All current versions of the KVIrc IRC client contain a remotely exploitable command execution vulnerability, including builds of KVIrc 4 from subversion up to revision 4692 as well as the older 3.x versions.
The bug, triggered by inserting carriage returns (r) into DCC GET commands, can be used to execute every command the IRCd understands in the context of the user running the vulnerable client instance.
To check if your version is exploitable you can either take a look at the “About KVIrc” tab under “Help” and check the revision or execute the following command on IRC:
To make matters worse, whole channels can be exploited at once if they don’t have a mode set that disallows CTCPing them.
A quick workaround is to execute the following command, effectively preventing those “failed” DCC handshakes to be notified and disabling the bug:
/option boolNotifyFailedDccHandshakes 0
To see if you’ve already been exploited you can take a look in your server window and search for lines that look similar to these:
[01:27:46] Processing DCC GET PRIVMSG #kvirc :I’m owned
request from ATTACKER [ATTACKER@HOSTNAME] (DCC GETrPRIVMSG40#kvirc40:I’m40ownedr)
[01:27:46] Unable to process the above request: Unknown DCC type ‘GET PRIVMSG #KVIRC :I’M OWNED ‘, Ignoring and notifying failure
Updated builds of KVIrc are available on their homepage – some distributions also already have updated builds in their repository. If you can’t update because your distribution is not among the one with updated builds, the workaround helps to not fall prey to any possible attackers.