
Kvirc - Possible Security Flaws?


chain


  • Site Moderator

Written by Scott | 09 August 2010

 

KVIrc's security has come under fire recently, with two recent vulnerabilities being reported regarding KVIrc's handling of DCCs. Quite recently, the discoverer of these issues has come forward under anonymity to voice claims that there are no fewer than 14 additional vulnerabilities which are known to affect the client, with several giving access to the operating system in some capacity. Many of these issues are said to be automated, requiring no user intervention in order to execute. Our source also shared several minor issues with KVIrc that were not part of this list, in order to give the claim the credibility that it requires.

 

Our source cited another issue regarding DCCs, whereby a crafted DCC SEND containing a large, even number of backslashes can cause issues with KVIrc, similar to DCC SEND "\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\" 2130708000 6667 83203. The result can soon lead to resource exhaustion due to the way in which this string is handled.

 

He also raised concern over the way in which KVS, KVIrc's scripting engine, is integrated into the client. One of the more minor results of the way in which the system is designed is that social engineering becomes almost trivial:

 

All messages are sent through the KVS engine by default, where valid nicknames and channel names can be interpreted by the scripting engine to cause unwanted side effects, such as making the user quit. Adding \nquit to a nickname would affect any KVIrc user who attempted to type the nickname in a /kick, or even a /me.

 

Such issues can be mitigated by the client with "user friendly" mode, which is hidden to users and not enabled by default. The logic behind the decision is that users should enable it if they are having issues, though users having these issues are usually more inclined to switch clients first. A bug report hinting that this might be a security issue for inexperienced users has been rejected. How are users expected to be aware of this feature if the tab completion isn't?

 

Since several serious issues supposedly remain in the client, it would appear that the KVIrc developers are going to have a rough time guaranteeing the security of its users. One would certainly hope that the remaining security issues are found and fixed in the near future.

 

IRCReport
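
As an added illustration (not code from KVIrc or from the article), here is a receiving-side check a client could apply to a DCC SEND offer like the one quoted above: it bounds the input, parses it in one pass and treats the file name as opaque data. The length cap, the rejection of backslashes and every function name are assumptions of this sketch; the article does not describe how KVIrc itself parses the string.

```python
import ipaddress
import re

MAX_NAME = 255  # assumed cap on file name length; pick what your UI and disk can take

# Quoted or bare file name, then address, port and size as ASCII decimals.
# No nested quantifiers, so matching stays linear in the input length.
_OFFER = re.compile(r'DCC SEND (?:"([^"]*)"|([^\s"]+)) ([0-9]{1,10}) ([0-9]{1,5}) ([0-9]{1,20})')


class DccRejected(ValueError):
    """Raised when an offer must be dropped without further processing."""


def parse_dcc_send(payload: str, max_name: int = MAX_NAME) -> dict:
    """Validate the body of a CTCP DCC SEND offer before the client acts on it."""
    if len(payload) > max_name + 64:  # bound the work before any parsing
        raise DccRejected("payload too long")
    m = _OFFER.fullmatch(payload)
    if m is None:
        raise DccRejected("malformed offer")
    name = m.group(1) if m.group(1) is not None else m.group(2)
    if not name or len(name) > max_name:
        raise DccRejected("bad file name length")
    # The name is opaque data: no escape processing, no path components.
    if name in (".", "..") or any(c in '\\/' or ord(c) < 32 for c in name):
        raise DccRejected("file name has path, escape or control characters")
    addr, port, size = (int(m.group(i)) for i in (3, 4, 5))
    if addr > 0xFFFFFFFF or not 1 <= port <= 65535:  # assumed policy: port 0 refused
        raise DccRejected("address or port out of range")
    return {"name": name, "host": str(ipaddress.IPv4Address(addr)), "port": port, "size": size}


def verdict(payload: str) -> str:
    """Return 'accept' or 'reject: <reason>' for one offer."""
    try:
        parse_dcc_send(payload)
        return "accept"
    except DccRejected as exc:
        return f"reject: {exc}"


if __name__ == "__main__":
    # Constructed samples; numeric fields reuse the values quoted in the article.
    samples = [
        'DCC SEND "notes.txt" 2130708000 6667 83203',
        'DCC SEND "' + "\\" * 64 + '" 2130708000 6667 83203',
        'DCC SEND "' + "A" * 100000 + '" 2130708000 6667 83203',
    ]
    for s in samples:
        print(f"{s[:40]!r:45} -> {verdict(s)}")
```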
