[KVIrc] milw0rm: command line parsing vulnerability
kvirc at thexception.net
Fri Nov 21 23:15:58 CET 2008
I just made the same test and I can say:
- Opera 9.60 detects the illegal URL and blocks it (bug does not work)
- Firefox 2.x replaces critical chars with % and their ASCII code (bug
does not work)
- Internet Explorer 7/8 simply adds it to the command line without checking
and replacing anything. (Exploit works)
So this is a bug of Internet Explorer and not KVIrc. It cannot be
fixed or secured by KVIrc since it is a bug in the way IE
handles these URLs, independent of the handler's type. In all cases it
allows modifying the command line.
On Fri, 21 Nov 2008 18:43:12 +0100
TheXception <kvirc at thexception.net> wrote:
> The problem with this is that the browser adds a clear and unescaped "
> into a command line parameter. The registry handler adds " around the
> Now the browser adds " into the parameter which results in
> kvirc.exe "irc://" -e "run calc.exe" ""
> If the browser does it right it should be:
> kvirc.exe "irc://\" -e \"run calc.exe\" \""
> At http://www.milw0rm.com/exploits/7181 it's said it's a not-fixed
> Secunia bug (http://secunia.com/advisories/25740) but this is a
> different and a fixed bug.
> This bug will occur with every event handler, not only KVIrc ones; it
> has to be fixed in the browser. Allowing unescaped " in parameters
> can't be influenced by KVIrc and is done by the browser.
> Theoretical example:
> <a href='irc://" & calc.exe "'>link</a> will have the same effect
> without KVS. Even if the handler and executable are not KVIrc it'll
> work too.
> On Fri, 21 Nov 2008 17:57:37 +0100 cimnine
> <cimnine at gmail.com> wrote:
> > Just for info: http://www.milw0rm.com/exploits/7181
> > ~cimnine
> > _______________________________________________
> > KVIrc mailing list
> > KVIrc at lists.omnikron.net
> > http://lists.omnikron.net/mailman/listinfo/kvirc
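The argument splitting discussed in this thread, as an added example that is not part of the original messages or of KVIrc: it substitutes a URL into a quoted handler template, splits the result with a simplified version of the MSVC runtime quoting rules, and checks that the handler receives exactly one argument. The template `kvirc.exe "%1"`, the function names, and the omission of the `""`-inside-quotes special case are assumptions made for illustration.

```python
from urllib.parse import quote

# Assumed handler command; the thread only says the registry entry wraps the parameter in quotes.
HANDLER_TEMPLATE = 'kvirc.exe "%1"'

def split_windows_cmdline(cmdline):
    """Split a command line with simplified MSVC rules: 2n backslashes + quote
    toggle quoting, 2n+1 backslashes + quote yield a literal quote."""
    args, cur, in_quotes, have_arg, i = [], [], False, False, 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == '\\':
            j = i
            while j < len(cmdline) and cmdline[j] == '\\':
                j += 1
            n = j - i
            if j < len(cmdline) and cmdline[j] == '"':
                cur.append('\\' * (n // 2))
                if n % 2:                      # odd count: the quote is data
                    cur.append('"')
                else:                          # even count: the quote is a delimiter
                    in_quotes = not in_quotes
                i = j + 1
            else:                              # backslashes not before a quote are literal
                cur.append('\\' * n)
                i = j
            have_arg = True
        elif ch == '"':
            in_quotes = not in_quotes
            have_arg = True
            i += 1
        elif ch in ' \t' and not in_quotes:
            if have_arg:
                args.append(''.join(cur))
                cur, have_arg = [], False
            i += 1
        else:
            cur.append(ch)
            have_arg = True
            i += 1
    if have_arg:
        args.append(''.join(cur))
    return args

def expand_handler(url, encode):
    """Build the handler command line, optionally percent-encoding the URL first."""
    if encode:
        url = quote(url, safe=":/?#[]@!$&'()*+,;=%")   # '"' and space become %22 and %20
    return split_windows_cmdline(HANDLER_TEMPLATE.replace('%1', url))

def is_single_argument(url, encode):
    """Defensive check: program name plus exactly one argument."""
    return len(expand_handler(url, encode)) == 2
```

Run against the URL implied by the command line quoted in the thread, the unencoded form splits into four arguments after the program name, while the percent-encoded form and the backslash-escaped form both stay a single argument.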