psyBNC 2.3 Beta - encrypted text "spoofable" in others' irc terminal

From: Brian Rea (brea@physiometrics.net)
Date: 01/22/02


From: "Brian Rea" <brea@physiometrics.net>
To: <bugtraq@securityfocus.com>
Date: Tue, 22 Jan 2002 12:36:10 -0500

BACKGROUND: psyBNC (http://www.psychoid.lam3rz.de) is an IRC bouncer with a
variety of fantastic features. one of these features is encryption of irc
text, with keys set on a per-channel basis.

SUMMARY: someone (call them person A) in an irc channel where psyBNC users
are chatting encrypted can generate channel text that would make these
encrypted users think person A is trusted and using their key. person A
would NOT be able to see their conversation but could "insert" lines into
it.

DETAILS: when running psyBNC and encrypting channels, all other encrypted
users' text lines begin with the string "[B]". this is the flag for psyBNC
to attempt to decrypt all following text. the [B] also appears in the irc
terminal window. if a NON encrypted user begins a line of text with a [B]
this won't matter... all other encrypted users will not see what was written,
as psyBNC will attempt to decrypt it and fail doing so, leaving the line
blank after the [B].

*But* if a non-encrypted user begins a line with "[" then inserts ANSI
codes... such as turning bold on and back off again, then "B]", the encrypted
users will see the "[B]" normally AND all text that the user wrote.

EXPLOIT: a non-trusted, non-encrypted user (person A) who has gained access
to a channel where psyBNC users are speaking using channel encryption could
fool these encrypted users into thinking that person A is encrypted along
with them and that they should be trusted. person A could NOT read the
encrypted conversation but COULD type a line of text such as, say, "[B] i am
at my cousin's university but i need something from the FTP server... could
you please add this IP mask to the allowed hosts for my account?"

VERSIONS: the bnc to which i connect regularly is running psyBNC 2.3 Beta. i
am not aware how the string parsing is handled in other versions or if the
author has plans to modify the code in future releases with respect to this
matter.

RISK: low... social engineering only, and even then the victim must be
obeying orders or fulfilling a request by someone who cannot reply to any
comments directed to him/her. this is not likely if the victim is competent
enough to use an encrypted irc bouncer.

AUTHOR CONTACT: email with this text dispatched on 2002/01/15 at 01:56 GMT
to psychoid@lam3rz.de. No response as of 2002/01/21 at 23:31 GMT.

SOLUTION: difficult to say... could psyBNC simply strip all extra ANSI codes
for color, bold, etc. when users are running encrypted? better still, could
psyBNC check for any text that produces a string "[B]" as someone's first
line of text and ALWAYS attempt to decrypt it?
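The check the SOLUTION paragraph asks for, as an added example that is not psyBNC's code: normalise each line to what the terminal actually renders before looking for the "[B]" marker, so a line with formatting codes hidden between "[" and "B]" is flagged as a spoof instead of being displayed as if it came from a keyholder. Assumptions: mIRC-style control codes and ANSI CSI escapes stand in for what the post calls "ANSI codes", and toy_decrypt (plain hex decoding) stands in for psyBNC's real channel cipher.

```python
import re
from typing import Callable, Optional, Tuple

ENC_MARKER = "[B]"  # prefix psyBNC puts on encrypted channel text (from the post)

# Formatting codes an IRC terminal renders invisibly. Assumption: mIRC-style
# control codes (bold \x02, colour \x03nn,nn, reset \x0f, ...) and ANSI CSI
# escapes (ESC [ ... m) are what the post calls "ANSI codes".
_MIRC_CODES = re.compile(r"\x03(?:\d{1,2}(?:,\d{1,2})?)?|[\x02\x0f\x16\x1d\x1f]")
_ANSI_CSI = re.compile(r"\x1b\[[0-?]*[ -/]*[@-~]")

def strip_formatting(text: str) -> str:
    """Return the line as it reads on screen, with all formatting codes removed."""
    return _MIRC_CODES.sub("", _ANSI_CSI.sub("", text))

def toy_decrypt(payload: str) -> Optional[str]:
    """Stand-in for psyBNC's channel cipher (NOT its real algorithm): the
    'ciphertext' is hex-encoded ASCII; anything else fails to decrypt."""
    try:
        return bytes.fromhex(payload).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None

def classify_line(raw: str, decrypt: Callable[[str], Optional[str]]) -> Tuple[str, str]:
    """Classify one channel line the way a keyholder's client should:
    encrypted - literal [B] prefix and the payload decrypts: show plaintext
    garbage   - literal [B] prefix, payload does not decrypt: show nothing
    spoofed   - no literal prefix but the *rendered* text starts with [B]
                (the "[" + formatting codes + "B]" trick): flag, don't display
    plain     - ordinary cleartext
    """
    if raw.startswith(ENC_MARKER):
        plaintext = decrypt(raw[len(ENC_MARKER):])
        return ("encrypted", plaintext) if plaintext is not None else ("garbage", "")
    rendered = strip_formatting(raw)
    if rendered.startswith(ENC_MARKER):
        return ("spoofed", rendered)
    return ("plain", rendered)

if __name__ == "__main__":
    # Constructed sample lines: a genuine encrypted line, a bare "[B]" from an
    # outsider, and the spoof with bold-on/bold-off hidden between "[" and "B]".
    for line in ("[B]" + "lunch at 1?".encode().hex(),
                 "[B] i am at my cousin's university",
                 "[\x02\x02B] could you add this IP mask to the allowed hosts?"):
        print(classify_line(line, toy_decrypt))
```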

WORKAROUND: don't be a dumbass. don't let someone doing something this
stupid socially engineer you.
