COMMAND
mIRC
SYSTEMS AFFECTED
mIRC 5.7, other versions may be affected
PROBLEM
'scalar' found the following hole in mIRC (a popular IRC client for
the Windows platform) that allows a malicious user to subvert the
optional password on the mIRC.exe binary.
IRC is a protocol designed to provide real-time communication
across the Internet. It is a widely used channel, and connecting to
IRC servers requires software known as an IRC client. On the
Windows operating system, one of the most widely used clients is
mIRC. This client is not totally secure; it has a significant
vulnerability that allows a malicious user to bypass the mIRC
password. Specifically, version 5.71 is analyzed within this
advisory.
In mIRC, there is an option to "Lock" mIRC. This option requires a
password to be entered before the program fully executes and
becomes functional. The option is located within the Options dialog
window. Within the left-hand panel, [+] General should be visible.
The next step is to click the [+] to drop down the list of
available options for the General subset. Now, the following should
be clearly seen:
[-]-General
|-Server
|-Lock
Next, the "Lock" option should be chosen. This changes the
right-hand side of the window, making the Lock options available.
On the upper right-hand side is the button: Lock. Clicking this
button opens a dialog box that requests a new password to lock
mIRC. After entering the necessary data, "OK" should be clicked.
This sets the password and effectively locks the mIRC binary.
Each subsequent execution of the program will require the password.
This option seems to effectively secure the IRC client; however,
'scalar' found a way to easily subvert the password, and thus
gain full control of mIRC without ever entering a password.
The password mIRC uses to "lock" mIRC is kept within the registry.
To be exact, it is within the following key:
HKEY_CURRENT_USER\Software\mIRC\LockOptions
If no password is set, the value will be: 0,1. However, if a
password is set, which is presumably the case, a value similar to
the following will be stored: 3351915520,1. This value is actually
for the password: abcdefg. As of yet, we do not know the algorithm
used to encrypt the password. An interesting detail about the value
contained within the key is that no matter the length of the
password, it is always stored as ten numeric characters, followed
by ",1". The value may not actually be the encrypted password; that
is simply my assumption.
As stated previously, when mIRC is set with no password, the
value contained within the key is: 0,1. Thus, if a password is set
and the value is changed to 0,1, mIRC will execute without
requiring a password.
This vulnerability is easily exploited with the following registry
file, which should have the file extension .reg (e.g.,
mIRC_sploit.reg). Once the file has been created, its icon should
be double-clicked within Windows Explorer, and all subsequent
prompts should be agreed to.
REGEDIT4
[HKEY_CURRENT_USER\Software\mIRC\LockOptions]
"(Default)"="0,1"
However, a more clever attacker will:
1. Rename the original "(Default)" key.
2. Use mIRC_sploit.reg to create a new "(Default)" key.
3. Use mIRC without entering a password.
4. Finish using mIRC.
5. Delete the newest "(Default)" key.
6. Rename the old key's name back to "(Default)".
This method keeps the password, whilst still allowing a malicious
user access to the program.
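The registry layout described above (a locked installation stores
"<ten digits>,1" in the key, an unlocked one stores "0,1", and the
"clever attacker" sequence leaves a renamed copy of the original
value beside a freshly created one) gives a defender something
concrete to check. The following PowerShell script is an added
example written for this advisory; it is not part of the advisory
and not mIRC's own code. It assumes the value lives exactly where
the advisory says, in the default value of
HKEY_CURRENT_USER\Software\mIRC\LockOptions, and that the format is
as described; neither assumption has been verified against other
mIRC versions. The function names Get-MircLockState and
Test-MircLockBaseline are the script's own.

```powershell
# Added example, not from the advisory or from mIRC. Reads the lock
# setting from the location the advisory names and reports whether it
# looks locked, unlocked, malformed, or tampered with.
function Get-MircLockState {
    [CmdletBinding()]
    param(
        # Key path taken from the advisory (assumption: same on all
        # affected installs). Overridable so the check can be pointed
        # at a test key.
        [string]$KeyPath = 'HKCU:\Software\mIRC\LockOptions'
    )

    $result = [ordered]@{
        KeyPath     = $KeyPath
        Present     = $false
        Value       = $null
        State       = 'Missing'   # Missing | Unlocked | Locked | Malformed
        ExtraValues = @()         # named values beside the default value
        Suspicious  = $false
    }

    if (-not (Test-Path -LiteralPath $KeyPath)) {
        return [pscustomobject]$result
    }
    $result.Present = $true

    $key = Get-Item -LiteralPath $KeyPath
    # An empty name addresses the key's default value.
    $value = $key.GetValue('')
    $result.Value = $value

    switch -Regex ([string]$value) {
        '^0,1$'      { $result.State = 'Unlocked';  break }
        '^\d{10},1$' { $result.State = 'Locked';    break }
        default      { $result.State = 'Malformed' }
    }

    # The advisory's rename-then-recreate sequence leaves the original
    # value under a new name next to the default value. Any named value
    # under this key is therefore unexpected and worth a look.
    $result.ExtraValues = @($key.GetValueNames() | Where-Object { $_ -ne '' })

    $result.Suspicious = ($result.State -ne 'Locked') -or
                         ($result.ExtraValues.Count -gt 0)
    return [pscustomobject]$result
}

# Compare the current stored value against one recorded when the lock
# was set (for example by the same script run right after locking), so
# that a silent reset to "0,1" or a swapped value shows up even though
# the hashing algorithm is unknown.
function Test-MircLockBaseline {
    param(
        [Parameter(Mandatory)][string]$ExpectedValue,
        [string]$KeyPath = 'HKCU:\Software\mIRC\LockOptions'
    )
    $state = Get-MircLockState -KeyPath $KeyPath
    if (-not $state.Present) { return $false }
    return ([string]$state.Value -eq $ExpectedValue) -and
           ($state.ExtraValues.Count -eq 0)
}

# Usage: run in the profile of the user whose mIRC install is being checked.
Get-MircLockState | Format-List
```

Because the stored value is an opaque ten-digit number, the baseline
comparison only tells you that the value changed, not what it changed
to; that is enough to catch the reset to "0,1" described above, and the
check on stray named values catches the renamed original left behind by
the six-step method. Run the check from the same user account that owns
the HKEY_CURRENT_USER hive, since each user has their own copy of the key.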
SOLUTION
No patches or workarounds are known at this time.