psyBNC 2.3 Beta - encrypted text "spoofable" in others' irc terminal

2002-01-23T00:00:00
ID SECURITYVULNS:DOC:2399
Type securityvulns
Reporter Securityvulns
Modified 2002-01-23T00:00:00

Description

BACKGROUND: psyBNC (http://www.psychoid.lam3rz.de) is an IRC bouncer with a variety of fantastic features. One of these features is encryption of IRC text, with keys set on a per-channel basis.

SUMMARY: Someone (call them person A) in an IRC channel where psyBNC users are chatting encrypted can generate channel text that makes these encrypted users think person A is trusted and using their key. Person A would NOT be able to see their conversation but could "insert" lines into it.

DETAILS: When running psyBNC with channel encryption, all other encrypted users' text lines begin with the string "[B]". This is the flag that tells psyBNC to attempt to decrypt all following text. The [B] also appears in the IRC terminal window. If a NON-encrypted user begins a line of text with a literal [B], this won't matter: all other encrypted users will not see what was written, as psyBNC will attempt to decrypt it and fail, leaving the line blank after the [B].

But if a non-encrypted user begins a line with "[", then inserts ANSI codes (such as turning bold on and back off again), then "B]", the marker check does not match, so the encrypted users see the "[B]" rendered normally AND all of the text that the user wrote.

EXPLOIT: A non-trusted, non-encrypted user (person A) who has gained access to a channel where psyBNC users speak using channel encryption could fool these encrypted users into thinking that person A is encrypted along with them and should be trusted. Person A could NOT read the encrypted conversation but COULD type a line of text such as, say, "[B] i am at my cousin's university but i need something from the FTP server... could you please add this IP mask to the allowed hosts for my account?"

VERSIONS: The BNC to which I connect regularly is running psyBNC 2.3 Beta. I am not aware how the string parsing is handled in other versions or if the author has plans to modify the code in future releases with respect to this matter.

RISK: Low. This is social engineering only, and even then the victim must be obeying orders or fulfilling a request from someone who cannot reply to any comments directed to him/her. This is not likely if the victim is competent enough to use an encrypted IRC bouncer.

AUTHOR CONTACT: email with this text dispatched on 2002/01/15 at 01:56 GMT to psychoid@lam3rz.de. No response as of 2002/01/21 at 23:31 GMT.

SOLUTION: Difficult to say. Could psyBNC simply strip all extra ANSI codes for color, bold, etc. when users are running encrypted? Better still, could psyBNC check for any text that, once rendered, produces the string "[B]" at the start of someone's line and ALWAYS attempt to decrypt it?
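To make the DETAILS and SOLUTION paragraphs concrete, here is an added illustration (written in Python for brevity; it is not psyBNC's own code) that contrasts the naive marker check with a check on the rendered, code-stripped line. The control-code set, the sample lines and the decrypt callback are assumptions; it also assumes genuine ciphertext is printable text containing no formatting codes.

```python
import re

# Constructed sample lines, not captured from a real channel.
# 0x02 is the IRC bold toggle; ESC[1m / ESC[0m are ANSI bold on/off.
GENUINE = "[B]3f9a1c"                               # encrypted line from a key holder
PLAIN = "hello channel"                             # ordinary cleartext
SPOOF_IRC = "[\x02\x02B] please add this host"      # bold toggled inside the marker
SPOOF_ANSI = "[\x1b[1m\x1b[0mB] please add this host"

ENCRYPT_MARK = "[B]"

# IRC formatting codes (assumed set): bold, color with optional fg[,bg],
# reset, reverse, italic, underline.
IRC_CTRL = re.compile(r"\x02|\x03(?:\d{1,2}(?:,\d{1,2})?)?|\x0f|\x16|\x1d|\x1f")
# ANSI CSI sequences such as ESC[1m.
ANSI_CSI = re.compile(r"\x1b\[[0-9;?]*[ -/]*[@-~]")


def normalize(line):
    """Strip every formatting code so the check sees what the terminal renders."""
    return ANSI_CSI.sub("", IRC_CTRL.sub("", line))


def naive_is_encrypted(line):
    """The weak check: a formatting code between '[' and 'B]' defeats it."""
    return line.startswith(ENCRYPT_MARK)


def hardened_is_encrypted(line):
    """The proposed check: decide on the rendered text, not the raw bytes."""
    return normalize(line).startswith(ENCRYPT_MARK)


def render(line, decrypt):
    """Display path: anything that renders as '[B]...' is ALWAYS treated as
    ciphertext. decrypt(payload) returns plaintext, or None on failure, in
    which case an explicit marker is shown instead of the sender's text."""
    clean = normalize(line)
    if not clean.startswith(ENCRYPT_MARK):
        return clean
    plaintext = decrypt(clean[len(ENCRYPT_MARK):])
    if plaintext is None:
        return "[B] <undecryptable: sender does not hold the channel key>"
    return "[B] " + plaintext
```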

WORKAROUND: don't be a dumbass. don't let someone doing something this stupid socially engineer you.