Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Expert released a PoC for a remote code execution flaw in mIRC App

Security experts discovered a vulnerability in the mIRC application that allows attackers to execute commands remotely. Security researchers Benjamin Chetioui and Baptiste Devigne from ProofOfCalc discovered a vulnerability in the mIRC application that could be exploited by attackers to execute commands remotely. mIRC is a popular Internet Relay Chat application that allows users to chat […]

mirc rce-poc 2

Security experts discovered a vulnerability in the mIRC application that allows attackers to execute commands remotely.

Security researchers Benjamin Chetioui and Baptiste Devigne from ProofOfCalc discovered a vulnerability in the mIRC application that could be exploited by attackers to execute commands remotely.

mIRC is a popular Internet Relay Chat application that allows users to chat by connecting to IRC servers, it also allows users to exchange files and links.

Installing the mIRC application will create three custom URI schemes, irc:, ircs:, and mircurl: that can be used as links to launch mIRC (i.e. url irc://irc.undernet.org/).

The flaw could be exploited by attackers to execute various commands, including download and install binaries on the vulnerable system.
The flaw allows attackers to inject commands into these custom URI schemes, it affects mIRC versions older than 7.55.

“Using the task manager and the registry, we figured out that when one calls a program through a link such as discord://randomcmd, “Discord.exe” –url — “%1” is executed, where %1 is replaced by randomcmd. What is interesting is that, in some browsers, the link is not URL-encoded in any way/just partially encoded when opened, which makes it possible to inject parameters in the command.” reads the blog post published by the experts.

On Windows OS, URI schemes are associated to specific applications that will be launched with command line arguments when the URL is clicked. According to the experts, it is possible to prevent command injection using a sigil (“–” ) for custom URI schemes.

The researchers discovered that mIRC does support sigils and allows command line injection.

“Because mIRC doesn’t use any kind of sigil such as -- to mark the end of the argument list, an attacker is able to pass arguments to mIRC through links opened by the program.” continues the analysis.

The experts set up a Samba server containing a custom MIRC.ini configuration file. This configuration file used in the PoC contains a command that executes another script, which then executes commands on the system.

This attack scheme allowed the researcher to execute commands under the context of the logged in user, it could be used to carry out several malicious activities such as download and execute malware.

In order to exploit the flaw, an attacker has to trick victims into clicking the following link or visiting a web page containing an iframe that opens the custom irc: URL:

mirc rce-poc 2

Once the user visits the web site, the iframe will trigger the launch of the mIRC application using the remote configuration file, and execute the remote script’s commands.

Below the video PoC published by the experts:

mirc rce-poc 2

The flaw was addressed with the release of mIRC 7.55 on February 8th, 2019, users have to update their installs as soon as possible

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – IRC, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]