www.IRC-Junkie.org – IRC News

All about Internet Relay Chat

Monthly Archives: October 2008

KVIrc 3.4.0 irc:// URI handler format string vulnerability – reloaded

No, not only mIRC has bugs ;)

For the second time, after a similar vulnerability in 2007, the irc:// URI-handler of KVIrc 3.4.0 is vulnerable to exploitation.

For successful exploitation of the security hole the user needs to be tricked to follow a maliciously crafted irc:// link – “Failed exploit attempts may cause denial-of-service conditions.” at least, or might even enable the attacker “to execute arbitrary code with the privileges of the user running the affected application.” - which we all know is Administrator for 95% of all Windows machines.

However, this post on the KVIrc mailing list claims the bug is invalid and KVIrc 3.4.x is not affected but after a short test i can at least confirm that there indeed is an issue that causes a DoS because KVIrc crashes after opening the malformed link.

The usual suggestion to upgrade to the latest version to be not prone to that vulnerability is superfluous at least for the Windows-version of KVIrc, as 3.4.0 is the latest “stable” release that can be obtained from the website.

Update 11/7/08: There is now an update to version 3.4.2 available for download.

mIRC 6.35 gets released, fixes security flaw

Little over one month after the last release of the popular IRC-client, a new version becomes public.

According to the website the update is due to a security flaw concerning “very long nicknames on non-standard servers” and it is therefore a recommended upgrade for everyone.

Also, it seems the exploit code for the mentioned vulnerability is already in the wild so it’s advised to update in a timely manner or deploy the following workaround if an upgrade is not possible:

on ^*:OPEN:?:*:if ($len($nick) > 298) halt

The above snippet should be added to ones mIRC’s remotes and shall then prevent the hole from being exploited.

Thanks to slakker for the tip & links!

Anope releases RC1 of new 1.8 stable branch

On Sunday, 26th October the Anope project announces the release of release candidate 1 of their new stable branch, version 1.8 of their widely used IRC services package.

The announcement on their website also mentions that “Apart from updates to language files there are no changes since the last development release (1.7.24).”

However, all users of the last stable release, 1.6.5, should prepare to test the new version since they plan to stop supporting it when 1.8 becomes final.

A detailed changelog can be found here.

Thanks to Chaz & Viper for the tip!

Site Changes, again

Yes, it’s that time of the year again :)

After quite some time of thinking what to do with the “old” websites code that i would have to customize to get some of the functionality i’d want to have, i took the plunge and moved everything to WordPress.

After quite a few tiresome days of importing posts and comments manually, installing things and cursing like a seaman i’m finally done :)

Please, let me know what you think about it – suggestions and everything are more than welcome.

Oh, and after i get some rest (and a few drinks at some bar i suppose) i’ll update the page with a few articles that have piled up in the meanwhile :)