A proof of concept exploit has been released for the latest version of mIRC

Oct 3, 2008 14:55 GMT  ·  By

A buffer overflow in the latest version of mIRC (6.34) can be triggered remotely and may allow arbitrary code execution. No patch is available yet, and users are advised to be cautious when connecting to IRC servers or opening irc:// links.

Secunia released a security advisory regarding this vulnerability in response to a proof of concept (PoC) exploit being posted on the popular exploit tracking website Milw0rm. The vulnerability is a boundary error in the handling of IRC PRIVMSG messages. An attacker could exploit it by tricking users that have mIRC installed into connecting to a maliciously crafted IRC server.

Upon installation, mIRC registers itself as the handler for irc:// links. This means that if someone clicks on an irc://server:port type link on a website or inside an e-mail client, mIRC is launched and attempts to connect to the specified server, which can just as well be one the attacker controls. By setting up a small rogue server that sends a malformed PRIVMSG to the connecting client, an attacker could execute arbitrary code on the victim's computer with the privileges of the user running mIRC.
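The attack flow described above (an irc:// link pulls the client to a rogue server, which then sends a malformed PRIVMSG) comes down to the client copying server-controlled fields into fixed-size buffers without checking their length. The following is an added illustration of that bug class and of the bounded parser that prevents it, written for this page; it is not mIRC's code (mIRC is closed source and the advisory does not say which field overflows) and not the securfrog PoC. The buffer sizes, the struct and function names, and the sample lines are assumptions made for the illustration.

```c
/* Added illustration of the PRIVMSG bug class, not mIRC's source.
 * All sizes, names and sample lines below are assumptions. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IRC_MAX_LINE 512   /* RFC 1459 line limit, including "\r\n" */
#define NICK_MAX      32   /* assumed client buffer for the sender's nick */
#define TARGET_MAX    64   /* assumed client buffer for the target */
#define TEXT_MAX     512   /* assumed client buffer for the message body */

struct privmsg {
    char nick[NICK_MAX];
    char target[TARGET_MAX];
    char text[TEXT_MAX];
};

/* Locate the pieces of ":nick!user@host PRIVMSG target :text" without
 * copying anything. Returns 0 on success, -1 if the shape is wrong. */
static int split_privmsg(const char *line,
                         const char **nick, size_t *nick_len,
                         const char **target, size_t *target_len,
                         const char **text)
{
    const char *bang, *sp, *cmd, *colon;

    if (line[0] != ':') return -1;
    bang = strchr(line + 1, '!');
    sp   = strchr(line + 1, ' ');
    if (!bang || !sp || bang > sp) return -1;   /* prefix must be nick!user@host */
    *nick = line + 1;
    *nick_len = (size_t)(bang - *nick);

    cmd = sp + 1;
    if (strncmp(cmd, "PRIVMSG ", 8) != 0) return -1;
    *target = cmd + 8;
    colon = strstr(*target, " :");
    if (!colon) return -1;
    *target_len = (size_t)(colon - *target);
    *text = colon + 2;
    return 0;
}

/* Vulnerable pattern: trusts the server to keep every field short.
 * A nick longer than NICK_MAX-1 bytes overruns msg->nick; the same
 * goes for target and text. Only call it with well-formed input; it
 * is here to show the bug, not to be fed the oversized line. */
int parse_privmsg_unsafe(const char *line, struct privmsg *msg)
{
    const char *nick, *target, *text;
    size_t nick_len, target_len;

    if (split_privmsg(line, &nick, &nick_len, &target, &target_len, &text))
        return -1;
    memcpy(msg->nick, nick, nick_len);          /* no bound check */
    msg->nick[nick_len] = '\0';
    memcpy(msg->target, target, target_len);    /* no bound check */
    msg->target[target_len] = '\0';
    strcpy(msg->text, text);                    /* no bound check */
    return 0;
}

/* Hardened: enforce the protocol line limit first, then check every
 * field against its destination buffer before copying. Input that does
 * not fit is rejected rather than truncated. */
int parse_privmsg_safe(const char *line, struct privmsg *msg)
{
    const char *nick, *target, *text;
    size_t nick_len, target_len, text_len;

    /* no terminator within IRC_MAX_LINE+1 bytes means the line is too long */
    if (memchr(line, '\0', IRC_MAX_LINE + 1) == NULL) return -1;
    if (split_privmsg(line, &nick, &nick_len, &target, &target_len, &text))
        return -1;
    text_len = strcspn(text, "\r\n");           /* drop the CRLF terminator */
    if (nick_len >= NICK_MAX || target_len >= TARGET_MAX || text_len >= TEXT_MAX)
        return -1;
    memcpy(msg->nick, nick, nick_len);       msg->nick[nick_len] = '\0';
    memcpy(msg->target, target, target_len); msg->target[target_len] = '\0';
    memcpy(msg->text, text, text_len);       msg->text[text_len] = '\0';
    return 0;
}

/* The shape of line a rogue server would push to a freshly connected
 * client: a PRIVMSG whose prefix is far longer than any client buffer.
 * Constructed for this example. Returns the line length, 0 if 'cap' is
 * too small. */
size_t build_oversized_privmsg(char *buf, size_t cap, size_t nick_len)
{
    size_t n;
    if (nick_len + 32 > cap) return 0;
    buf[0] = ':';
    memset(buf + 1, 'A', nick_len);
    n = 1 + nick_len;
    n += (size_t)snprintf(buf + n, cap - n, "!x@evil PRIVMSG victim :hi\r\n");
    return n;
}

int main(void)
{
    struct privmsg m;
    char evil[2048];

    if (parse_privmsg_safe(":alice!a@host PRIVMSG bob :hello\r\n", &m) == 0)
        printf("benign: <%s> to %s: %s\n", m.nick, m.target, m.text);
    build_oversized_privmsg(evil, sizeof evil, 1000);
    printf("oversized line %s\n",
           parse_privmsg_safe(evil, &m) ? "rejected" : "accepted");
    return 0;
}
```

The 512-byte line limit is only a convention of the protocol; a rogue server is under no obligation to honour it, so the client has to enforce it itself, and it has to check each field against its own buffer as well, since a 500-byte nick fits the line limit comfortably while overrunning a 32-byte buffer. Rejecting the line outright, rather than truncating it, keeps a hostile server from sneaking a partially parsed message through.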

The Secunia advisory credits the author of the PoC exploit, securfrog (securfrog[at]gmail{dot}com), with the discovery of this vulnerability and notes that no security update or patch that fixes this issue has been released by the vendor yet. Therefore, for the time being, mIRC users are advised to connect only to servers that they trust and not to click on unknown irc:// links. "I'll continue to try to reproduce this issue and if verified I should have an update out shortly," wrote Khaled Mardam-Bey, mIRC's creator and developer.

mIRC is probably the most popular IRC client, at least on Windows. IRC (Internet Relay Chat) is a real-time text chat protocol that dates back to 1988. For a long time it was one of the best real-time chat protocols around, and its use to report on the Soviet coup attempt of 1991 and by US soldiers to communicate with their families during the Gulf War made it very popular in the '90s.

Since 2000, IRC's popularity has slowly declined in favor of other online chat alternatives such as instant messaging systems (MSN Messenger, Yahoo! Messenger, etc.) or social networking websites, which are more feature-rich. However, IRC networks are still used by thousands of people, for example for real-time technical support on various topics; the Freenode network hosts support channels for many popular open source projects and Linux distributions. Gamers also use IRC to keep in touch, QuakeNet and GameSurge being good examples.

From the IT security perspective, IRC servers are well known for their use as botnet command-and-control servers, through which attackers direct the compromised computers ("drones") produced by malware infections. This is one more reason why this mIRC vulnerability could prove very dangerous, even though the Secunia advisory rates it, from a technical perspective, only as moderately critical. There are still many mIRC-based bots out there, such as the GTbot family, alongside other kinds of drones, that are routinely used to launch DDoS attacks. This vulnerability could swell their numbers, especially if it is combined with other attack techniques and exploits; DNS cache poisoning, which could redirect a client to a rogue server even when it connects to the hostname of a trusted network, comes to mind.