Author: maroon
Added: 5y
Updated: Never
mIRC: v6.35 thru 7.54
Hits: 1,488
Downloads: 8
Review: acvxqs
Size: 5.43KB
Warn if Exploitable Chat Links is Enabled
v1.0
CVE-2019-6453 describes an exploit of mIRC versions earlier than v7.55 if Tools/Options/IRC/Catcher/Chat Links "Enable Support" is checked.
If you are using an mIRC version older than v7.55, you should IMMEDIATELY
use the above option to DISABLE support for Chat Links then click OK.
It can also be exploited in browsers like Firefox or Edge if they have been configured to use a direct link to mirc.exe outside the normal irc:// registry entry.
The purpose of 'chat links' is to create a webpage link which can be used to launch mirc.exe (or another IRC client) with command-line syntax that connects to an IRC network and then joins a specific channel. The danger is that the URL can contain a command-line switch which makes mirc.exe use a mirc.ini which could be located at a web URL and which can load scripts also located at a web URL. At that point, the scripts could execute many dangerous scripting commands on your computer.
When mIRC starts up, if "Chat Links" is enabled, it creates registry entries for the irc:// and ircs:// protocols pointing at itself. This means that editing the registry does not solve the problem, because the next time any mirc.exe starts up, it's possible for that mirc.exe to change the registry to point to itself, even if they already point at a 'safe' mirc version. If you use the described Tools/Options location to disable the option, mIRC immediately removes the registry entries it created.
Upgrading to v7.55 defends against the exploitable irc:// syntax. This script is only a supplemental defense against the exploit. It creates a timer to warn you if the "Chat Link" support is enabled in mirc-options. It does not write to the registry, nor does it change the options setting. I created a list of 11 related registry entries I found pointing at mirc.exe, and you can manually run the script to see if any of these 11 registry items contain a string created by mirc.exe.
This script is only used as a reminder in case you have temporarily enabled Chat Links for some unknown reason, or if the mirc.ini option has become enabled, such as can happen when a damaged mirc.ini is reset to defaults, or if you use an old backup of mirc.ini which had the setting enabled.
{
  Quick and dirty alias to warn if your "enable chat links" option has become enabled
  by maroon. v1.0
  Is intended only for clients not yet upgraded to 7.55+
  DISABLE THE CHECKBOX - Chat links 'Enable Support' - IN TOOLS/OPTIONS/IRC/CATCHER !!!
  The 1st line of script's 1800 causes the check every 30 minutes. Feel free to change to a different interval
  You can edit the script to play a sound file as an alert
  Test the script by enabling the chat_links option in tools/options/irc/catcher THEN DISABLE THAT OPTION
}
ON *:START:{ chat_links_warning }
ON *:CONNECT:{ chat_links_warning }
alias chat_links_warning {
  !if (!$~timer(chat_links_warning)) !.timerchat_links_warning -oi 0 1800 chat_links_warning
  if ($~1 == regread) goto regread
  if (!$~gettok($~readini($~mircini,options,n4),33,44)) !return
  ; if you wish, you can change this alert to play any wav or mp3 you wish
  ; if the file is already in the $sound(*.wav) or $sound(*.mp3) folder, you can use /splay filename
  ; otherwise you need /splay path\filename
  ; it helps to test that you can hear this sound by briefly enabling chat-links THEN DISABLING IT
  !beep 5 1000
  !var %win @chat_links_warning , %c $~chr(3) $~+ 8, $~+ 04
  !window -ae2 %win
  !echo %win $~asctime %c This alert is warning that 'Chat Links' has been enabled in Tools/Options/IRC/Catcher! $~chr(9)
  if ($~version isnum 7.55-) {
    !echo %win This alert is intended for mIRC versions 7.54 or earlier. So assuming the later versions are safe, you can unload this alias $~chr(9)
  }
  !echo %win %c This chat-links option can be exploited in mIRC version 7.54 and earlier $~chr(9)
  if ($~version < 7.55) !echo %win %c so it should be disabled in the older versions! $~chr(9)
  !echo %win %c To lessen the danger in older versions until you can upgrade... $~chr(9)
  !echo %win %c Go into Tools/Options/IRC/Catcher and disable "enable support" under "Chat Links" then click "OK" $~chr(9)
  !echo %win %c Upgrading mIRC to 7.55+ enables a defense against the exploit $~chr(9)
  !echo %win %c But it is still possible for the exploit to trigger in older mIRC versions if a browser like Firefox or Edge
  !echo %win %c allows a direct link to mirc.exe outside the registry option. $~chr(9)
  !echo %win %c You should also ensure that browsers like Firefox have not enabled their own support to associate $~chr(9)
  !echo %win %c mirc.exe with irc:// or ircs:// links if clicked on in a webpage. $~chr(9)
  !echo %win %c ... to see only registry entries: /chat_links_warning regread
  !echo %win Each time mIRC starts up in non-portable mode, if that 'Chat Links' option is enabled , it changes
  !echo %win the registry to point irc:// and ircs:// link support at that copy of mirc.exe, even if
  !echo %win it's already enabled and pointing at a different mirc.exe in a different folder.
  !echo %win As soon as you uncheck the option and click OK, mIRC removes that registry item.
  !echo %win But it's still possible that if you have configured firefox to associate those links with
  !echo %win mirc.exe that the links could still trigger the exploit without "chat links" being enabled
  !echo %win because even if mIRC is installed as -noreg/-portable, the older versions can still be
  !echo %win exploited by a registry entry created by the browser.
  !echo %win This option can also become re-enabled if mirc.ini is damaged and is replaced by default settings
  !echo %win To be updated: determine how to change browser config if you've already checked the box
  !echo %win "dont ask about this again" preventing future prompts when encountering irc:// links
  :regread
  !var %win @chat_links_warning , %c $~chr(3) $~+ 8, $~+ 04
  !window -ae2 %win
  !var %a1 HKEY_CLASSES_ROOT\irc\shell\open\command\
  !var %a2 HKEY_CLASSES_ROOT\ircs\shell\open\command\
  !var %a3 HKEY_CLASSES_ROOT\mIRCURL\shell\open\command\
  !var %a4 HKEY_CURRENT_USER\Software\Classes\irc\shell\open\command\
  !var %a5 HKEY_CURRENT_USER\Software\Classes\ircs\shell\open\command\
  !var %a6 HKEY_CURRENT_USER\Software\Classes\mIRCURL\shell\open\command\
  !var %a7 HKEY_CURRENT_USER\Software\Clients\IM\mIRC\Capabilities\shell\open\command\
  !var %a8 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\shell\open\command\
  !var %a9 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ircs\shell\open\command\
  !var %a10 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\mIRCURL\shell\open\command\
  !var %a11 HKEY_LOCAL_MACHINE\SOFTWARE\Clients\IM\mIRC\Capabilities\shell\open\command\
  !echo %win Note: these registry settings don't seem to always display changes made by a different mirc.exe
  !var %i 1 | !while (%i isnum 1-11) {
    !var %aa $~eval(% $~+ a $~+ %i,2) | !var %a $regread(%aa)
    !echo %win $~replace(%c,04,12) %aa -> %a $~chr(9) | !inc %i
  }
}
alias -l regread {
  if (*\ !iswm $~1) { echo -tgsc info2 *$regread(string\) must end with \ invalid reg read: $~1 | return }
  !var %rr regread $~+ $~ticks
  !if ($~com(%rr)) { !.comclose %rr }
  !.comopen %rr WScript.Shell
  !var %a = $~com(%rr,RegRead,3,bstr,$~1)
  !var -p %a = $~com(%rr).result
  !if ($~com(%rr)) { !.comclose %rr }
  !returnex %a
}
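An added example, not part of maroon's script: the same two checks (token 33 of `n4` in the `[options]` section of mirc.ini, and the handler commands in the registry) made from outside mIRC, so that no mirc.exe has to start and re-register the handlers. The function names, severity labels and sample data are assumptions made for illustration; the token position and registry subkeys are the ones the script uses.

```python
import re

# Default-value subkeys under HKEY_CLASSES_ROOT, taken from the script's regread list.
HKCR_HANDLERS = [r"irc\shell\open\command", r"ircs\shell\open\command",
                 r"mIRCURL\shell\open\command"]

def chat_links_enabled(ini_text):
    """Same test as the script: 33rd comma token of [options] n4 is non-zero."""
    section = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "options" and line.lower().startswith("n4="):
            # Like $gettok, skip empty tokens; a missing 33rd token counts as off.
            tokens = [t for t in line.split("=", 1)[1].split(",") if t.strip()]
            return len(tokens) >= 33 and tokens[32].strip() != "0"
    return False

def read_hkcr_handlers():
    """Windows only: read the handler commands without launching mirc.exe."""
    import winreg
    found = {}
    for sub in HKCR_HANDLERS:
        try:
            found[sub] = winreg.QueryValue(winreg.HKEY_CLASSES_ROOT, sub)
        except OSError:  # key absent: no handler registered there
            found[sub] = None
    return found

def audit(ini_text, handlers, version):
    """Return findings for one install; version is a tuple such as (7, 54)."""
    old = version < (7, 55)  # the page's cut-off: v7.55 defends against the syntax
    findings = []
    if chat_links_enabled(ini_text):
        findings.append(("HIGH" if old else "INFO", "Chat Links 'Enable Support' is on"))
    for key, cmd in handlers.items():
        if cmd and re.search(r"mirc\.exe", cmd, re.IGNORECASE):
            findings.append(("HIGH" if old else "INFO", f"{key} -> {cmd}"))
    return findings

# Constructed sample data (not from a real system).
SAMPLE_INI = "[options]\nn4=" + ",".join(["0"] * 32 + ["1", "0", "0"]) + "\n"
SAMPLE_HANDLERS = {HKCR_HANDLERS[0]: r'"C:\old\mirc.exe" "%1"', HKCR_HANDLERS[1]: None}

if __name__ == "__main__":
    for severity, detail in audit(SAMPLE_INI, SAMPLE_HANDLERS, (7, 54)):
        print(severity, detail)
```

On a Windows machine, pass the result of `read_hkcr_handlers()` and the contents of the real mirc.ini to `audit()` in place of the sample data.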
If you need to run mirc < 7.55 for any reason please be aware that this script will help you remember that a very unsafe option is turned on by default and that you will need to manually turn it off.
Please note that due to the severity being high, a link to old version(s) of mirc at http://www.mirc.com/get.html has been removed.
Further reading: https://proofofcalc.com/cve-2019-6453-mIRC/