Security researchers Benjamin Chetioui and Baptiste Devigne from ProofOfCalc discovered a vulnerability in the mIRC application that could be exploited by attackers to execute commands remotely.
mIRC is a popular Internet Relay Chat application that allows users to chat by connecting to IRC servers, it also allows users to exchange files and links.
Installing the mIRC application will create three custom URI schemes, irc:, ircs:, and mircurl: that can be used as links to launch mIRC (i.e. url irc://irc.undernet.org/).
The flaw could be exploited by attackers to execute various commands, including download and install binaries on the vulnerable system.
The flaw allows attackers to inject commands into these custom URI schemes, it affects mIRC versions older than 7.55.
“Using the task manager and the registry, we figured out that when one calls a program through a link such as discord://randomcmd, “Discord.exe” –url — “%1” is executed, where %1 is replaced by randomcmd. What is interesting is that, in some browsers, the link is not URL-encoded in any way/just partially encoded when opened, which makes it possible to inject parameters in the command.” reads the blog post published by the experts.
On Windows OS, URI schemes are associated to specific applications that will be launched with command line arguments when the URL is clicked. According to the experts, it is possible to prevent command injection using a sigil (“–” ) for custom URI schemes.
The researchers discovered that mIRC does support sigils and allows command line injection.
“Because mIRC doesn’t use any kind of sigil such as --
to mark the end of the argument list, an attacker is able to pass arguments to mIRC through links opened by the program.” continues the analysis.
The experts set up a Samba server containing a custom MIRC.ini configuration file. This configuration file used in the PoC contains a command that executes another script, which then executes commands on the system.
This attack scheme allowed the researcher to execute commands under the context of the logged in user, it could be used to carry out several malicious activities such as download and execute malware.
In order to exploit the flaw, an attacker has to trick victims into clicking the following link or visiting a web page containing an iframe that opens the custom irc: URL:
Once the user visits the web site, the iframe will trigger the launch of the mIRC application using the remote configuration file, and execute the remote script’s commands.
Below the video PoC published by the experts:
The flaw was addressed with the release of mIRC 7.55 on February 8th, 2019, users have to update their installs as soon as possible
[adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – IRC, hacking)
[adrotate banner=”5″]
[adrotate banner=”13″]
China-linked threat actors are preparing cyber attacks against U.S. critical infrastructure warned FBI Director Christopher…
The United Nations Development Programme (UNDP) has initiated an investigation into an alleged ransomware attack…
BlackBerry reported that the financially motivated group FIN7 targeted the IT department of a large…
An international law enforcement operation led to the disruption of the prominent phishing-as-a-service platform LabHost.…
Russia-linked APT Sandworm employed a previously undocumented backdoor called Kapeka in attacks against Eastern Europe since…
Cisco has addressed a high-severity vulnerability in its Integrated Management Controller (IMC) for which publicly…
This website uses cookies.