Winamp mIRC plugin vulnerability
Affected Software
- Nullsoft mIRC Control Plug-in v0.6 (gen_mirc.dll) and other versions
- mIRC Control EX Plug-In V 2.00 (gen_ircex.dll) and other versions
- mIRCPlug v1.0, 1.2 (gen_mircplug.dll)
- … maybe other plugins?
Description
These plugins allow Winamp to notify mIRC of what track you are playing. The user can configure what command the plugin sends to mIRC, e.g. “/set %currentsong %s”, where %s is replaced by the name of the current song as given in the ID3v tag.
By putting a “|” (command separation character) followed by mIRC commands in the ID3v tag and tricking the user into playing the mp3, an attacker can take full control of a victim's computer.
Exploit
Setting the song name in the ID3v tag of an mp3 to “t | /run notepad” and playing it with Winamp, with the plugin installed and enabled and mIRC running, would start notepad.
notepad.mp3
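Mitigation sketch
The following is an added example, not code from any of the plugins above: it shows the %s substitution done without filtering next to a variant that replaces the “|” separator and control characters in the song title with spaces before the command is built. The function names and the buffer size are assumptions made for illustration; the template and title are the ones quoted in this advisory.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Find the "%s" placeholder, skipping mIRC variables such as %song. */
static const char *find_placeholder(const char *tmpl) {
    const char *p = tmpl;
    while ((p = strstr(p, "%s")) != NULL) {
        if (!isalnum((unsigned char)p[2])) return p;
        p += 2;
    }
    return NULL;
}

/* Build the command sent to mIRC (hypothetical helper).
   harden == 0: title is copied verbatim (the behaviour described above).
   harden != 0: '|' and control characters in the title become spaces.
   Returns 0 on success, -1 if there is no placeholder or out is too small.
   The template is never passed to printf-style functions, because
   "%currentsong" would be parsed as a format directive. */
int build_command(const char *tmpl, const char *title, int harden,
                  char *out, size_t outsz) {
    const char *ph = find_placeholder(tmpl);
    size_t pre, tlen, post, i;
    if (ph == NULL) return -1;
    pre = (size_t)(ph - tmpl);
    tlen = strlen(title);
    post = strlen(ph + 2);
    if (pre + tlen + post + 1 > outsz) return -1;
    memcpy(out, tmpl, pre);
    for (i = 0; i < tlen; i++) {
        unsigned char c = (unsigned char)title[i];
        out[pre + i] = (harden && (c == '|' || iscntrl(c))) ? ' ' : (char)c;
    }
    memcpy(out + pre + tlen, ph + 2, post + 1);  /* copies the NUL too */
    return 0;
}

int main(void) {
    const char *tmpl = "/set %currentsong %s";  /* template from the advisory */
    const char *title = "t | /run notepad";     /* title from the advisory */
    char cmd[256];
    if (build_command(tmpl, title, 0, cmd, sizeof cmd) == 0)
        printf("unfiltered: %s\n", cmd);
    if (build_command(tmpl, title, 1, cmd, sizeof cmd) == 0)
        printf("filtered:   %s\n", cmd);
    return 0;
}
```

With filtering enabled the whole title stays inside the single /set command, so mIRC never sees a second command.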