Pierluigi Paganini February 20, 2019

Security experts discovered a vulnerability in the mIRC application that allows attackers to execute commands remotely.

Security researchers Benjamin Chetioui and Baptiste Devigne from ProofOfCalc discovered a vulnerability in the mIRC application that could be exploited by attackers to execute commands remotely.

mIRC is a popular Internet Relay Chat application that allows users to chat by connecting to IRC servers, it also allows users to exchange files and links.

Installing the mIRC application will create three custom URI schemes, irc:, ircs:, and mircurl: that can be used as links to launch mIRC (i.e. url irc://irc.undernet.org/).

The flaw could be exploited by attackers to execute various commands, including download and install binaries on the vulnerable system.
The flaw allows attackers to inject commands into these custom URI schemes, it affects mIRC versions older than 7.55.

“Using the task manager and the registry, we figured out that when one calls a program through a link such as discord://randomcmd, “Discord.exe” –url — “%1” is executed, where %1 is replaced by randomcmd. What is interesting is that, in some browsers, the link is not URL-encoded in any way/just partially encoded when opened, which makes it possible to inject parameters in the command.” reads the blog post published by the experts.

On Windows OS, URI schemes are associated to specific applications that will be launched with command line arguments when the URL is clicked. According to the experts, it is possible to prevent command injection using a sigil (“–” ) for custom URI schemes.

The researchers discovered that mIRC does support sigils and allows command line injection.

“Because mIRC doesn’t use any kind of sigil such as -- to mark the end of the argument list, an attacker is able to pass arguments to mIRC through links opened by the program.” continues the analysis.

The experts set up a Samba server containing a custom MIRC.ini configuration file. This configuration file used in the PoC contains a command that executes another script, which then executes commands on the system.

This attack scheme allowed the researcher to execute commands under the context of the logged in user, it could be used to carry out several malicious activities such as download and execute malware.

In order to exploit the flaw, an attacker has to trick victims into clicking the following link or visiting a web page containing an iframe that opens the custom irc: URL:

Once the user visits the web site, the iframe will trigger the launch of the mIRC application using the remote configuration file, and execute the remote script’s commands.

Below the video PoC published by the experts:

The flaw was addressed with the release of mIRC 7.55 on February 8th, 2019, users have to update their installs as soon as possible

Pierluigi Paganini

(SecurityAffairs – IRC, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]