mIRC before 7.55 allows remote command execution by using argument injection through custom URI protocol handlers. The attacker can specify an irc:// URI that loads an arbitrary .ini file from a UNC share pathname. Exploitation depends on browser-specific URI handling (Chrome is not exploitable).
References
Link | Resource |
---|---|
https://github.com/proofofcalc/cve-2019-6453-poc | Exploit Third Party Advisory |
https://proofofcalc.com/advisories/20190218.txt | Third Party Advisory |
https://proofofcalc.com/cve-2019-6453-mIRC/ | Exploit Third Party Advisory |
https://twitter.com/proofofcalc/status/1097518413143003136 | Exploit Third Party Advisory |
https://www.exploit-db.com/exploits/46392/ | Exploit Third Party Advisory VDB Entry |
https://www.mirc.com/news.html | Product |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2019-02-18T15:00:00
Updated: 2019-02-19T14:57:01
Reserved: 2019-01-16T00:00:00
Link: CVE-2019-6453
JSON object: View
NVD Information
Status : Analyzed
Published: 2019-02-18T15:29:00.247
Modified: 2020-08-24T17:37:01.140
Link: CVE-2019-6453
JSON object: View
Redhat Information
No data.
CWE