[OTR-dev] Libotr resend security issue

David Goulet dgoulet at ev0ke.net
Sat Nov 9 12:43:32 EST 2013


Hi everyone,

Someone on the irssi-otr tracker opened a bug a while back and by
looking at it more in depth it might be a libotr "issue".

https://github.com/cryptodotis/irssi-otr/issues/23

In a nutshell, two parties (Alice and Bob) are in a *trusted* OTR
session over IRC. Alice sends a message to Bob.

	"I have a leak..."

Just after that a "General Error" (OTRL_MSGEVENT_RCVDMSG_GENERAL_ERR) is
received by Alice stating this (irssi OTR example):

	06:37 OTR: General Error: Please type ?OTR? now...

Alice has *no* idea where this is coming from because *anyone* can
trigger that by sending a PRIVMSG to Alice simply by being identified
with Bob's nickname.

	PRIVMSG <nick> <message>

irssi-otr prints the "<message>" in the console, thus "Please type ?OTR?
now..." is the message sent in the above PRIVMSG. I've checked,
pidgin-otr does the same.

Alice reads that error and of course thinks that libotr is telling her
that a genuine error happened and that she should type that command. The
command used in this example basically renegotiates the session (?OTR?)
but if the other side switched keys to a set unknown to Alice, we end
up in a new OTR session with untrusted keys. Yes, this is far-fetched but
*very* possible with unauthenticated IRC nicknames that can be taken by
a different person.

Previously, libotr flagged the message "I have a leak..." to be resent
because of the OTR error just after. That message is then resent in the
new *unauthenticated* session by libotr! This is *really* not good. As
of now, irssi-otr and pidgin-otr (both using libotr) are affected by
this issue.

Is there any way libotr could pin the current key of the last message
and when resending make sure the keys are the same?

Also, I'm starting to think that printing the received message on error
is maybe a bad idea (or at the very least it should clearly state that
this message comes from *outside* libotr).

Cheers!
David

BTW: Huge thanks! to weinholt for that report and help. You can still
use his bot "OTRResend" on freenode for testing.
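
The key-pinning check asked for in the message above, as an added example that is not part of the original post and is not libotr code: the peer fingerprint and trust state are stored with the last message and compared before any resend. All type and function names (session_t, last_msg_t, remember_sent, try_resend, scenario) are hypothetical, and the fingerprint bytes are constructed.

```c
#include <stdio.h>
#include <string.h>

#define FP_LEN 20 /* OTR v2/v3 fingerprint: SHA-1 of the long-term public key */

/* Hypothetical model types for illustration; these are not libotr structures. */
typedef struct { unsigned char fp[FP_LEN]; int trusted; } session_t;
typedef struct {
    const char *text;                /* plaintext queued for a possible resend */
    unsigned char pinned_fp[FP_LEN]; /* peer fingerprint when it was first sent */
    int pinned_trusted;              /* trust state when it was first sent */
} last_msg_t;

enum resend { RESEND_OK, RESEND_NONE, RESEND_KEY_CHANGED, RESEND_TRUST_LOST };

/* Record the outgoing message together with the session it was written for. */
void remember_sent(last_msg_t *m, const session_t *s, const char *text) {
    m->text = text;
    memcpy(m->pinned_fp, s->fp, FP_LEN);
    m->pinned_trusted = s->trusted;
}

/* Called after a renegotiation: resend only if the peer key is unchanged and
 * the trust level has not dropped. A different key is refused even if trusted. */
enum resend try_resend(last_msg_t *m, const session_t *now) {
    enum resend r = RESEND_OK;
    if (m->text == NULL) return RESEND_NONE;
    if (memcmp(m->pinned_fp, now->fp, FP_LEN) != 0) r = RESEND_KEY_CHANGED;
    else if (m->pinned_trusted && !now->trusted) r = RESEND_TRUST_LOST;
    if (r != RESEND_OK) m->text = NULL; /* fail closed: drop it, let the user decide */
    return r;
}

/* Constructed scenario: Alice writes to a verified Bob, then the session is
 * renegotiated with either the same key or a different one. */
enum resend scenario(int same_key, int trusted_after) {
    session_t before = { {0}, 1 }, after = { {0}, trusted_after };
    last_msg_t m = { 0 };
    memset(before.fp, 0xA1, FP_LEN);
    memset(after.fp, same_key ? 0xA1 : 0xE7, FP_LEN);
    remember_sent(&m, &before, "I have a leak...");
    return try_resend(&m, &after);
}

int main(void) {
    printf("same key, still trusted: %d\n", scenario(1, 1));
    printf("new key, untrusted:      %d\n", scenario(0, 0));
    return 0;
}
```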