Full Disclosure mailing list archives
Re: Skype security advisory
From: "sk" <sk () groundzero-security com>
Date: Thu, 27 Oct 2005 00:44:56 +0200
i didnt test it myself, but since UDP is a connectionless protocol i suspect it works without any user interaction. - sk http://www.groundzero-security.com ----- Original Message ----- From: "Brown, Bobby (US - Hermitage)" <bobbrown () deloitte com> To: <full-disclosure () lists grok org uk> Sent: Wednesday, October 26, 2005 9:53 PM Subject: RE: [Full-disclosure] Skype security advisory
I have the question, can the exploit be perform with no interaction of the
user other than having the program running waiting for a connection or is it only valid after a user accepted a connection and then the flaw is exploited?
BB -----Original Message----- From: full-disclosure-bounces () lists grok org uk
[mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of . EADS CCR DCR/STI/C
Sent: Tuesday, October 25, 2005 12:17 PM To: full-disclosure () lists grok org uk; bugtraq () securityfocus com;
vulndev () securityfocus com
Subject: [Full-disclosure] Skype security advisory Synopsis ======== The EADS/CRC security team discovered a flaw in Skype client. Skype is a P2P VoIP software that can bypass firewalls and NAT to connect to the Skype network. Skype is very popular because of its sound quality and ease of use. Skype client is available for Windows, Linux, Mac OS X, and PocketPC. A remotely exploitable flaw exists in the parser of packets. Exploitation is possible through a single UDP packet. Impact ====== An attacker can send a specially crafted packet that will trigger a heap overflow condition and execute arbitrary code on the target. Hence, an attacker can gain full control of the target. Conversely to what is written in Skype's advisory, remote code execution *is* possible. Affected Versions ================= Skype for Windows (including XP SP2 hosts): All releases prior to and including 1.4.*.83 Skype for Mac OS X: All releases prior to and including 1.3.*.16 Skype for Linux: All releases prior to and including 1.2.*.17 Skype for Pocket PC: All releases prior to and including 1.1.*.6 Description =========== Skype uses several data formats. Each format has its own specific parser. Note that data format will not be described here, for the sake of clarity. A specific encoding is used to store numbers, that will be referred as VLD (Variable Length Data) in this advisory. The data causing the overflow has the following format: ------------------------------------ | Object Counter* | M objects | | M (VLD) | (VLD) | ------------------------------------ * The first number in the packet is the amount of forthcoming objects. The amount of memory allocated by the parser is prone to an integer wrap-around. The allocated size is 4*M. Thus, the overflow occurs when M is greater than 0x40000000: e. g. when M=0x40000010, HeapAlloc(0x40) is called, but up to 0x40000010 objects are effectively read in the packet and written into memory. Since the attacker controls both M and all other objects in the packet, he can overwrite an arbitrary amount of memory with chosen values, thus easily gaining control of the execution flow. The corresponding parsing code roughly translates in C as following: --------------------------------------------------------- // read a VLD from input stream // return 0 on error int get_vld(unsigned int*); unsigned int object_counter; unsigned int i; unsigned int * tab_objects; // read object count (M) if (get_vld(&object_counter)==0) fault(); // allocate memory to store sub-objects tab_objects = HeapAlloc( sizeof(unsigned int) * object_counter ); if (tab_objects ==NULL) fault(); // read and store M sub-objects for (i=0;i<object_counter;i++) { if (get_vld(&tab_objects[i])==0) fault(); } return; --------------------------------------------------------- Exploitation ============ We were able to design a proof-of-concept exploitation code targeting Windows XP SP2 and Linux clients using a single UDP packet. Remote exploitation is also possible through TCP. Due to favorable environmental conditions, this particular heap overflow *is* also exploitable on heap-protected systems such as Windows XP SP2 and some Linux distributions. This is possible because Skype stores function pointers in the heap, and those pointers can be overwritten by the overflow. Detection ========= As Skype uses encryption mechanisms, it seems difficult for any IDS/IPS to be able to detect the offensive payload. Solution ======== Skype has issued fixes. Details are available in their advisory: http://www.skype.net/security/skype-sb-2005-03.html Vendor response =============== Skype advisory: http://www.skype.com/security/skype-sb-2005-03.html Disclosure timeline =================== Oct 17 2005: EADS CRC contacted Skype Security Team Oct 17 2005: Skype responded to EADS CRC Oct 25 2005: new patched version available Legal notices ============= Copyright (c) 2005 EADS/CRC All rights reserved. This EADS CRC Security Bulletin may be reproduced and distributed, provided that the Bulletin is not modified in any way, is attributed to EADS/CRC, and provided that reproduction and distribution is performed for non-commercial purposes. This EADS CRC Security Bulletin is provided to you on an "AS IS" basis and may contain information provided by third parties. EADS CRC makes no guarantees or warranties as to the information contained herein. ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. Contact ======= dcrstic.ccr <.a.t.> eads.net _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ About Deloitte Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss
Verein, its member firms and their respective subsidiaries and affiliates. As a Swiss Verein (association), neither Deloitte Touche Tohmatsu nor any of its member firms has any liability for each other's acts or omissions. Each of the member firms is a separate and independent legal entity operating under the names "Deloitte," "Deloitte & Touche," "Deloitte Touche Tohmatsu," or other related names. Services are provided by the member firms or their subsidiaries or affiliates and not by the Deloitte Touche Tohmatsu Verein.
Deloitte & Touche USA LLP is the U.S. member firm of Deloitte Touche
Tohmatsu. In the U.S., services are provided by the subsidiaries of Deloitte & Touche USA LLP (Deloitte & Touche LLP, Deloitte Consulting LLP, Deloitte Financial Advisory Services LLP, Deloitte Tax LLP and their subsidiaries), and not by Deloitte & Touche USA LLP.
[v.I.1] This message (including any attachments) contains confidential information
intended for a specific individual and purpose, and is protected by law. If you are not the intended recipient, you should delete this message.
Any disclosure, copying, or distribution of this message, or the taking of
any action based on it, is strictly prohibited. [v.E.1]
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Skype security advisory . EADS CCR DCR/STI/C (Oct 25)
- <Possible follow-ups>
- RE: Skype security advisory Brown, Bobby (US - Hermitage) (Oct 26)
- Re: Skype security advisory sk (Oct 26)
- RE: Skype security advisory . EADS CCR DCR/STI/C (Oct 27)