Full Disclosure mailing list archives

Re: Skype security advisory
From: "sk" <sk () groundzero-security com>
Date: Thu, 27 Oct 2005 00:44:56 +0200

I didn't test it myself, but since UDP is a connectionless protocol I suspect
it works without any user interaction.

- sk
http://www.groundzero-security.com

----- Original Message ----- 
From: "Brown, Bobby (US - Hermitage)" <bobbrown () deloitte com>
To: <full-disclosure () lists grok org uk>
Sent: Wednesday, October 26, 2005 9:53 PM
Subject: RE: [Full-disclosure] Skype security advisory


I have a question: can the exploit be performed with no interaction from the
user other than having the program running, waiting for a connection, or is it
only valid after a user has accepted a connection and then the flaw is
exploited?

BB


-----Original Message-----
From: full-disclosure-bounces () lists grok org uk
[mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of . EADS CCR
DCR/STI/C
Sent: Tuesday, October 25, 2005 12:17 PM
To: full-disclosure () lists grok org uk; bugtraq () securityfocus com;
vulndev () securityfocus com
Subject: [Full-disclosure] Skype security advisory

Synopsis
========

The EADS/CRC security team discovered a flaw in the Skype client.

Skype is a P2P VoIP software that can bypass firewalls and NAT
to connect to the Skype network. Skype is very popular because
of its sound quality and ease of use.

The Skype client is available for Windows, Linux, Mac OS X, and
PocketPC.

A remotely exploitable flaw exists in the parser of packets.
Exploitation is possible through a single UDP packet.


Impact
======

An attacker can send a specially crafted packet that will
trigger a heap overflow condition and execute arbitrary code on
the target. Hence, an attacker can gain full control of the
target. Contrary to what is written in Skype's advisory,
remote code execution *is* possible.


Affected Versions
=================

Skype for Windows (including XP SP2 hosts):
All releases prior to and including 1.4.*.83

Skype for Mac OS X:
All releases prior to and including 1.3.*.16

Skype for Linux:
All releases prior to and including 1.2.*.17

Skype for Pocket PC:
All releases prior to and including 1.1.*.6


Description
===========

Skype uses several data formats. Each format has its own
specific parser. Note that the data formats will not be described
here, for the sake of clarity. A specific encoding is used to
store numbers, which will be referred to as VLD (Variable Length
Data) in this advisory.

The data causing the overflow has the following format:
------------------------------------ 
| Object Counter*  | M objects     |
| M (VLD)          | (VLD)         |
------------------------------------ 
* The first number in the packet is the amount of forthcoming
objects.

The amount of memory allocated by the parser is prone to an
integer wrap-around. The allocated size is 4*M. Thus, the
overflow occurs when M is greater than 0x40000000: e.g. when
M=0x40000010, HeapAlloc(0x40) is called, but up to 0x40000010
objects are effectively read from the packet and written into
memory.

Since the attacker controls both M and all other objects in the
packet, he can overwrite an arbitrary amount of memory with
chosen values, thus easily gaining control of the execution
flow.

The corresponding parsing code roughly translates into C as
follows:

---------------------------------------------------------
#include <stddef.h>

// read a VLD from input stream
// return 0 on error
int get_vld(unsigned int *);

// abort processing of the current packet
void fault(void);

// HeapAlloc is the advisory's shorthand for the client's heap allocator
// (the real Win32 call also takes a heap handle and flags)
void *HeapAlloc(size_t);

void parse_object_list(void)
{
        unsigned int object_counter;
        unsigned int i;
        unsigned int *tab_objects;

        // read object count (M)
        if (get_vld(&object_counter) == 0)
                fault();

        // allocate memory to store sub-objects
        // on a 32-bit client 4 * object_counter wraps for M > 0x3FFFFFFF,
        // so M = 0x40000010 requests only 0x40 bytes
        tab_objects = HeapAlloc(sizeof(unsigned int) * object_counter);
        if (tab_objects == NULL)
                fault();

        // read and store M sub-objects: the loop trusts M, not the
        // allocated size, and writes past the end of tab_objects
        for (i = 0; i < object_counter; i++)
        {
                if (get_vld(&tab_objects[i]) == 0)
                        fault();
        }

        return;
}
---------------------------------------------------------


Exploitation
============
We were able to design proof-of-concept exploitation code
targeting Windows XP SP2 and Linux clients using a single UDP
packet. Remote exploitation is also possible through TCP.

Due to favorable environmental conditions, this particular heap
overflow *is* also exploitable on heap-protected systems such
as Windows XP SP2 and some Linux distributions. This is
possible because Skype stores function pointers in the heap,
and those pointers can be overwritten by the overflow.


Detection
=========
As Skype uses encryption mechanisms, it seems difficult for any
IDS/IPS to be able to detect the offensive payload.


Solution
========
Skype has issued fixes. Details are available in their advisory:
http://www.skype.net/security/skype-sb-2005-03.html


Vendor response
===============
Skype advisory:
http://www.skype.com/security/skype-sb-2005-03.html

Disclosure timeline
===================
Oct 17 2005: EADS CRC contacted Skype Security Team
Oct 17 2005: Skype responded to EADS CRC
Oct 25 2005: new patched version available


Legal notices
=============
Copyright (c) 2005 EADS/CRC All rights reserved.

This EADS CRC Security Bulletin may be reproduced and
distributed, provided that the Bulletin is not modified in any
way, is attributed to EADS/CRC, and provided that reproduction
and distribution is performed for non-commercial purposes.

This EADS CRC Security Bulletin is provided to you on an "AS
IS" basis and may contain information provided by third
parties. EADS CRC makes no guarantees or warranties as to the
information contained herein.

ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT
LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED.

Contact
=======
dcrstic.ccr <.a.t.> eads.net

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


About Deloitte


Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss
Verein, its member firms and their respective subsidiaries and affiliates.
As a Swiss Verein (association), neither Deloitte Touche Tohmatsu nor any of
its member firms has any liability for each other's acts or omissions. Each
of the member firms is a separate and independent legal entity operating
under the names "Deloitte," "Deloitte & Touche," "Deloitte Touche Tohmatsu,"
or other related names. Services are provided by the member firms or their
subsidiaries or affiliates and not by the Deloitte Touche Tohmatsu Verein.


Deloitte & Touche USA LLP is the U.S. member firm of Deloitte Touche
Tohmatsu.  In the U.S., services are provided by the subsidiaries of
Deloitte & Touche USA LLP (Deloitte & Touche LLP, Deloitte Consulting LLP,
Deloitte Financial Advisory Services LLP, Deloitte Tax LLP and their
subsidiaries), and not by Deloitte & Touche USA LLP.



[v.I.1]


This message (including any attachments) contains confidential information
intended for a specific individual and purpose, and is protected by law.  If
you are not the intended recipient, you should delete this message.


Any disclosure, copying, or distribution of this message, or the taking of
any action based on it, is strictly prohibited. [v.E.1]
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
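A hardened version of the "M objects" allocation and read loop the advisory describes, added here as an example (this is not EADS/CRC's or Skype's code). Because the VLD encoding is not described, objects are a constructed fixed 4-byte little-endian integer; the names rd32, parse_objects, count_objects and the three sample packets are assumptions. The size check rejects the M=0x40000010 case before anything is allocated, and the length check rejects a packet that claims more objects than it carries.

```c
#include <stdint.h>
#include <stdlib.h>
/* Added example, not the advisory's code. Objects here are a constructed
 * fixed 4-byte little-endian integer standing in for Skype's VLD. */
/* Flawed 32-bit size computation 4*M; the cast models a 32-bit size_t,
 * so M = 0x40000010 yields 0x40. */
uint32_t unchecked_alloc_size(uint32_t count) {
    return (uint32_t)(sizeof(uint32_t) * count);
}

/* Hardened form: refuse any count whose product would wrap. */
int checked_alloc_size(uint32_t count, uint32_t *bytes) {
    if (count > UINT32_MAX / sizeof(uint32_t))
        return -1;
    *bytes = (uint32_t)(sizeof(uint32_t) * count);
    return 0;
}

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Parse "M, then M objects": reject a wrapping size AND a packet shorter
 * than M objects before allocating. Returns M or -1; caller frees *out. */
long parse_objects(const uint8_t *pkt, size_t len, uint32_t **out) {
    uint32_t count, bytes, i, *tab;
    if (len < 4 || checked_alloc_size(count = rd32(pkt), &bytes) != 0)
        return -1;                 /* 4*M would wrap: the HeapAlloc(0x40) case */
    if (bytes > len - 4)
        return -1;                 /* fewer objects present than claimed */
    if ((tab = malloc(bytes ? bytes : 1)) == NULL)
        return -1;
    for (i = 0; i < count; i++)
        tab[i] = rd32(pkt + 4 + 4 * (size_t)i);
    *out = tab;
    return (long)count;
}

/* Number of objects accepted from a packet, or -1 when rejected. */
long count_objects(const uint8_t *pkt, size_t len) {
    uint32_t *tab = NULL;
    long n = parse_objects(pkt, len, &tab);
    free(tab);
    return n;
}
/* Constructed packets: valid (M=3); M=0x40000010; M=5 carrying one object. */
const uint8_t GOOD_PKT[]  = {3,0,0,0, 0x11,0,0,0, 0x22,0,0,0, 0x33,0,0,0};
const uint8_t WRAP_PKT[]  = {0x10,0,0,0x40, 0,0,0,0};
const uint8_t SHORT_PKT[] = {5,0,0,0, 1,0,0,0};
```

On a 64-bit host the product would not wrap in size_t, which is why unchecked_alloc_size casts to uint32_t to reproduce the 32-bit client's behaviour.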
