Date: Tue, 8 Jun 1999 22:49:35 -0400 From: Rich Lafferty To: BUGTRAQ@netspace.org Subject: mIRC 5.6 automatic URL loading [This one stunned me. I triple-checked and tested more than I'd usually test because I can't believe anyone would implement something so ridiculous. Perhaps I'm just optimistic. Anyhow, moving on:] \begin{vulnerability} About a week ago, mIRC 5.6 was released. Amongst other new features, it includes the following (from the changelog, versions.txt): 40.Added "Track Urls" switch to System menu in Channel/Query windows, auto-opens websites as they are mentioned in a window. With the cooperation of an mIRC user (thanks Lindy_!), I found that it does exactly as it says -- when it's enabled, mIRC happily tells Netscape (and presumably IE, if that's the Default Browser) to open any URLs that it sees. Now, I don't actively pay attention to the various Windows-browser exploits that appear here, so I suspect the diligent bugtraq reader will come up with ickier things to do with this than I, but just off the top of my head: * linking to /dev/zero and letting the mIRC user's hard drive fill * Banners, banners, banners. * Trojan or virus-infected things, especially if the browser autoexecutes them. * http://some.host.name:19/ * flood an IRC channel with URLs, causing the browser to try to load them up sequentially Anyhow, wide open. Whatever you can put in a URL, mIRC will devotedly tell your default browser to load up. \end{vulnerability} \begin{soapbox} It's basically reached the point now where any release of mIRC which isn't a patchlevel increment contains a significant vulnerability, which is then patched in a patchlevel-increment release between a week and a month later. That is, 5.5's dcc-server bug brought a quick 5.51, 5.4's $calc bug, 5.3 and hanson.c, and 5.2's "mIRC worm", which takes us back to the beginning of the bugtraq archive on geek-girl.com. Looking at versions.txt, it seems that nearly every mIRC release x.x has been followed up by an x.x1 or x.x2 bugfix within a few weeks of its release all the way back to 3.92. (Prior to 3.92, the release schedule seemed to be characteristic of known-beta-quality software; I recall 3.92 being basically when mIRC hit the "big time", too.) Obviously, these non-bugfix releases are being consistently released prematurely. Just take a look at the release dates at http://www.mircscripts.com/old/ -- something is *certainly* awry. mIRC is beta-tested by a small, closed group. It's also the most popular IRC client in the world. History seems to indicate that whatever testing takes place isn't anywhere near sufficient. Users are conditioned to rush for the newest release as soon as it's available. Perhaps the rush to get that release out is being prioritized, intentionally or accidentally, over making sure that the program is reasonably secure? Certainly, no-one's reviewing code; it seems that they're not even thinking through the implementations of newly-introduced *concepts*. Perhaps it's time to revise the testing procedures -- drastically, even? -- to catch these problems before letting them loose on the huge, dedicated userbase? \end{soapbox} -Rich -- Rich Lafferty --------------------------------------------------------- IITS/Computing Services | "How should I know if it works? That's what Concordia University | beta testers are for. I only coded it" -LT rich@alcor.concordia.ca ----------------------------------------[McQ]-- ------------------------------------------------------------------------- Date: Wed, 9 Jun 1999 09:26:42 +0200 From: Tjerk Vonck To: BUGTRAQ@netspace.org Subject: Re: mIRC 5.6 automatic URL loading At 22:49 08-06-99 -0400, Rich Lafferty wrote: >About a week ago, mIRC 5.6 was released. Amongst other new features, >it includes the following (from the changelog, versions.txt): > >40.Added "Track Urls" switch to System menu in Channel/Query windows, > auto-opens websites as they are mentioned in a window. Wait a sec; There is no general option to enable tracking in all channels and/or all query windows. You have to switch it on on a per user (nick) or channel base. May we assume people will only do this on channels were they feel home and/or with other user they know personally and trust? There is no *big red button* to enable this minor gimmick.. It is an option in the 'System Menu' (in the top left hand corner of a window) together with other things like logging and timestamping. >With the cooperation of an mIRC user (thanks Lindy_!), I found that it >does exactly as it says .. Yes, of course, otherwise it would be buggy. In all exploit examples you thought of it is simply a matter of disabling the URL tracking you have set active for the channel or query. End of problem. Tjerk. ------------- The new mIRC version 5.6 is available now! A new IRC Intro is included, as well as a fresh list of IRC servers. Have fun with this new mIRC! Read more about mIRC on one of the mIRC WWW pages: http://www.mirc.co.uk United Kingdom <- mIRC's Homesite http://www.geocities.com/~mirc/ USA <- mIRC's US mirror http://www.nip.nl/mirc/ The Netherlands http://www.mirc.queen.it/ Italy http://mirc.kems.net/ Kuwait http://www.mirc.com.ar/ Argentina http://www.conesul.com.br/mirc/ Brazil http://www.mirc.co.za/ South Africa http://mirc.eon.net.au/ Australia These pages give a lot of hints and help on mIRC and IRC. Make sure to read the mIRC FAQ which is distributed separately from mIRC. The FAQ answers a LOT of questions and includes a tutorial on Aliases, Popups and on 'programming' mIRC's Tools/Remote section... Included in mIRC's distribution is an IRC Intro. Look in the Help/Contents menu in mIRC for looots of help on IRC and solutions to its most common quirks and problems. At http://www.mirc.co.uk/servers.ini you can find the most recent list of IRC servers.