• Uploaded By: maroon
  • Added: 2 years ago
  • Updated: Never
  • mIRC Version: v6.35 thru 7.54
  • Hits: 895
  • Size: 5.16KB
  • Downloads: 2
  • Review By: acvxqs

Warn if Exploitable Chat Links is Enabled v1.0

CVE-2019-6453 describes an exploit of mIRC versions earlier than v7.55 if Tools/Options/IRC/Catcher/Chat Links "Enable Support" is checked.

If you are using an mIRC version older than v7.55, you should IMMEDIATELY
use the above option to DISABLE support for Chat Links then click OK.

It can also be exploited in browsers like Firefox or Edge if they have been configured to use a direct link to mirc.exe outside the normal irc:// registry entry.

The purpose of 'chat links' is to create a webpage link which can be used to launch mirc.exe (or another IRC client) with command-line syntax that connects to an IRC network and then joins a specific channel. The danger is that the URL can contain a command-line switch which makes mirc.exe use a mirc.ini that could be located at a web URL and which can load scripts also located at a web URL. At that point, the scripts could execute many dangerous scripting commands on your computer.

When mIRC starts up, if "Chat Links" is enabled, it creates registry entries for the irc:// and ircs:// protocols pointing at itself. This means that editing the registry does not solve the problem, because the next time any mirc.exe starts up, that mirc.exe can change the registry entries to point to itself, even if they already point at a 'safe' mIRC version. If you use the described Tools/Options location to disable the option, mIRC immediately removes the registry entries it created.

Upgrading to v7.55 defends against the exploitable irc:// syntax. This script is only a supplemental defense against the exploit. It creates a timer to warn you if the "Chat Link" support is enabled in mirc-options. It does not write to the registry, nor does it change the options setting. I created a list of 11 related registry entries I found pointing at mirc.exe, and you can manually run the script to see if any of these 11 registry items contain a string created by mirc.exe.

This script is only used as a reminder in case you have temporarily enabled Chat Links for some unknown reason, or if the mirc.ini option has become enabled, such as can happen when a damaged mirc.ini is reset to defaults, or if you use an old backup of mirc.ini which had the setting enabled.


Source Code:
{
Quick and dirty alias to warn if your "enable chat links" option has become enabled
by maroon. v1.0 Is intended only for clients not yet upgraded to 7.55+

DISABLE THE CHECKBOX - Chat links 'Enable Support' - IN TOOLS/OPTIONS/IRC/CATCHER !!!

The 1st line of script's 1800 causes the check every 30 minutes. Feel free to change to a different interval

You can edit the script to play a sound file as an alert
Test the script by enabling the chat_links option in tools/options/irc/catcher

}

ON *:START:{ chat_links_warning }
ON *:CONNECT:{ chat_links_warning }

alias chat_links_warning {
  !if (!$~timer(chat_links_warning)) !.timerchat_links_warning -oi 0 1800 chat_links_warning
  if ($~1 == regread) goto regread
  ; comma-token 33 of [options] n4 in mirc.ini is read as the Chat Links flag; stay silent when it is off
  if (!$~gettok($~readini($~mircini,options,n4),33,44)) !return

  ; if you wish, you can change this alert to play any wav or mp3 you wish
  ; if the file is already in the $sound(*.wav) or $sound(*.mp3) folder, you can use /splay filename
  ; otherwise you need /splay path\filename
  ; it helps to test that you can hear this sound by briefly enabling chat-links THEN DISABLING IT
  !beep 5 1000

  !var %win @chat_links_warning , %c $~chr(3) $~+ 8, $~+ 04
  !window -ae2 %win
  !echo %win $~asctime %c This alert is warning that 'Chat Links' has been enabled in Tools/Options/IRC/Catcher! $~chr(9)
  if ($~version isnum 7.55-) {
    !echo %win This alert is intended for mIRC versions 7.54 or earlier. So assuming the later versions are safe, you can unload this alias $~chr(9)
  }
  !echo %win %c This chat-links option can be exploited in mIRC version 7.54 and earlier $~chr(9)
  if ($~version < 7.55) !echo %win %c so it should be disabled in the older versions! $~chr(9)
  !echo %win %c To lessen the danger in older versions until you can upgrade... $~chr(9)
  !echo %win %c Go into Tools/Options/IRC/Catcher and disable "enable support" under "Chat Links" then click "OK" $~chr(9)
  !echo %win %c Upgrading mIRC to 7.55+ enables a defense against the exploit $~chr(9)
  !echo %win %c But it is still possible for the exploit to trigger in older mIRC versions if a browser like Firefox or Edge
  !echo %win %c allows a direct link to mirc.exe outside the registry option. $~chr(9)
  !echo %win %c You should also ensure that browsers like Firefox have not enabled their own support to associate $~chr(9)
  !echo %win %c mirc.exe with irc:// or ircs:// links if clicked on in a webpage. $~chr(9)
  !echo %win %c ... to see only registry entries: /chat_links_warning regread
  !echo %win Each time mIRC starts up in non-portable mode, if that 'Chat Links' option is enabled , it changes
  !echo %win the registry to point irc:// and ircs:// link support at that copy of mirc.exe, even if
  !echo %win it's already enabled and pointing at a different mirc.exe in a different folder.
  !echo %win As soon as you uncheck the option and click OK, mIRC removes that registry item.
  !echo %win But it's still possible that if you have configured firefox to associate those links with
  !echo %win mirc.exe that the links could still trigger the exploit without "chat links" being enabled
  !echo %win because even if mIRC is installed as -noreg/-portable, the older versions can still be
  !echo %win exploited by a registry entry created by the browser.
  !echo %win This option can also become re-enabled if mirc.ini is damaged and is replaced by default settings
  !echo %win To be updated: determine how to change browser config if you've already checked the box
  !echo %win "dont ask about this again" preventing future prompts when encountering irc:// links
  :regread
  !var %win @chat_links_warning , %c $~chr(3) $~+ 8, $~+ 04
  !window -ae2 %win
  !var %a1 HKEY_CLASSES_ROOT\irc\shell\open\command\
  !var %a2 HKEY_CLASSES_ROOT\ircs\shell\open\command\
  !var %a3 HKEY_CLASSES_ROOT\mIRCURL\shell\open\command\
  !var %a4 HKEY_CURRENT_USER\Software\Classes\irc\shell\open\command\
  !var %a5 HKEY_CURRENT_USER\Software\Classes\ircs\shell\open\command\
  !var %a6 HKEY_CURRENT_USER\Software\Classes\mIRCURL\shell\open\command\
  !var %a7 HKEY_CURRENT_USER\Software\Clients\IM\mIRC\Capabilities\shell\open\command\
  !var %a8 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\shell\open\command\
  !var %a9 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ircs\shell\open\command\
  !var %a10 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\mIRCURL\shell\open\command\
  !var %a11 HKEY_LOCAL_MACHINE\SOFTWARE\Clients\IM\mIRC\Capabilities\shell\open\command\
  !echo %win Note: these registry settings don't seem to always display changes made by a different mirc.exe
  !var %i 1 | !while (%i isnum 1-11) {
    !var %aa $~eval(% $~+ a $~+ %i,2) | !var %a $regread(%aa)
    !echo %win $~replace(%c,04,12) %aa -> %a $~chr(9) | !inc %i
  }
}

; local helper: reads the value at a registry key path (which must end with \) through the WScript.Shell COM object
alias -l regread {
  if (*\ !iswm $~1) { echo -tgsc info2 *$regread(string\) must end with \ invalid reg read: $~1 | return }
  !var %rr regread $~+ $~ticks
  !if ($~com(%rr)) { !.comclose %rr }
  !.comopen %rr WScript.Shell
  !var %a = $~com(%rr,RegRead,3,bstr,$~1)
  !var -p %a = $~com(%rr).result
  !if ($~com(%rr)) { !.comclose %rr }
  !returnex %a
}
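
An offline version of the script's mirc.ini check, for auditing backups or copies of mirc.ini before they are restored (an added example, not part of maroon's script). It assumes, as the script does, that the Chat Links flag is comma-token 33 of the n4 item under [options]; the function names and the sample file contents are constructed for illustration.

```python
# Added example, not part of the original script.
# Assumption taken from the script above: the Chat Links flag is comma-token 33
# of the n4 item in the [options] section of mirc.ini.
from decimal import Decimal

FIXED_VERSION = Decimal("7.55")  # per the page, v7.55 defends against the exploit


def chat_links_token(ini_text):
    """Return token 33 of [options] n4, or None if it is absent."""
    section = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "options" and line.lower().startswith("n4="):
            # Like $gettok, ignore empty tokens between consecutive commas.
            tokens = [t for t in line[3:].split(",") if t]
            return tokens[32] if len(tokens) >= 33 else None
    return None


def audit(ini_text, version):
    """Classify one mirc.ini copy; version is a string such as '7.54'."""
    token = chat_links_token(ini_text)
    if token is None:
        return "unknown"  # truncated or reset file: review it by hand
    if token == "0":
        return "disabled"
    # Decimal comparison mirrors the script's own `$version < 7.55` test.
    if Decimal(version) < FIXED_VERSION:
        return "enabled-exploitable"
    return "enabled"


def make_sample(flag):
    """Constructed mirc.ini text: 32 filler tokens, then the flag, then filler."""
    n4 = ",".join(["0"] * 32 + [flag] + ["1"] * 4)
    return "[text]\nn4=1,1\n[options]\nn0=0,0,0\nn4=" + n4 + "\n"


if __name__ == "__main__":
    for flag, ver in (("1", "7.54"), ("1", "7.55"), ("0", "6.35")):
        print(ver, audit(make_sample(flag), ver))
    print("truncated:", audit("[options]\nn4=0,0,0\n", "7.54"))
```

A result of "unknown" matters as much as "enabled-exploitable": the page notes that a damaged mirc.ini reset to defaults can turn the option back on.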
