| Latest revision |
Your text |
| Line 1: |
Line 1: |
| | {{mirc title|mSL Injection}} | | {{mirc title|mSL Injection}} |
| − | '''mSL injection''' (mIRC Scripting Language injection) is a code injection technique that exploits mIRC's ability to dynamically evaluate code on the run. With mSLs powerful commands and identifiers, the result of a code injection attack can be disastrous. It is important that you understand what to look for when working with vulnerable commands. | + | '''mSL injection''' is a code injection technique that exploits mIRC's ability to dynamically evaluate code on the run. With mSLs powerful commands and identifiers, the result of a code injection attack can be disastrous. It is important that you understand what to look for when working with vulnerable commands. |
| | | | |
| | This tutorial will try to summarize for you what commands are problematic, how to detect it, and how to fix it. | | This tutorial will try to summarize for you what commands are problematic, how to detect it, and how to fix it. |
| Line 62: |
Line 62: |
| | Indeed, /timer evaluated the parameter once: $2 is evaluated to 18000 and $3- to "jill's birthday tomorrow!" | | Indeed, /timer evaluated the parameter once: $2 is evaluated to 18000 and $3- to "jill's birthday tomorrow!" |
| | | | |
| − | The associated command of the timer is correctly <code>notice Mike [Reminder] jill's birthday tomorrow! (Set 18000 seconds ago)</code>, when the timer fires, the /notice command will see its parameters evaluated once, but there is nothing to evaluate in this case. | + | The associated command of the timer is correctly "notice Mike [Reminder] jill's birthday tomorrow! (Set 18000 seconds ago)", when the timer fires, the /notice command will see its parameters evaluated once, but there is nothing to evaluate in this case. |
| | | | |
| | Although this script might seem simple, let's take a look at what happens when someone provides incorrect or even malicious input as in this case: | | Although this script might seem simple, let's take a look at what happens when someone provides incorrect or even malicious input as in this case: |
| Line 72: |
Line 72: |
| | This is an msl injection attack. Let's take a deeper look into what has happened: | | This is an msl injection attack. Let's take a deeper look into what has happened: |
| | | | |
| − | As we know, /timer evaluated the parameter once; $2 is evaluated to <code>0</code> and $3- is evaluated to <code>. | ns drop nick | quit hacked!</code> | + | As we know, /timer evaluated the parameter once; $2 is evaluated to 0 and $3- is evaluated to ". | ns drop nick | quit hacked!" |
| | | | |
| − | So now, the associated command of the timer becomes <code>.notice Mike [Reminder] . | ns drop nick | quit hacked!</code> and you might be recognizing the pipe character, used to separate commands, which mIRC will interpret as such, resulting in /ns drop nick and /quit hacked! being executed. | + | So now, the associated command of the timer becomes "notice Mike [Reminder] . | ns drop nick | quit hacked!" and you might be recognizing the pipe character, used to seperate commands, which mIRC will interpret as such, resulting in /ns drop nick and /quit hacked! being executed. |
| | | | |
| | Clearly, you can see how the timer command can be extremely dangerous. The unfortunate part is that there is no clean way of solving this problem. The only way to prevent this from happening is to encode the problematic parameters so that when they get evaluated, they produce something which needs one more evaluation to produce the correct value. We usually do that by encoding the parameters using based64 encoding. Below is an alias to perform this: | | Clearly, you can see how the timer command can be extremely dangerous. The unfortunate part is that there is no clean way of solving this problem. The only way to prevent this from happening is to encode the problematic parameters so that when they get evaluated, they produce something which needs one more evaluation to produce the correct value. We usually do that by encoding the parameters using based64 encoding. Below is an alias to perform this: |
| Line 97: |
Line 97: |
| | And Mike now can't do anything harmful. | | And Mike now can't do anything harmful. |
