Vulnerability in mIRC enables hackers to execute remote code

News by SC Staff

A flaw in an internet relay chat client that could enable hackers to run code to download further malware has been discovered by security researchers.

According to a blog post, the flaw exists in mIRC, an application used to connect to IRC servers so that users can chat with one another.

Benjamin Chetioui and Baptiste Devigne from ProofOfCalc found the flaw. When the mIRC app is installed, three custom URI schemes (irc:, ircs: and mircurl:) are created that can be used as links to launch mIRC (e.g. irc://irc.undernet.org/).

The vulnerability could be used by hackers to inject commands into these custom URI schemes. It affects mIRC versions older than 7.55.

"Using the task manager and the registry, we figured out that when one calls a program through a link such as discord://randomcmd, "Discord.exe" --url -- "%1" is executed, where %1 is replaced by randomcmd. What is interesting is that, in some browsers, the link is not URL-encoded in any way/just partially encoded when opened, which makes it possible to inject parameters in the command," said researchers.

Researchers added in an advisory that "mIRC has been shown to be vulnerable to argument injection through its associated URI protocol handlers that improperly escape their parameters. Using available command-line parameters, an attacker is able to load a remote configuration file and to automatically run arbitrary code."

In Windows, URI schemes are linked to specific applications that will be launched with command line arguments when the URL is clicked. Researchers said that command injection can be prevented using a sigil ("--") for custom URI schemes. But, because mIRC doesn't use any kind of sigil such as -- to mark the end of the argument list, "an attacker is able to pass arguments to mIRC through links opened by the program".
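
A defender-side check for the handler registrations described above, added here as an example (it is not code from the article or the researchers' advisory). It flags command templates whose %1 placeholder is unquoted or not preceded by a "--" sigil; the chatapp and notes entries are hypothetical, constructed samples, and the registry scan assumes the usual HKEY_CLASSES_ROOT layout with a "URL Protocol" value and a shell\open\command subkey.

```python
import re
import sys

# %1 (or %L) is the placeholder Windows replaces with the clicked URL.
PLACEHOLDER = re.compile(r'"?%[1lL]"?')

SAMPLES = {  # constructed templates, not read from a real installation
    "discord": r'"Discord.exe" --url -- "%1"',  # form quoted in the article
    "chatapp": r'"C:\Apps\chatapp.exe" %1',     # hypothetical: no sigil, unquoted
    "notes": r'"C:\Apps\notes.exe" "%1"',       # hypothetical: quoted, no sigil
}

def audit_handler(command):
    """Return a list of findings for one handler command template."""
    match = PLACEHOLDER.search(command)
    if match is None:
        return []  # URL is not passed on the command line; nothing to check
    findings = []
    token = match.group()
    if not (token.startswith('"') and token.endswith('"')):
        findings.append("placeholder is not quoted")
    # The last token before the placeholder should be a bare "--".
    before = command[:match.start()].split()
    if not before or before[-1] != "--":
        findings.append('no "--" end-of-options marker before the placeholder')
    return findings

def scan_registry():
    """Windows only: yield (scheme, command) for each registered URI scheme."""
    import winreg
    root, index = winreg.HKEY_CLASSES_ROOT, 0
    while True:
        try:
            name = winreg.EnumKey(root, index)
        except OSError:
            break  # no more subkeys
        index += 1
        try:
            with winreg.OpenKey(root, name) as key:
                winreg.QueryValueEx(key, "URL Protocol")  # marks a URI scheme
            with winreg.OpenKey(root, name + r"\shell\open\command") as key:
                yield name, winreg.QueryValueEx(key, "")[0]
        except OSError:
            continue  # not a URI scheme, or no open command

if __name__ == "__main__":
    source = scan_registry() if sys.platform == "win32" else SAMPLES.items()
    for scheme, command in source:
        for finding in audit_handler(command):
            print(f"{scheme}: {finding} -> {command}")
```

A clean result is only a heuristic: the "--" marker helps only if the launched application actually treats it as the end of its options.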

As a proof of concept, researchers ran a Samba server containing a custom MIRC.ini configuration file. Mirc.ini is a custom configuration file that should be located at C:\mirc-poc\mirc.ini on the file server. Calc.ini is a remote script file that should be located at C:\mirc-poc\calc.ini on the file server.

For the exploit to work, a hacker sends a victim a link to a web page that has an iframe that opens the custom irc: URL. Once opened, the iframe will launch the mIRC application using the remote configuration file and execute the remote script’s commands.

The flaw was fixed with the release of mIRC 7.55 in February.

"If you're using Internet Relay Chat - like vinyl, it's still a thing! - and your client of choice is the venerable mIRC software, make sure you've updated to version 7.55," Paul Ducklin, senior technologist at Sophos, told SC Media UK.

"A pair of security researchers found a remote code execution hole about a month ago. The mIRC team patched the bug pretty quickly, getting an update out on 08 February 2019, so the researchers have now published a working exploit. That means it's easy for wannabe cybercrooks to 'have a go' at anyone who isn't patched. Simply put: patch early, patch often."

Adam Greenwood-Byrne, CEO of RealVNC, told SC Media UK that this incident serves as a reminder of the importance of security – especially with remote communication and access tools.
 
"With attackers being able to execute commands remotely, the consequences of similar attacks can be much more serious if security is not made a priority, especially if you’re using similar tools in areas like critical national infrastructure," he said.
