Security researchers Benjamin Chetioui and Baptiste Devigne from ProofOfCalc discovered a vulnerability in the mIRC application that could be exploited by attackers to execute commands remotely.
mIRC is a popular Internet Relay Chat application that allows users to chat by connecting to IRC servers, it also allows users to exchange files and links.
The flaw could be exploited by attackers to execute various commands, including download and install binaries on the vulnerable system.
The flaw allows attackers to inject commands into these custom URI schemes, it affects mIRC versions older than 7.55.
“Using the task manager and the registry, we figured out that when one calls a program through a link such as discord
On Windows OS, URI schemes are associated
The researchers discovered that mIRC does support sigils and allows command line injection.
-- to mark the end of the argument list, an attacker is able to pass arguments to
The experts set up a Samba server containing a custom MIRC.ini configuration file. This configuration file used in the PoC contains a command that executes another script, which then executes commands on the system.
This attack scheme allowed the researcher to execute commands under the context of the logged in user, it could be used to carry out several malicious activities such as download and execute malware.
In order to exploit the flaw, an attacker has to trick victims into clicking the following link or visiting a web page containing an iframe that opens the custom
Once the user visits the web site, the iframe will trigger the launch of the mIRC application using the remote configuration file, and execute the remote script’s commands.
Below the video PoC published by the experts:
The flaw was addressed with the release of mIRC 7.55 on February 8th, 2019, users have to update their installs as soon as possible
(SecurityAffairs – IRC, hacking)