[29696] in bugtraq
mIRC "dcc filename spoofing"
daemon@ATHENA.MIT.EDU (=?iso-8859-1?Q?Knud_Erik_H=F8jgaar)
Tue Apr 8 12:14:51 2003
Message-ID: <005701c2fd30$3b220ce0$24029dd9@tuborg>
From: =?iso-8859-1?Q?Knud_Erik_H=F8jgaard?= <kain@ircop.dk>
To: <bugtraq@securityfocus.com>
Date: Mon, 7 Apr 2003 20:05:10 +0200
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0054_01C2FD40.FE53BC30"
------=_NextPart_000_0054_01C2FD40.FE53BC30
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Attached document explains all.
Rant: People using a product called 'antigen' should be shot, stabbed, and
shot again. Today, more than a month after posting DSR-toppler.pl and
sircd.sh, I _still_ get 5-8 emails a day saying that 'a virus have been
found and quarantined'. Oh please, get a grip. And please oh please stop
sending email from invalid addresses, I can't even mail you back and tell
you what I think of your AV solution.
--
Knud Erik Højgaard
------=_NextPart_000_0054_01C2FD40.FE53BC30
Content-Type: text/plain;
name="DSR-mirc-filenames.txt"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
filename="DSR-mirc-filenames.txt"
I. BACKGROUND
mIRC is "a friendly IRC client that is well equipped with options and=20
tools"
More information about the application is available at=20
http://www.mirc.com
II. DESCRIPTION
The DCC GET dialog has a limited area visible for the filename.
By DCC sending a file with a specially crafted filename it's possible to =
'spoof' a legitimate file.=20
III. ANALYSIS
Sending a file which name consists of for example 'me.mpg' + 'about 180=20
"alt-0160(fakespace)"' + '.exe' leads the recieving user into believing=20
that the file is merely a harmless mpeg file, while it is in fact an=20
executable. mIRC has a handy 'open' button upon completion of the dcc,=20
so unless the user actually opens the download folder and verifies the
extension of the file, a compromise is possible.
IIIa. MITIGATING FACTORS
If the remote user has DCC ignore enabled this will of course not work.
IV. DETECTION
mirc 6.03 and below has been found vulnerable.
V. WORKAROUND
unknown
VI. VENDOR FIX
unknown
VII. CVE INFORMATION
unknown
VIII. DISCLOSURE TIMELINE
unknown
IX. CREDIT
Knud Erik H=F8jgaard/kokanin[a]dtors.net
------=_NextPart_000_0054_01C2FD40.FE53BC30--
