mIRC 6.03 and below allows an attacker to supply a misleading URL that poses as one URL but leads to another by setting the color of the secondary URL to the default background color.
I. BACKGROUND
mIRC is "a friendly IRC client that is well equipped with options and
tools".
More information about the application is available at
http://www.mirc.com
II. DESCRIPTION
The 'URL handler' allows a user to double-click a URL posted in a channel
or in a query. This will afterwards be opened in the default browser.
The 'URL handler' fails to filter/ignore colour codes in links, making
'url spoofing' possible.
III. ANALYSIS
Messaging users stuff like "Oh my god Saddam just blew up Israel look
for yourself on www.cnn.com0@www.paysite.com/ref.php?refid=spam-user"
will lead the target to believe he's entering cnn.com, while he is in
fact accessing www.paysite.com and giving clicks/cash/whatever to the
'attacker'. Note that the 0 is the colour code for white, which is the
default background colour in mIRC.
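Added example (not part of the original advisory and not mIRC code): the filtering step the URL handler lacks, as a Python sketch that strips mIRC formatting codes from a message and then flags any link whose visible "host" is really the userinfo part before an '@'. It assumes the colour control byte is 0x03 followed by optional fg[,bg] digits; the function names and the hosts in the sample are hypothetical.

```python
import re
from urllib.parse import urlsplit

# mIRC formatting bytes: \x03 = colour (optionally followed by fg[,bg] digits),
# \x02 bold, \x0f reset, \x16 reverse, \x1f underline.
COLOUR = re.compile(r"\x03(?:\d{1,2}(?:,\d{1,2})?)?")
OTHER_FORMATTING = re.compile(r"[\x02\x0f\x16\x1f]")
URL = re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE)


def strip_formatting(message: str) -> str:
    """Remove colour and style codes so the text matches what a click opens."""
    return OTHER_FORMATTING.sub("", COLOUR.sub("", message))


def audit_links(message: str) -> list:
    """Return each URL in the message with its real host and a spoofing flag."""
    findings = []
    for match in URL.finditer(strip_formatting(message)):
        url = match.group(0)
        parts = urlsplit(url if "://" in url else "http://" + url)
        findings.append({
            "url": url,
            "host": parts.hostname,
            # Anything before '@' is userinfo, not the destination host.
            "userinfo": parts.username,
            "suspicious": parts.username is not None,
        })
    return findings


# Constructed sample: hypothetical hosts; colour code 0 (white) hides the tail.
SAMPLE = "look for yourself on www.news.example\x030@www.other.example/ref.php?refid=1"

if __name__ == "__main__":
    for finding in audit_links(SAMPLE):
        print(finding)
```

A client or logging bot can show the stripped text and the real host next to any link marked suspicious before handing it to the browser.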
IV. DETECTION
mIRC 6.03 and below (those versions that incorporate colour codes/url
handling) are found to be vulnerable.
V. WORKAROUND
unknown
VI. VENDOR FIX
unknown
VII. CVE INFORMATION
unknown
VIII. DISCLOSURE TIMELINE
unknown
IX. CREDIT
Knud Erik Højgaard/kokaninATdtors.net