mIRC’s security flaw allows cybercriminals to conduct remote attacks

mIRC’s security flaw allows cybercriminals to conduct remote attacks

  • The Internet Relay Chat (IRC) application for Windows was found to have a vulnerability in its custom Uniform Resource Identifier(URI) schemes.
  • mIRC versions older than 7.55 are affected by this remote code execution flaw.

mIRC, a well-known IRC chat application for Windows was discovered to have a serious security vulnerability that allows attackers to remotely execute arbitrary code.

Security researchers Baptiste Devigne and Benjamin Chetioui identified this flaw when they were analyzing certain applications based on the Electron framework. Custom URIs used in these applications were found to lead to multiple vulnerabilities.

Custom URIs leading to security flaws

According to the researchers, older versions of the application, prior to the latest 7.55, had three URI schemes 'irc:', 'ircs:', and 'mircurl:' that led to the flaw. These schemes were not sanitized properly, allowing other parameters to take over the schemes.

The researchers explained their analysis stating, “...we decided to make a list of all the custom URI schemes available in our registries, filtering the properly sanitized ones, and we stumbled upon the mIRC schemes (irc:, ircs: and mircurl:), that were associated with the following command: 'C:\Program Files (x86)\mIRC\mirc.exe' %1. Because mIRC doesn't use any kind of sigil such as -- to mark the end of the argument list, an attacker is able to pass arguments to mIRC through links opened by the program.”

In order to exploit this flaw, Devigne & Chetioui use a Samba server having a custom configuration file. This file initiates another file called ‘calc.ini’ containing the remote script. Upon invoking ‘calc.ini’, malicious payloads get downloaded and infects the host system.

Thus, attackers can rely on methods such as phishing or even online forum posts to distribute malicious remote attack scripts to infect computer systems. mIRC users are therefore advised to update to the latest 7.55 version to steer away from this vulnerability.