98075 2003-04-08  18:08  /50 rader/ Knud Erik Højgaard <kain@ircop.dk>
Bilagans filnamn: "DSR-mirc-filenames.txt"
Importerad: 2003-04-08  18:08  av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <4412>
Bilaga (text/plain) till text 98074
Ärende: Bilaga (DSR-mirc-filenames.txt) till: mIRC "dcc filename spoofing"
------------------------------------------------------------
I. BACKGROUND

mIRC is "a friendly IRC client that is well equipped with options and 
tools"

More information about the application is available at 
http://www.mirc.com

II. DESCRIPTION

The DCC GET dialog has a limited area visible for the filename.  By
DCC sending a file with a specially crafted filename it's possible to
'spoof' a legitimate file.

III. ANALYSIS

Sending a file which name consists of for example 'me.mpg' + 'about
180  "alt-0160(fakespace)"' + '.exe' leads the recieving user into
believing  that the file is merely a harmless mpeg file, while it is
in fact an  executable. mIRC has a handy 'open' button upon
completion of the dcc,  so unless the user actually opens the
download folder and verifies the extension of the file, a compromise
is possible.

IIIa. MITIGATING FACTORS

If the remote user has DCC ignore enabled this will of course not
work.

IV. DETECTION

mirc 6.03 and below has been found vulnerable.

V. WORKAROUND

unknown

VI. VENDOR FIX

unknown

VII. CVE INFORMATION

unknown

VIII. DISCLOSURE TIMELINE

unknown

IX. CREDIT

Knud Erik Højgaard/kokanin[a]dtors.net
(98075) /Knud Erik Højgaard <kain@ircop.dk>/(Ombruten)