Bugtraq mailing list archives

psyBNC 2.3 Beta - encrypted text "spoofable" in others' irc terminal


From: "Brian Rea" <brea () physiometrics net>
Date: Tue, 22 Jan 2002 12:36:10 -0500

BACKGROUND: psyBNC (http://www.psychoid.lam3rz.de) is an IRC bouncer with a
variety of fantastic features.  One of these features is encryption of IRC
text, with keys set on a per-channel basis.

SUMMARY:  Someone (call them person A) in an IRC channel where psyBNC users
are chatting encrypted can generate channel text that would make these
encrypted users think person A is trusted and using their key.  Person A
would NOT be able to see their conversation but could "insert" lines into
it.

DETAILS:  When running psyBNC and encrypting channels, all other encrypted
users' text lines begin with the string "[B]".  This is the flag for psyBNC
to attempt to decrypt all following text.  The [B] also appears in the IRC
terminal window.  If a NON-encrypted user begins a line of text with a [B]
this won't matter... all other encrypted users will not see what was written,
as psyBNC will attempt to decrypt it and fail, leaving the line blank after
the [B].

*But* if a non-encrypted user begins a line with "[", then inserts ANSI
codes... such as turning bold on and back off again, then "B]", the encrypted
users will see the "[B]" normally AND all text that the user wrote, because
psyBNC's prefix check never saw a literal "[B]" and so never tried to decrypt
the line.

EXPLOIT:  A non-trusted, non-encrypted user (person A) who has gained access
to a channel where psyBNC users are speaking using channel encryption could
fool these encrypted users into thinking that person A is encrypted along
with them and that they should be trusted.  Person A could NOT read the
encrypted conversation but COULD type a line of text such as, say, "[B] i am
at my cousin's university but i need something from the FTP server... could
you please add this IP mask to the allowed hosts for my account?"

VERSIONS: The bnc to which I connect regularly is running psyBNC 2.3 Beta. I
am not aware how the string parsing is handled in other versions or if the
author has plans to modify the code in future releases with respect to this
matter.

RISK: Low... social engineering only, and even then the victim must be
obeying orders or fulfilling a request from someone who cannot reply to any
comments directed to him/her.  This is not likely if the victim is competent
enough to use an encrypted IRC bouncer.

AUTHOR CONTACT: email with this text dispatched on 2002/01/15 at 01:56 GMT
to psychoid () lam3rz de.  No response as of 2002/01/21 at 23:31 GMT.

SOLUTION: Difficult to say... could psyBNC simply strip all extra ANSI codes
for color, bold, etc. when users are running encrypted?  Better still, could
psyBNC check for any text that produces the string "[B]" at the start of
someone's line of text (i.e. after formatting codes are removed) and ALWAYS
attempt to decrypt it?
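The two checks contrasted above, as an added example that is not psyBNC's own code: a naive test on the raw prefix, which the formatting trick slips past, beside the proposed fix that strips formatting first and decides on what the user will actually see. The set of codes stripped (mIRC-style control characters plus ANSI escape sequences) is an assumption; the post does not say which sequences psyBNC itself handles.

```python
import re

# Marker psyBNC prepends to encrypted channel text (from the advisory).
ENC_MARKER = "[B]"

# Formatting an IRC client renders invisibly.  Assumed set: mIRC-style control
# codes (bold \x02, colour \x03 with optional fg[,bg] digits, reset \x0f,
# reverse \x16, italic \x1d, underline \x1f) and ANSI CSI sequences such as
# ESC[1m / ESC[0m.  Which of these psyBNC would have to strip is an assumption.
_FORMATTING_RE = re.compile(
    r"\x03(?:\d{1,2}(?:,\d{1,2})?)?"   # mIRC colour code with optional numbers
    r"|[\x02\x0f\x16\x1d\x1f]"         # bold, reset, reverse, italic, underline
    r"|\x1b\[[0-9;]*[A-Za-z]"          # ANSI escape sequence: ESC [ params letter
)


def strip_formatting(line: str) -> str:
    """Return the line as the terminal would display it, minus formatting codes."""
    return _FORMATTING_RE.sub("", line)


def naive_is_encrypted(line: str) -> bool:
    """The check the advisory describes: a literal '[B]' prefix on the raw text."""
    return line.startswith(ENC_MARKER)


def hardened_is_encrypted(line: str) -> bool:
    """The proposed fix: decide on the rendered text, so a '[B]' that only
    appears after formatting is removed is still treated as ciphertext and
    sent to the (failing) decryptor instead of being shown verbatim."""
    return strip_formatting(line).startswith(ENC_MARKER)


def classify(line: str) -> str:
    """'encrypted' = genuine marker on the raw text, 'spoofed' = marker appears
    only after formatting is stripped, 'plain' = no marker either way."""
    if naive_is_encrypted(line):
        return "encrypted"
    if hardened_is_encrypted(line):
        return "spoofed"
    return "plain"


# Constructed sample lines (not captured traffic; ciphertext is a placeholder).
GENUINE = "[B]" + "<ciphertext>"
SPOOFED_IRC = "[\x02\x02B] could you add this IP mask to the allowed hosts?"
SPOOFED_ANSI = "[\x1b[1m\x1b[0mB] could you add this IP mask to the allowed hosts?"
PLAIN = "hello everyone"
```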

WORKAROUND: Don't be a dumbass.  Don't let someone doing something this
stupid socially engineer you.


