Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

RE: Skype security advisory
From: "Brown, Bobby (US - Hermitage)" <bobbrown () deloitte com>
Date: Wed, 26 Oct 2005 14:53:10 -0500

I have the question, can the exploit be perform with no interaction of the user other than having the program running 
waiting for a connection or is it only valid after a user accepted a connection and then the flaw is exploited?

BB


-----Original Message-----
From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of . 
EADS CCR DCR/STI/C
Sent: Tuesday, October 25, 2005 12:17 PM
To: full-disclosure () lists grok org uk; bugtraq () securityfocus com; vulndev () securityfocus com
Subject: [Full-disclosure] Skype security advisory

Synopsis 
======== 
 
The EADS/CRC security team discovered a flaw  in  Skype  client.

Skype is a P2P VoIP software that can bypass firewalls  and  NAT
to connect to the Skype network. Skype is very  popular  because
of its sound quality and ease of use.

Skype client is available for Windows, Linux,  Mac  OS  X,   and
PocketPC.

A remotely exploitable flaw exists in  the  parser  of  packets.
Exploitation  is  possible  through  a  single    UDP    packet.


Impact
======
 
An attacker can  send  a  specially  crafted  packet  that  will
trigger a heap overflow condition and execute arbitrary code  on
the target. Hence, an attacker can  gain  full  control  of  the
target. Conversely to  what  is  written  in  Skype's  advisory,
remote code execution *is* possible. 


Affected Versions 
================= 
 
Skype for Windows (including XP SP2 hosts): 
All releases prior to and including 1.4.*.83 
 
Skype for Mac OS X: 
All releases prior to and including 1.3.*.16 
 
Skype for Linux: 
All releases prior to and including 1.2.*.17 
 
Skype for Pocket PC: 
All releases prior to and including 1.1.*.6 
 

Description 
=========== 
 
Skype uses several  data  formats.   Each  format  has  its  own
specific parser. Note that data format  will  not  be  described
here, for the sake of clarity. A specific encoding  is  used  to
store numbers, that will be referred  as  VLD  (Variable  Length
Data) in this advisory.

The data causing the overflow has the following format:
------------------------------------ 
| Object Counter*  | M objects     | 
| M (VLD)          | (VLD)         | 
------------------------------------ 
* The first number in the packet is the amount of forthcoming 
objects. 
 
The amount of memory allocated by the  parser  is  prone  to  an
integer wrap-around. The allocated  size  is  4*M.   Thus,   the
overflow occurs when M is greater than 0x40000000:  e. g.   when
M=0x40000010, HeapAlloc(0x40) is called, but  up  to  0x40000010
objects are effectively read in  the  packet  and  written  into
memory.

Since the attacker controls both M and all other objects in  the
packet, he can overwrite an  arbitrary  amount  of  memory  with
chosen values, thus easily  gaining  control  of  the  execution
flow. 

The corresponding parsing code roughly translates in C as 
following: 
 
--------------------------------------------------------- 
// read a VLD from input stream 
// return 0 on error 
int get_vld(unsigned int*); 
 
unsigned int object_counter; 
unsigned int i; 
unsigned int * tab_objects; 
 
// read object count (M) 
if (get_vld(&object_counter)==0) 
        fault(); 
 
// allocate memory to store sub-objects 
tab_objects = HeapAlloc( sizeof(unsigned int) * object_counter ); 
if (tab_objects ==NULL) 
        fault(); 
 
// read and store M sub-objects 
for (i=0;i<object_counter;i++) 
{ 
        if (get_vld(&tab_objects[i])==0) 
                fault(); 
} 
 
return; 
--------------------------------------------------------- 


Exploitation 
============ 
We were able to  design  a  proof-of-concept  exploitation  code
targeting Windows XP SP2 and Linux clients using  a  single  UDP
packet.  Remote  exploitation  is  also  possible  through  TCP.

Due to favorable environmental conditions, this particular  heap
overflow *is* also exploitable on  heap-protected  systems  such
as Windows  XP  SP2  and  some  Linux  distributions.   This  is
possible because Skype stores function  pointers  in  the  heap,
and  those  pointers  can  be  overwritten  by  the    overflow.
 
 
Detection 
========= 
As Skype uses encryption mechanisms, it seems difficult for  any
IDS/IPS  to  be  able  to  detect   the    offensive    payload.

 
Solution 
========
Skype has issued fixes. Details are available in their advisory: 
http://www.skype.net/security/skype-sb-2005-03.html 
 
 
Vendor response 
=============== 
Skype advisory: 
http://www.skype.com/security/skype-sb-2005-03.html 

Disclosure timeline 
=================== 
Oct 17 2005: EADS CRC contacted Skype Security Team 
Oct 17 2005: Skype responded to EADS CRC 
Oct 25 2005: new patched version available 
 
 
Legal notices 
============= 
Copyright (c) 2005 EADS/CRC All rights reserved. 
 
This  EADS  CRC  Security  Bulletin  may  be   reproduced    and
distributed, provided that the Bulletin is not modified  in  any
way, is attributed to EADS/CRC, and provided  that  reproduction
and  distribution  is  performed  for  non-commercial  purposes.
 
This EADS CRC Security Bulletin is provided to  you  on  an  "AS
IS"  basis  and  may  contain  information  provided  by   third
parties. EADS CRC makes no guarantees or warranties  as  to  the
information contained herein. 

ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED,   INCLUDING  WITHOUT
LIMITATION  WARRANTIES  OF  MERCHANTABILITY,   FITNESS  FOR    A
PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED.  
 
Contact 
======= 
dcrstic.ccr <.a.t.> eads.net 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/ 


About Deloitte


Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, its member firms and their respective 
subsidiaries and affiliates. As a Swiss Verein (association), neither Deloitte Touche Tohmatsu nor any of its member 
firms has any liability for each other's acts or omissions. Each of the member firms is a separate and independent 
legal entity operating under the names "Deloitte," "Deloitte & Touche," "Deloitte Touche Tohmatsu," or other related 
names. Services are provided by the member firms or their subsidiaries or affiliates and not by the Deloitte Touche 
Tohmatsu Verein.


Deloitte & Touche USA LLP is the U.S. member firm of Deloitte Touche Tohmatsu.  In the U.S., services are provided by 
the subsidiaries of Deloitte & Touche USA LLP (Deloitte & Touche LLP, Deloitte Consulting LLP, Deloitte Financial 
Advisory Services LLP, Deloitte Tax LLP and their subsidiaries), and not by Deloitte & Touche USA LLP. 



[v.I.1] 


This message (including any attachments) contains confidential information intended for a specific individual and 
purpose, and is protected by law.  If you are not the intended recipient, you should delete this message. 


Any disclosure, copying, or distribution of this message, or the taking of any action based on it, is strictly 
prohibited. [v.E.1]
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]