Exploits News Archive

March 29th 2004

mIRC DCC Bug - FALSE ALERT!

Following the recent scare over a potential mIRC 6.14 vulnerability, we are publishing the following advisory released by CERT-IRC regarding this issue.

CERT-IRC Advisory IRC-001/280304
mIRC script vchanger.mrc allows remote commands execution

Published: March 28, 2004
Version: 1.0


1. Affected system(s):

Any mIRC 6.x user who uses the vchanger.mrc script version 1.1.2e and earlier.

2. Description

The vchanger.mrc is a small script that allows a mIRC user to modify the mIRC version reply.

An attacker can execute remote commands (system commands included) through the mIRC client of a user of the vchanger script by sending a malicious CTCP/DCC command.

Sample attack :
Attacker: PRIVMSG Victim :PING $findfile(C:\,*,1,/msg Attacker Got root!)
Victim : PRIVMSG Attacker :Got root!
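The advisory's sample attack works because a CTCP PING payload that should contain only a timestamp is handed to the script unescaped, so mIRC evaluates any $identifier(...) inside it. The following is an added example, not part of the CERT-IRC advisory or the vchanger script: a small defender-side scanner that parses raw IRC PRIVMSG lines from a client or bouncer log and flags CTCP requests whose payload embeds mIRC identifier tokens. The log lines are constructed for the example.

```python
import re

CTCP_DELIM = "\x01"  # CTCP requests are wrapped in 0x01 bytes on the wire

# A mIRC identifier looks like $name or $name(args). A well-formed CTCP PING
# carries only digits, so any identifier in a CTCP payload is worth flagging.
IDENTIFIER_RE = re.compile(r"\$[A-Za-z_]\w*(?:\([^)]*\))?")

# :nick!user@host PRIVMSG target :text  (the prefix's user@host part is optional)
PRIVMSG_RE = re.compile(
    r"^:(?P<nick>[^!\s]+)(?:!\S+)?\s+PRIVMSG\s+(?P<target>\S+)\s+:(?P<text>.*)$"
)

# Constructed sample log lines (not from the advisory). The first mirrors the
# advisory's sample attack; the second is a benign PING with a timestamp.
SAMPLE_LINES = [
    ":attacker!u@h PRIVMSG victim :\x01PING $findfile(C:\\,*,1,/msg attacker Got root!)\x01",
    ":friend!u@h PRIVMSG victim :\x01PING 1080550400\x01",
    ":friend!u@h PRIVMSG victim :hello there",
    ":attacker!u@h PRIVMSG victim :\x01VERSION $decode(abc,m)\x01",
]


def parse_ctcp(line):
    """Return (sender, CTCP command, payload) for a CTCP PRIVMSG, else None."""
    m = PRIVMSG_RE.match(line)
    if not m:
        return None
    text = m.group("text")
    if len(text) < 2 or not (text.startswith(CTCP_DELIM) and text.endswith(CTCP_DELIM)):
        return None  # ordinary chat message, not CTCP
    command, _, payload = text[1:-1].partition(" ")
    return m.group("nick"), command.upper(), payload


def suspicious_identifiers(payload):
    """List every mIRC identifier token embedded in a CTCP payload."""
    return IDENTIFIER_RE.findall(payload)


def scan(lines):
    """Return one finding per CTCP request whose payload contains identifiers."""
    findings = []
    for line in lines:
        parsed = parse_ctcp(line)
        if parsed is None:
            continue
        sender, command, payload = parsed
        idents = suspicious_identifiers(payload)
        if idents:
            findings.append({"sender": sender, "command": command, "identifiers": idents})
    return findings
```

The same check applied inside a script (reject or strip any `$` from the CTCP text before it is evaluated) is what the patched 1.1.2f release needs to do; the scanner above only tells you who is sending such requests.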

3. Impact

Any IRC user can exploit this vulnerability to take control of a vulnerable mIRC user's computer through hidden shell commands.
All users of the vchanger.mrc script are recommended to upgrade the script to its latest version.

4. Workaround

Execute the following command to unload the script: /unload -rs path\to\vchanger.mrc
The script might be renamed or integrated into other scripts, so if you have no use for CTCP or DCC, execute the following command: /ignore -wtd *!*@*.*
To disable all scripts you can also type: /remote off

5. Vendor status and information

vchanger.mrc - mircscripts.org
http://mircscripts.org/comments.php?id=1290
The author of the vchanger.mrc script has been notified, and the latest version of the script, 1.1.2f, is patched.
See http://mircscripts.org/comments.php?id=1290 for more information.

6. Disclaimer

CyberAbuse and the CERT-IRC group are not responsible for any misuse of the information provided in this security advisory.
Feel free to redistribute this advisory, provided that no changes are made to it.

March 24th 2004

Winzip Buffer Overflow

An issue recently discovered in the popular WinZip compression package may allow machines running vulnerable versions of this software to be compromised by specially-crafted files. Attempting to open such a file will cause a buffer overflow within WinZip which could be used by an attacker to gain control of the vulnerable machine. There is no simple way to determine whether a file is or is not harmful, therefore all users are recommended to upgrade to the latest version of WinZip, available for download from http://www.winzip.com. More details on this vulnerability can be found at http://www.winzip.com/fmwz90.htm

mIRC V6.0 - 6.11 Security Alert

An issue has been discovered with the above versions of mIRC which can lead to unexpected failure of the program. The flaw is triggered by a malformed DCC request and results in the mIRC client crashing whenever such a request is received. While annoying, there appears to be no way to use this vulnerability to remotely compromise machines, so it should not be considered a serious risk in its current form. An updated version of mIRC which addresses this issue is now available from the mIRC homepage. As an exploit for this vulnerability is believed to be in active use on several IRC networks, users are advised to upgrade to the latest version of mIRC as soon as possible.

Security Alert : Is your Cable/DSL router insecure?

Following a posting to the Bugtraq mailing list we are yet again revisiting the subject of Cable & DSL security. It would appear that despite many similar incidents (see the routers page) yet another vendor doesn't realize the dangers of deploying devices on the public internet with very weak default passwords. If you are using a Zyxel P645ME ADSL router then you are possibly at risk of having your router accessed by unauthorised persons, personal information it contains stolen and possibly its configuration altered.

The full details are in the Bugtraq posting, but essentially the Zyxel P645ME router ships with a well-known and very insecure default password on its WAN-accessible admin interface. Using this default password, unauthorised parties can access and change your router's configuration remotely. Other vendors have had similar issues with other brands of router and, as best we know, are still trying to clear up the mess; it's by no means an issue restricted to just one vendor or ISP.

If you have this equipment, we suggest you pester Zyxel and insist they help you secure the product, especially since we can't find any relevant documentation on the Zyxel website...

July 31st 2003

AnalogX Proxy 4.13 - Security Alert

Users of AnalogX Proxy ver. 4.13 on Windows platforms should upgrade immediately to version 4.14. A trivially exploitable buffer overflow has been discovered in version 4.13 of this popular freeware package which allows attackers to execute arbitrary code on vulnerable machines. DALnet's exploits team recommends users of this software to upgrade immediately or take steps to disable the service until such time as an upgrade can be performed. For full details of the vulnerability please refer to http://www.securityfocus.com/bid/7681.

Fizzer Virus Alert

DALnet, in common with many other IRC networks, is suffering badly from the effects of the Fizzer Virus. We are in the process of implementing technical measures to keep infected clients off of DALnet; however, we urge all users to update their anti-virus package ASAP (or install one if you need to!) and ensure their systems are running the latest security patches for all software in use. This worm is a particular problem due to its multiple vectors of infection, which are leading to a very rapid increase in the number of infected clients. If you are infected, there is a free removal utility available from F-Secure.

May 14th 2003

Denial of Service Attacks

While we are still suffering from the effects of the recent Denial of Service attacks we are pleased to say that some servers have successfully returned to the network. This does not mean the attacks have ceased, only that some servers are once again available for use on the DALnet network. For security reasons some of these servers do not currently have DNS entries, also the main irc.dal.net DNS entry is likely to remain disabled for the foreseeable future.

Disturbing information has reached us that the persons believed responsible for at least some of the attacks against DALnet have also been involved in a spate of attacks against other IRC networks and IRC-related services. If you host an IRC server or related service and have either suffered a serious Denial of Service attack in the past two weeks or have discovered a significant botnet on your server, we'd like to hear from you. We're also interested in hearing from any IRC server admins who have been approached to provide hosting for botnets, possibly with an accompanying threat of DDoS attacks if you refuse. Any information received will be treated in confidence.

If you have any information which may be of use to us in tracing the perpetrators of these attacks, please use the contact form on http://kline.dal.net/exploits/info.htm

January 12th 2003

DDoS Attacks - Information for Users of DALnet.

DALnet is presently suffering extensive and prolonged Distributed Denial of Service attacks against our IRC servers, web server, mail servers and DNS systems. These attacks are causing great inconvenience and financial loss to many of the organizations that host our services; as a result, some of them have suspended or discontinued their support of DALnet. DALnet would like to extend our thanks to all those who sponsored servers; we are grateful for the support you have provided us during what are difficult times. Users may also find it difficult to access our websites or send mail to @dal.net addresses due to attacks on the web, mail and DNS servers.

Some questions we are being asked regularly during these attacks should be answered by the FAQ below.

Q: Why are you not able to stop the attacks, it looks like you aren't in control of things!

That is because we are _not_ in control of things. A person or group of persons unknown are using Distributed Denial of Service techniques to literally destroy our network. In doing so they are causing great inconvenience to our hosts as well as to us and our users. By the very nature of DDoS it's almost impossible to trace and impossible to defend against. There is, quite honestly, nothing we can do. If this person or group decide to destroy DALnet, they will do so and we cannot stop them.

Q: Why don't you do something about it?

We have done all that is possible. We have lodged complaints with those ISPs we can trace, most of which are ineffective. We have involved various law enforcement officials, but legal investigations take time to conduct and don't provide any immediate solution to the problem. There is no more we can do; please remember we are a free service run by volunteers on donated equipment and bandwidth. We cannot simply throw more bandwidth at the problem, and even if we could, the attacks are so massive it would make little if any difference.

Q: Why don't you call in the FBI?

DALnet and its sponsors are working with various law enforcement agencies towards tracing and prosecuting the people behind these attacks. Legal investigations do, however, take time to complete, and we are unable to comment any further on the status of those investigations.

Q: Why don't you talk to Steve Gibson of GRC.COM, he knows all about this stuff?

We already have many people working with us who are intimately familiar with DDoS attacks and how to deal with them.

Q: I can't connect to any servers, help!

There's no help we can offer. If you can't connect to a server, neither can we. The best we can suggest is to try another server although we appreciate it is difficult to find any servers currently accepting clients.

Q: When will the attacks stop?

We don't know. They will stop when either the attackers decide to stop attacking, the attackers get arrested or shut down by their ISPs, or DALnet runs out of good will from its sponsors and is forced to close.

Q: I have information about the attacks, how can I get it to you?

If you have any information which may be of use to us in tracing the perpetrators of these attacks, please use the contact form on http://kline.dal.net/exploits/info.htm

December 22nd 2002

Windows XP Users - Critical Security Update

Users of Windows XP (all versions) are vulnerable to a new exploit which can result in the total compromise of your system. The vulnerability is triggered by hovering the mouse over a specially altered MP3 or other audio file. It is NOT NECESSARY to open the file or even click on it to trigger this vulnerability. The vulnerability can be exploited by e-mail, by DCC transfer of a malformed file (the vulnerability triggers when the folder containing the file is opened OR the mouse pointer is hovered over the file) or via a malicious web page.

We anticipate active exploitation of this vulnerability on DALnet and would once again caution users not to follow links contained in unsolicited messages and not to download files of any type unless you are confident of their origins. Remember, it's not ONLY .exe files that can contain malicious code now.

Full details of the vulnerability are available here : http://www.kb.cert.org/vuls/id/591890

The Microsoft security bulletin and link to the required patch are here: http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS02-072.asp

All users of Windows XP are strongly advised to patch their systems as soon as possible.


February 3rd 2002

Buffer Overflow in all mIRC versions prior to 6.0

A serious vulnerability has been discovered in all versions of mIRC up to version 5.91 (mIRC 6.0 is not affected). This vulnerability can allow malicious users to gain unauthorized access to your system remotely and potentially plant trojan horse programmes or steal data. This vulnerability affects all versions of mIRC prior to 6.0 running on all current Microsoft Windows platforms but is particularly serious for users who also routinely use Internet Explorer as their web browser.

This vulnerability and the associated exploit are in the public domain and are possibly being exploited already.

All users of mIRC prior to the current version are STRONGLY ADVISED TO UPGRADE IMMEDIATELY.

Upgrades to version mIRC 6.0 are available for download from the mIRC website at http://www.mirc.co.uk. As always, please ensure you download only from a trusted source.

The original advisory for this vulnerability was posted to BugTraq on Feb 03 2002 and can be found at the following URL:

http://www.uuuppz.com/research/adv-001-mirc.htm

Thank You,

DALnet Exploit Prevention Team.

© DALnet IRC Network 2003.
DALnet treats copyright violation extremely seriously.
You are expressly forbidden to copy, mirror or otherwise duplicate the content, style or look and feel of these pages without express written permission from an authorized DALnet official. Copyright violators will be dealt with severely.