Vulnerability Development mailing list archives

mirc32 6.0x crash when resolving dns.

From: "aT4r InsaN3" <at4r () hotmail com>
Date: Mon, 26 May 2003 23:22:37 +0200

While checking yesterday my snort database i found some attacks from thehost 210.193.16.22 so i began to resolve the dns from the hosts with mirc32and i executed the following commands in the status window:


/dns 210.193.16.22
/dns 210.193.16.23
/dns 210.193.16.24
* Looking up 210.193.16.22
* Looking up 210.193.16.23
* Looking up 210.193.16.24
* Unable to resolve 210.193.16.22
/dns 210.193.16.25
* Looking up 210.193.16.25
* Unable to resolve 210.193.16.23
(** MIRC CRASH**)

every time i tried to resolve a few ips mirc32 dies. the problem seems to bein the WSAAsyncGetHostByName() call.i have tested this feature in both mirc 6.01 and 6.03 in diferentcomputers. SO: winxpI cant give too many information about how to reproduce it, just try toresolve some dns like the example.there are some mirc scripts that resolve dns after some events like ctcps ,so maybe this bug can be used remotely as a Denial of Service.


Windbg:
0:004> g
ModLoad: 76ee0000 76f05000   C:\WINDOWS\System32\DNSAPI.dll
ModLoad: 76f70000 76f77000   C:\WINDOWS\System32\winrnr.dll
ModLoad: 76f20000 76f4d000   C:\WINDOWS\system32\WLDAP32.dll
ModLoad: 76f80000 76f85000   C:\WINDOWS\System32\rasadhlp.dll
(794.788): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.

eax=00000000 ebx=005ea830 ecx=00000001 edx=71a42268 esi=005ea830edi=71a42268eip=71a38d72 esp=01a8ff34 ebp=01a8ff5c iopl=0 nv up ei pl nz na penccs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000efl=00010202*** ERROR: Symbol file could not be found. Defaulted to export symbols forC:\WINDOWS\System32\WS2_32.dll -

WS2_32!WSAAsyncGetHostByName+407:

71a38d72 8a10 mov dl,[eax]ds:0023:00000000=??


regards

Andres Tarascó Acuña
3W Design Security - 2003

_________________________________________________________________

MSN Compras: Veinte tiendas personales abiertas todo el día.http://www.msn.es/compras/

Current thread:

mirc32 6.0x crash when resolving dns. aT4r InsaN3 (May 27)
- Re: mirc32 6.0x crash when resolving dns. Davide Del Vecchio (May 27)
  - RE: mirc32 6.0x crash when resolving dns. Christopher Canova (May 28)
  - Re[2]: mirc32 6.0x crash when resolving dns. 3APA3A (May 28)
    - Re: mirc32 6.0x crash when resolving dns. Peter Pentchev (May 30)
    - Re[2]: mirc32 6.0x crash when resolving dns. 3APA3A (May 30)
- Re: mirc32 6.0x crash when resolving dns. Bram Matthys (Syzop) (May 27)
  - Re: mirc32 6.0x crash when resolving dns. at4r ins4n3 (May 28)
- Re: mirc32 6.0x crash when resolving dns. Roland Postle (May 28)