| | | | |
| − | /timer will evaluate the parameter as we know but this time, $safe($3-) where $3- is <code>. | ns drop nick | quit hacked!</code> is evaluated to <code>{{mIRC|$decode}}( LiB8IG5zIGRyb3AgbmljayB8IHF1aXQgaGFja2VkIQ== ,m)</code> and $safe($2) to <code>{{mIRC|$decode}}( MTgwMDA= ,m)</code>. | + | /timer will evaluate the parameter as we know but this time, $safe($3-) where $3- is ". | ns drop nick | quit hacked!" is evaluated to "{{mIRC|$decode}}( LiB8IG5zIGRyb3AgbmljayB8IHF1aXQgaGFja2VkIQ== ,m)" and $safe($2) to "{{mIRC|$decode}}( MTgwMDA= ,m)". |
| | | | |
| − | The command associated with the timer now becomes <code>{{mIRC|/notice}} Mike [Reminder] {{mIRC|$decode}}( LiB8IG5zIGRyb3AgbmljayB8IHF1aXQgaGFja2VkIQ== ,m) (Set {{mIRC|$decode}}( MTgwMDA= ,m) seconds ago)</code> and those {{mIRC|$decode}}, when evaluated once by {{mIRC|/notice}}, will produce the correct result (the original input of Mike). | + | The command associated with the timer nows becomes "{{mIRC|/notice}} Mike [Reminder] {{mIRC|$decode}}( LiB8IG5zIGRyb3AgbmljayB8IHF1aXQgaGFja2VkIQ== ,m) (Set {{mIRC|$decode}}( MTgwMDA= ,m) seconds ago)" and those {{mIRC|$decode}}, when evaluated once by {{mIRC|/notice}}, will produce the correct result (the original input of Mike). |
| | | | |
| | Now you don't need to do that for any {{mIRC|/timer}} command of course, only when the parameter is unknown at the time you are writing the script, such as $2 and $3- here. | | Now you don't need to do that for any {{mIRC|/timer}} command of course, only when the parameter is unknown at the time you are writing the script, such as $2 and $3- here. |
| Line 166: |
Line 166: |
| | <syntaxhighlight lang="mirc">on *:text:!global *:#:{ | | <syntaxhighlight lang="mirc">on *:text:!global *:#:{ |
| | var %a $1- | | var %a $1- |
| − | scon -at1 amsg [AMSG] % $+ a | + | scon -at1 amsg [AMSG] % $+ %a |
| | }</syntaxhighlight> | | }</syntaxhighlight> |
| | | | |
| − | The associated command becomes <code>amsg [AMSG] %a</code> and %a is evaluated correctly to produce the user's message. | + | The associated command becomes "amsg [AMSG] %a" and %a is evaluated correctly to produce the user's message. |
| | | | |
| | '''Note''': /scid and /scon can be used to change the current connection only, in this case you can just execute the command normally after, does not work for /scon -a for example. | | '''Note''': /scid and /scon can be used to change the current connection only, in this case you can just execute the command normally after, does not work for /scon -a for example. |
| Line 181: |
Line 181: |
| | Though /flash is the only command doing it for now, more command might do this in the future. {{mIRC|/flash}} does not take a new command as one of its parameter but it can take a text as an optional parameter, to be used automatically later, that text will be evaluated once by {{mIRC|/flash}}, and mIRC will also evaluate the text parameter once when applying the flash: | | Though /flash is the only command doing it for now, more command might do this in the future. {{mIRC|/flash}} does not take a new command as one of its parameter but it can take a text as an optional parameter, to be used automatically later, that text will be evaluated once by {{mIRC|/flash}}, and mIRC will also evaluate the text parameter once when applying the flash: |
| | | | |
| − | <syntaxhighlight lang="mirc">on *:text:!testflash:#:/flash $ $+ me</syntaxhighlight> | + | <syntaxhighlight lang="mirc">on *:text:!testflash:#:/flash $ $+ $me</syntaxhighlight> |
| | | | |
| | So $ $+ me evaluates to "{{mIRC|$me}}" by {{mIRC|/flash}}, and $me will be evaluated to your nickname (that text appears in mIRC's titlebar). | | So $ $+ me evaluates to "{{mIRC|$me}}" by {{mIRC|/flash}}, and $me will be evaluated to your nickname (that text appears in mIRC's titlebar). |
| Line 241: |
Line 241: |
| | msg $chan [[ $+ $nick $+ ] $v1 | | msg $chan [[ $+ $nick $+ ] $v1 |
| | } | | } |
| − | }</syntaxhighlight>
| |
| − |
| |
| − | == $submenu ==
| |
| − |
| |
| − | The value returned by the alias called by $submenu is evaluated a second time, again, $safe and similar methods are your friend:
| |
| − |
| |
| − | <syntaxhighlight lang="mirc">menu menubar {
| |
| − | double evaluation
