should give my readers the choice to protect themself.

If however this exploit turns out to be incorrect (or not mIRC specific) I will ofcourse post a new article on the website about it.

madCoder · Guest

Asmo · none Joined: 06 May 2003 Posts: 28

I'm indeed getting more and more signs that this is the case. I'm kind of waiting for a final confirmation that this IS a exploit in a third party script, instead of a exploit in mIRC itself before making a final announcement on the case.

Mary · SearchIRC Admin Joined: 03 May 2003 Posts: 696

Did you ever wake up in the morning and find out everything changed while you were asleep? ;)

This didn't start when the exploit was reported. It started when the exploit was USED the first time! If you think news travels fast between admins and IRC ops, well, just get a bug in your client, ircd or services and find out how fast news travels in the script kiddie community. There isn't a brick wall between IRC ops and the kids. Information flows rather freely back and forth.

This was an Extremely serious bug reported. Some of the more cl00ful people on IRC were asking me about this on Tuesday evening. Rumors were starting. Asmo didn't think it was public knowledge early the next day, but a few hours later he too found the story was spreading all over.

Its one thing to sit on a story while its being verified, its quite another to sit silently while people try to use this on each other. In that case, the responsible course of action is to do whatever you can to protect IRC users.

As for mIRC. Its easy to forget that mIRC is one of the few things related to IRC that makes money - and it makes a LOT of money. They aren't the first business that stuck their head in the sand on news that their product might cause damage.

Fortunately it looks like the exploit is less serious than originally thought. When the big bad wolf finally came out of the bushes it was a wee little baby wolf puppy. We can all breathe a sigh of relief and go back to watch the Congressional Hearings on 9/11, where there's some real professional finger pointing going on. ;)

codemastr · Idler Joined: 05 Feb 2004 Posts: 345

Mary · SearchIRC Admin Joined: 03 May 2003 Posts: 696

Sais · Guest

codemastr · Idler Joined: 05 Feb 2004 Posts: 345

al5001 · Lurker Joined: 17 Jul 2003 Posts: 181 Location: Canada

The DCC exploit was just about fixed in mIRC 6.12... The only bug in mIRC 6.12 is when you minimize a DCC transfer window when someone sends you a file with a name longer than 224 characters, it will freeze and crash mIRC. There is a very easy way to fix this -- just don't accept files from people you don't know -- regardless of exploits, this will also prevent you from getting viruses.

It is quite amazing the number of rumours that get spread. I believe the reason why the mIRC team hasn't responded is that they don't want to get everyone paranoid.

Have you seen what happened to MS Windows users? Most of them, being teenagers, heard some rumours about Windows being insecure, so they installed ZoneAlarm (which, when you search google, you'll find hundreds of exploits and backdoors for ZoneAlarm). Once they installed third party firewalls, they started having problems (not to mention, they had no problems before they installed the unstable, unreliable, exploitable third party software). MS Windows computers became instable when users ran third party software that had endless amounts of segmentation faults (which when you run MS software and no third party software, you won't have these problems).

These people switched to Linux, hearing many stories that it is a leet operating system because it comes with a free C/C++ compiler and a -f option on the ping command, not knowing how or why to custom configure/compile the kernel, nor how to set up iptables (nor ipfw on FreeBSD). They also didn't realise the consequences with using root account 24/7. If you take the IP address of the spambots that log onto your IRC network, check port 22 and port 23 with telnet, you'll find that these spambots have telnetd/sshd running, which clearly states they run on a Linux or UNIX box (or quite possibly at the very least, cygwin on Windows). Is Linux virus free? (Well first let's ask -- what is a virus? a piece of code surreptitiously introduced into a system in order to corrupt it or destroy data.) NO. You can easily run a bad piece of software on Linux as root that will erase your entire hard drive by executing "rm -rf /", or, in the case of a spambot, make it connect to a bunch of IRC servers and spam them with a Windows-executable virus. We commonly call these viruses.

Again, with Windows, you must treat administrator accounts as you would a root account.

codemastr · Idler Joined: 05 Feb 2004 Posts: 345