Re: 0day: mIRC pwns Windows

[Greg Rubin <grrubin () gmail com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
I am still unable to replicate.  It launches FireFox (2.0.0.7) for me
on my system and yeilds the error page "Firefox can't find the server
at %xx..."

If I replace the "%xx" with a null byte (inspired by the recent
protocol handler problems in FF), then it still doesn't work, as per
the mIRC string: http: $+ $chr(0) $+
../../../../../../../../../../../windows/system32/calc.exe"

So far, with various permutations of protocol handlers and odd
characters, I can't reproduce this.

Greg

3APA3A wrote:
> Dear Gavin Hanover,
>
> In  this  very  case  it's  really seems to be mIRC problem ("unfiltered
> shell  characters"). It doesn't depend on URL handler and will work with
> any valid URL handler. You can reproduce same vulnerability by entering
>
>  http:%xx../../../../../../../../../../../windows/system32/calc.exe".bat
>
> Exploitable under Windows XP, not exploitable under Vista.
>
> --Wednesday, October 3, 2007, 11:59:45 PM, you wrote to
jinc4fareijj () hotmail com:
> GH> is this a mirc bug or a mail client bug?
>
> > > mailto:%xx../../../../../../../../../../../windows/system32/calc.exe".bat


- --
Greg Rubin
grrubin () gmail com
GPG: 0x79D0A517

(Interested in encrypting your email? Please ask me how.)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
 
iD8DBQFHBQ715KDU23nQpRcRAm4UAKCv4xq/V4pz+uAlPBmb06yEGN4MKQCg7lk1
9JOhTzWLeJs/N4OCjSRuNKk=
=//Ll
-----END PGP SIGNATURE-----