| |
| − | .$submenu($testsm($1))
| |
| − | }
| |
| − | alias testsm {
| |
| − | if ($1 == 1) return item : echo -ag > $!!me
| |
| | }</syntaxhighlight> | | }</syntaxhighlight> |
| | | | |
| | == $calc() == | | == $calc() == |
| − | ALL unknown (in advance) input to {{mIRC|$calc}} should be validated. $calc has its own special evaluation routine, it possesses the ability to double evaluate variables and identifier if their value returns a %variable. Consider the following code: | + | ALL input to {{mIRC|$calc}} should be validated. Since $calc has its own special evaluation routine, it possesses the ability to evaluate variables from within text. Consider the following code: |
| | | | |
| | <syntaxhighlight lang="mirc">//var %x = 12345 | tokenize 32 % $+ x | echo -a $1 = $calc($1)</syntaxhighlight> | | <syntaxhighlight lang="mirc">//var %x = 12345 | tokenize 32 % $+ x | echo -a $1 = $calc($1)</syntaxhighlight> |
| Line 291: |
Line 279: |
| | | | |
| | It's important to note that EVEN if %password was set to "1234rosebud". The $calc() will return "1234", which is not the whole password but it's a big chunk of it. | | It's important to note that EVEN if %password was set to "1234rosebud". The $calc() will return "1234", which is not the whole password but it's a big chunk of it. |
| − |
| |
| − | A simple way to prevent this from happening with such a script is to restrict the usage to input which do not contain identifiers and %variables:
| |
| − |
| |
| − | <syntaxhighlight lang="mirc">
| |
| − | on *:text:!calc *:#:{
| |
| − | if (!$regex($2-,/\$\S+|%\S+/)) {
| |
| − | msg $nick [Calc] $2- = $calc($2-)
| |
| − | }
| |
| − | }</syntaxhighlight>
| |
| − |
| |
| − | == $decode ==
| |
| − |
| |
| − | This is not really an exploit, but is a way for someone to disguise their malicious command. It can't be executed except by someone taking advantage of the $iif() bug below, or else as part of a script. When a /command is typed in a channel editbox, it will not let anything be executed if it's a command which begins with a % or a $, but that behavior does not extend to remote scripts.
| |
| − |
| |
| − | <syntaxhighlight lang="mirc">
| |
| − | //var %cmd echo | [ %cmd ] 4 -a hello world
| |
| − | </syntaxhighlight>
| |
| − |
| |
| − | Pasting the above command into an editbox echoes 'hello world' to the active window in red text. However it won't work if the square braces are removed, because the command beginning with % halts the editbox command, but doesn't halt the same thing in a remote script.
| |
| − |
| |
| − | Something similar can be done with $decode, but it only works if $decode(string) is placed somewhere which allows its contents to be evaluated/executed, which includes the $iif bug, placing into a timer's command line, inside square braces, etc. Below shows how the decode string is created, but the echo command is NOT executed by $decode, but by the fact that the decoded string is placed into the timer's command string. If the "timer 1 1" had not been there, this would have executed the echo command if it were inside a remote script, but would not have executed in the editbox simply because the editbox doesn't execute commands beginning with % or $.
| |
| − |
| |
| − | <syntaxhighlight lang="mirc">
| |
| − | //var -s %a $remove($encode(echo 4 -a hello world,m),=) | timer 1 1 $decode(ZWNobyA0IC1hIGhlbGxvIHdvcmxk,m)
| |
| − | </syntaxhighlight>
| |
| − |
| |
| − | == $findfile $finddir $hfind $dllcall etc ==
| |
| − |
| |
| − | This category relates to identifiers who have a 'command parm' or a 'callback alias' where a malicious command could be placed. It's harder for $hfind and $dllcall to be exploited, because they require knowing the name of an existing hashtable or the pathname to a dll file. However, there's always at least 1 filename in the $mircdir folder, so the following /noop command can be used to execute the encoded echo command contained in $findfile's command parm. Again, the $decode command is not executing the command, it's just disguising the command that has been placed into a location which executes code placed there. The following 3 commands are doing the exact same thing, with the only difference being that $decode is hiding what the payload command actually is.
