IRC-Junkie.org – IRC News

All about Internet Relay Chat

KVIrc Ubuntu Karmic build is broken

In the most recent newspost on the KVIrc website developer HelLViS69 writes that certain features of the IRC-client are broken on Ubuntu Karmic Koala.

He writes that “all popups are missing, and many actions on IRC return a parser error”. After installing the supposedly broken client we’ve indeed been able to confirm this as right-clicking on nicknames in the nicklist does not produce the expected popup but fails silently.

Doing the same in the channel window results in a more noisy error:

[KVS] Runtime Error: Popup channel is not defined
[KVS]   in script context “OnChannelNickPopupRequest::default”, line 1, near character 14
Event handler OnChannelNickPopupRequest::default is broken: disabling

which can also be seen in the following screenshot:

KVIrc error

KVIrc error

In order to avoid these problems HelLViS69 suggests to “use KVIrc’s staff packages, which can be found at ftp://ftp.kvirc.de/pub/kvirc/snapshots/ubuntu“.

Happy IRC’ing! ;)

KVIrc 3.4.2 URI handler in combination with IE exploitable [Updated]

Not even a month ago, it was KVIrc 3.4.0 in it’s Windows release which has been vulnerable to what has been at least a DoS/crash.

As of yesterday, there have been new exploits posted on the usual sites around the internet – but this time it is not the fault of KVIrc’s URI handler, because the bug is only exploitable if the malicious link is opened with Microsoft’s Internet Explorer and is possible because of its unique way to handle double quotes (“) in links.

This time it is not possible to just let the client of a victim crash but to execute a command of the attackers choice – opening a whole can of worms as one can execute each and any command with the privileges of the attacked user.

In an interview conducted on IRC with members of the KVIrc team they said that “the ‘vulnerability’ is present in any programs URI handling engine until they decide to work around IE’s oddities”, which, according to this posting on their mailinglist, involves using DDE to pass links back and forth between applications.

Since only a few members of the KVIrc team do have the possibility to compile the client for the Windows operating system it might take a little while until a fix pops up, but they assured IRC-Junkie that this issue is being worked on.

Update 11/22/2008, ~8 hours later: There is an updated package released for testing which contains “all the latest fixes for the bugs found in 3.4.2.”. Link to the download is in this mailinglist posting.

KVIrc 3.4.0 irc:// URI handler format string vulnerability – reloaded

No, not only mIRC has bugs ;)

For the second time, after a similar vulnerability in 2007, the irc:// URI-handler of KVIrc 3.4.0 is vulnerable to exploitation.

For successful exploitation of the security hole the user needs to be tricked to follow a maliciously crafted irc:// link – “Failed exploit attempts may cause denial-of-service conditions.” at least, or might even enable the attacker “to execute arbitrary code with the privileges of the user running the affected application.” - which we all know is Administrator for 95% of all Windows machines.

However, this post on the KVIrc mailing list claims the bug is invalid and KVIrc 3.4.x is not affected but after a short test i can at least confirm that there indeed is an issue that causes a DoS because KVIrc crashes after opening the malformed link.

The usual suggestion to upgrade to the latest version to be not prone to that vulnerability is superfluous at least for the Windows-version of KVIrc, as 3.4.0 is the latest “stable” release that can be obtained from the website.

Update 11/7/08: There is now an update to version 3.4.2 available for download.

KVIrc 3.4.0 Released

“After a long time with development snapshots only (due to lack of importance given to producing a release tagged as stable), KVIrc has just released version 3.4″, user Elephantman tipped IRC-Junkie.

“This one took a very long time but, well, finally it’s here” the KVIrc development team announced on their homepage.

Some of the changed highlighted on the announcement:

* improved themeing support

* better desktop integration

* nicer support for many different IRC servers

* a totally revised option layout

* basic support for script “addons”

* improved help subsystem

* new nice statusbar applets

* improved scripting engine

* improved windows and macosx support

“There is also a lot of small new details that you will find out by yourself while playing around and finally we obviously also have a huge number of bugfixes.”

This release also marks the final build using QT3. Next the team will focus on developing a release that is entirely built upon QT4. “This release actually contains a preliminary Qt4 support and if you feel brave you might test it by passing the “hidden” –enable-qt switch to configure”, the website explained.

KVIrc is released under the GNU license and can be downloaded as source, Windows, *Nix and MacOSX.