[KVIrc] milw0rm: command line parsing vulnerability

Алексей Ужва alexey at uzhva.ru
Sat Nov 22 06:45:43 CET 2008


We can fix it if we use DDE as the link handler (as mIRC does). It should work,
I guess. Since DDE doesn't invoke the command-line parser, it will be
secure enough. But it requires Win32 coding.

2008/11/22 TheXception <kvirc at thexception.net>

> I just made the same test and I can say:
>
> - Opera 9.60 detects the illegal URL and blocks it (bug does not work)
>
> - Firefox 2.x replaces critical chars with % and their ASCII code (bug
> does not work)
>
> - Internet Explorer 7/8 simply adds it to the command line without checking
> or replacing anything. (Exploit works)
>
> So this is a bug in Internet Explorer and not KVIrc. It cannot be
> fixed or secured by KVIrc since it is a bug in the way IE
> handles these URLs, independent of the handler's type. In all cases it
> allows modifying the command line.
>
> TheXception
>
> On Fri, 21 Nov 2008 18:43:12 +0100
> TheXception <kvirc at thexception.net> wrote:
>
> > The problem here is that the browser adds clear, unescaped " characters
> > into a command-line parameter. The registry handler adds " around the
> > parameter.
> >
> > Now the browser adds " into the parameter, which results in
> > kvirc.exe "irc://" -e "run calc.exe" ""
> >
> > If the browser did it right it should be:
> > kvirc.exe "irc://\" -e \"run calc.exe\" \""
> >
> > At http://www.milw0rm.com/exploits/7181 it's said it's an unfixed
> > Secunia bug (http://secunia.com/advisories/25740 ) but this is a
> > different and already fixed bug.
> >
> > This bug will occur on every event handler, not only the KVIrc one; it
> > has to be fixed in the browser. Allowing unescaped " in parameters
> > can't be influenced by KVIrc and is done by the browser.
> >
> > Theoretical example:
> >
> > <a href='irc://" & calc.exe "'>link</a> will have the same effect
> > without KVS. Even if the handler and executable are not KVIrc it'll
> > work too.
> >
> > TheXception
> >
> >  On Fri, 21 Nov 2008 17:57:37 +0100 cimnine
> > <cimnine at gmail.com> wrote:
> >
> > > Just for info: http://www.milw0rm.com/exploits/7181
> > >
> > > ~cimnine
> > > _______________________________________________
> > > KVIrc mailing list
> > > KVIrc at lists.omnikron.net
> > > http://lists.omnikron.net/mailman/listinfo/kvirc
>



-- 
Alexey Y Uzhva

Everything will be all right in the end.
If it's not all right, it's not the end.
--
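The mechanism TheXception describes above (the shell substitutes the URL into the handler's `"%1"` slot, and the Windows command-line tokenizer then splits on the unescaped quotes), worked through as an added example. This is not code from KVIrc, from the thread or from any browser: it is a Python model of the documented MSVC CRT / CommandLineToArgvW splitting rules, applied to a hypothetical handler template `kvirc.exe "%1"` and to the URL constructed from the thread's example. It shows the unescaped substitution splitting into five arguments (so KVIrc receives a `-e` option it never saw in the registry value), the backslash-escaped form TheXception says a correct browser should produce collapsing back to a single argument, and a percent-encoding strategy like the one the thread attributes to Firefox 2.x. The `""` inside-quotes special case of the real CRT is deliberately not modelled.

```python
"""Model of how an unescaped URL handed to a Windows protocol handler turns into
extra command-line arguments. Added example; not KVIrc's, a browser's, or the
thread's own code. The sample strings below are constructed from the thread."""
from typing import List
from urllib.parse import quote

# Hypothetical handler template of the shape used under
# HKCR\irc\shell\open\command (the actual KVIrc registry value is not reproduced).
HANDLER_TEMPLATE = 'kvirc.exe "%1"'

# Constructed: the link target from the thread's example, quotes unescaped.
MALICIOUS_URL = 'irc://" -e "run calc.exe" "'


def split_windows_cmdline(cmdline: str) -> List[str]:
    """Split a command line by the documented MSVC CRT / CommandLineToArgvW rules:
    whitespace separates arguments outside quotes, double quotes group, and a run
    of backslashes is literal unless it ends in a double quote (2n backslashes +
    quote -> n backslashes and a quote toggle; 2n+1 backslashes + quote -> n
    backslashes and a literal quote). The '""' inside-quotes special case of the
    real CRT is deliberately not modelled here."""
    argv: List[str] = []
    cur: List[str] = []
    in_quotes = False
    have_arg = False          # distinguishes an empty "" argument from no argument
    i, n = 0, len(cmdline)
    while i < n:
        c = cmdline[i]
        if c == '\\':
            j = i
            while j < n and cmdline[j] == '\\':
                j += 1
            run = j - i
            if j < n and cmdline[j] == '"':
                cur.append('\\' * (run // 2))
                if run % 2:
                    cur.append('"')            # odd run: escaped, literal quote
                else:
                    in_quotes = not in_quotes  # even run: the quote still toggles
                i = j + 1
            else:
                cur.append('\\' * run)         # backslashes not before a quote are literal
                i = j
            have_arg = True
        elif c == '"':
            in_quotes = not in_quotes
            have_arg = True
            i += 1
        elif c in ' \t' and not in_quotes:
            if have_arg:
                argv.append(''.join(cur))
                cur, have_arg = [], False
            i += 1
        else:
            cur.append(c)
            have_arg = True
            i += 1
    if have_arg:
        argv.append(''.join(cur))
    return argv


def escape_for_quoted_arg(arg: str) -> str:
    """Return text that, placed between the template's own double quotes, is read
    back as exactly `arg`: each quote gets a backslash, and a run of backslashes
    that would otherwise precede a quote (or the closing quote) is doubled."""
    out: List[str] = []
    run = 0
    for ch in arg:
        if ch == '\\':
            run += 1
            continue
        if ch == '"':
            out.append('\\' * (2 * run + 1) + '"')
        else:
            out.append('\\' * run + ch)
        run = 0
    out.append('\\' * (2 * run))   # trailing backslashes would otherwise eat the closing quote
    return ''.join(out)


def percent_encode_url(url: str) -> str:
    """Percent-encode everything outside the RFC 3986 reserved/unreserved set, so
    the handler receives no quote, backslash or whitespace at all (the strategy
    the thread attributes to Firefox 2.x; this is a model, not Firefox's code)."""
    return quote(url, safe="/:?#[]@!$&'()*+,;=~-._")


def handler_argv(template: str, url: str) -> List[str]:
    """argv the handler process would see after the shell substitutes %1."""
    return split_windows_cmdline(template.replace('%1', url))


if __name__ == '__main__':
    print('unescaped      :', handler_argv(HANDLER_TEMPLATE, MALICIOUS_URL))
    print('backslash-esc. :', handler_argv(HANDLER_TEMPLATE, escape_for_quoted_arg(MALICIOUS_URL)))
    print('percent-encoded:', handler_argv(HANDLER_TEMPLATE, percent_encode_url(MALICIOUS_URL)))
```

Run stand-alone it prints the three argv lists: the unescaped case yields `['kvirc.exe', 'irc://', '-e', 'run calc.exe', '']`, while both the backslash-escaped and the percent-encoded forms yield exactly two arguments. Note that backslash escaping alone is not enough when the URL ends in a backslash: the trailing-run doubling in `escape_for_quoted_arg` exists precisely because `"irc://x\"` would otherwise be read as an unterminated quoted argument.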