| |
| − |
| |
| − | <syntaxhighlight lang="mirc">
| |
| − | //noop $findfile(.,*,1, $decode(ZWNobyA0IC1hIGhlbGxvIHdvcmxk,m) )
| |
| − | //noop $findfile(.,*,1, $+(echo 4 -a hello world) )
| |
| − | //noop $findfile(.,*,1, echo 4 -a hello world )
| |
| − | </syntaxhighlight>
| |
| | | | |
| | = Injection via Bugs = | | = Injection via Bugs = |
| Line 344: |
Line 297: |
| | The abuse of this is limited as the user of mIRC would either have to code the malformed $iif() statement or be tricked into issuing it from something such as the editbox. Be careful! | | The abuse of this is limited as the user of mIRC would either have to code the malformed $iif() statement or be tricked into issuing it from something such as the editbox. Be careful! |
| | | | |
| − | = Injection via mIRC configuration =
| + | [[Category: mIRC|msl injection]] |
| − | | |
| − | You should inspect your mIRC settings for certain things which can be used to exploit you. If you check these things, you can help defend against some exploits which depend on a combination of factors, where just severing 1 link in the chain prevents the exploit.<br>
| |
| − | | |
| − | First, check the Options menu of your Alt+R scripts editor. It's a good idea set a few options here which can prevent problems.
| |
| − | | |
| − | # Identifier warning
| |
| − | | |
| − | This halts a script when an invalid identifier name is used, rather than evaluating the identifier as $null. The error warning can alert you to a script error which can cause it to not do as you expect.
| |
| − | | |
| − | <syntaxhighlight lang="mirc">
| |
| − | alias identwarntest {
| |
| − | $nosuchidentifier echo -a hello world
| |
| − | }
| |
| − | </syntaxhighlight>
| |
| − | | |
| − | If you do not have identifier warning, and the above identifier is the mis-typing of an identifier which was supposed to return either "echo -a" or "notice $nick" or "msg #channel", then without identifier warning being checked, that identifier evaluates to $null, causing the remainder of the command to be executed. If the 1st word is not a valid command, mIRC sends the command to a server in case that's a valid server command, which makes it possible to leak sensitive info in some cases. By halting the script with an identifier warning, this gives a chance to fix your script.
| |
| − | | |
| − | # Initialization Warning
| |
| − | | |
| − | This warns if the /load command or the script-editor's /file/open has loaded a script containing :START" or :LOAD: events which would execute code immediately. This still doesn't defend against scripts containing :TEXT: or other events which could be triggered *later*, and doesn't defend if /reload was used instead of /load.
| |
| − | | |
| − | # Monitor File Changes
| |
| − | | |
| − | This warns if a loaded script has changed without being changed by the scripts editor itself. Sometimes it can be caused by your editing scripts in a 3rd party editor such as notepad, but it could also be caused by a script using /write to alter itself or a different script.
| |
| − | | |
| − | * It's possible to have a script loaded that you don't realize.
| |
| − | | |
| − | <syntaxhighlight lang="mirc">
| |
| − | //write $chr(160) test | .reload -rs999 $chr(160)
| |
| − | </syntaxhighlight>
| |
| − | | |
| − | This creates a file without a filetype, where the filename itself is not visible in most fonts, then loads it as a remote script. All you see in the script editor's "view" menu is an extra-thick border at the bottom of the scripts list, and if you have too many scripts loaded, it's hiding inside the "more" list. This next command lists all the scripts you have loaded. If you see a line showing nothing between the double quotes or is something you don't recognize, you should investigate and possibly unload it.
| |
| − | | |
| − | <syntaxhighlight lang="mirc">
| |
| − | //var %i 1 | while ($script(%i)) { echo -a %i : $qt($nopath($script(%i))) | inc %i }
| |
| − | </syntaxhighlight>
| |
| − | | |
| − | * Restricting DCC Get filetypes.
| |
| − | | |
| − | You should view the contents of your downloads folder with suspicion if you don't know from whom you received the file. If you disable filetype blocking, you should do it temporarily, by using the "turn ignore back on in xx minutes" feature, which causes the 'disable' choice to revert back to the prior 'accept only' or 'ignore only' setting.<br>
| |
| − | | |
| − | While you can either configure Options/DCC/Ignore as 'ignore only' to specify a list of filetypes to be blocked, or as 'accept only' to specify a list of the only filetypes accepted, 'ignore only' requires updating the list as new executable filetypes need to be added. It's probably better to use 'accept only', since this allows you to manage the list of the only filetypes which are accepted. You should block all executable filetypes, without expecting to be able to inspect the download folder for suspicious items.
