Re: Skype callto:// BoF technical details

[Fabian Becker <neonomicus () gmx de>]

Berend-Jan Wever wrote:

> Skype reported they've found a remotely exploitable BoF in the callto:// URI handler. New version has been released.
> http://www.skype.com/products/skype/windows/changelog.html
> http://secunia.com/advisories/13191/
>
> Technical details:
>
> The bufferoverflow happens when a skype user clicks on a "callto://username" link with a username longer then 4096 characters 
> that does not exist: An error message is created and put into a buffer without correct size checks. The errormessage and buffer are unicode 
> but unicode characters are filtered out and replaced with '?'. Only printable ascii characters seem to get through. A return 
> address can be overwritten as well as the SEH. Exploitation is complicated by the fact that return addresses have to be in range 0x00??00??.
>
> Webbrowsers like MSIE do not support URI's long enough to trigger the BoF. To exploit it, one could send a skype user a 
> callto:// link in a private message and trick him/her into clicking it.
>
> If one would want to, one could write a skype worm with this. User interaction would be required: they'd have to click 
> the link.
>
> Cheers,
> SkyLined
>
>
>
>  
They fixed it without knowing of the callto:// thing I suppose cause I 
wrote them an email saying that the quick-call field is exploitable, 
too. This was fixed within the new version. Maybe your flaw is fixed, 
too, if not, I think it soon will be :)