| |
| − | | |
| − | <syntaxhighlight lang="mirc">
| |
| − | //var %a $chr(8238) $+ piz.!wen.oediv.ezicr.exe | echo -a write %a test
| |
| − | </syntaxhighlight>
| |
| − | | |
| − | As you can see from the above command, this is a filename ending with .exe, which means it's an executible filetype. However, if your windows font is unicode-aware, and you use "/run ." to view the contents of your mirc folder, you'll see that this .exe file appears as if it's a .zip file. If someone created an .exe file containing the icon normally associated with .zip files, then renames it to this filename, and then uses DCC to send this file to you - it would appear as if it's a .zip file that's safe to click on to view the contents. This next event handler creates a log of the files you've received via DCC, and allows you to check later to see who sent an unknown file to you.
| |
| − | | |
| − | <syntaxhighlight lang="mirc">
| |
| − | on *:FILERCVD:*:{
| |
| − | write getlog.txt $time(yyyy.mm.dd HH:nn:ss) $network $nick $get(-1).ip $address($nick,5) $get(-1).size file: $filename
| |
| − | }
| |
| − | </syntaxhighlight>
| |
| − | | |
| − | = Injection via server command =
| |
| − | | |
| − | IRC servers accept strings containing $crlf $lf or $cr and will execute text following the line-ending as a 2nd server command using whatever permissions belong to your nick at that time.
| |
| − | <pre>
| |
| − | //msg #channel message $crlf mode #home +o Mallory
| |
| − | </pre>
| |
| − | When the server receives this message from mIRC, it uses the $crlf to split this into 2 commands. The first command displays the message to #channel, and the 2nd command tells the server to give @op status in channel #home to Mallory. If you do not have permissions in #home to give @ops, or if a nick Mallory is not in that channel, nothing happens. But if both are true, then you have just given op status to Mallory.
| |
| − | | |
| − | This method can only tell the server to execute commands recognized by the server. It does not know any mIRC-only /commands or $identifiers, and the 2nd command is executed even if the 1st command is invalid, such as #channel not existing. This means echoing such a string is no danger, because /echo will not send any string to a server, and it will not execute them either.
| |
| − | | |
| − | This exploit cannot be achieved by responding to an ON TEXT command, because the server cannot display a message to a channel which contains an embedded $cr and/or $lf.
| |
| − | | |
| − | However, this exploit can take advantage of scripts which send text to channels which can contain them. Examples could include the above examples of an evaluated command inside a $decode string, or can be accomplished by a script which messages the title/description or other content from a webpage that the attacker controls. Another method can be 'now playing' scripts which message text to channel describing information about the mp3 song that is either beginning or ending. While it's common for fields like $sound(filename.mp3).comment to contain $cr's, they generally are not displayed in channel messages. However, it's also possible for Album or Title to also contain them.
| |
| − | | |
| − | In addition to executing commands to give @op privileges to someone, the malicious commands could include things like making you drop your nickserv account at some ircd's. Also, they can induce you to execute commands which have a future effect, such as adding a nick to a chanserv access list, or a command to add Mallory's certificate fingerprint to your nickserv account, which would allow them to take channel actions in the future, or to login your nickserv account any time in the future, even if you change your nickserv password. While those would almost certainly trigger a confirmation message from chanserv or nickserv, those messages often go into the status window, and would often be unseen, especially if they happened while your keyboard is unattended.
| |
| − | | |
| − | To defend against such an exploit, any command sent to the server (not only a channel message) containing text that could come from a source which contains line-ending characters should be sanitized to remove/disable them.
| |
| − | | |
| − | <pre>
| |
| − | $remove(string,$cr,$lf)
| |
| − | </pre>
| |
| − | This sanitizing would cause both strings to be combined as a single string, so if the first message is a plausible channel message, the hidden message is displayed as part of the channel message
| |
| − | | |
| − | However, this is not sufficient if the first server command is able to cause damage even if combined with additional text, such as when the first command is the give-them-@ops command. The better defense is to halt the server command if the string contains a $cr and/or $lf that shouldn't be there:
| |
| − | | |
| − | <pre>
| |
| − | if ($cr isin $replace(string,$lf,$cr)) { echo -a string exploit attempt: $2 | halt }
| |
| − | </pre>
| |
