Synopsis
========
The EADS/CRC security team discovered a flaw in Skype client.
Skype is a P2P VoIP software that can bypass firewalls and NAT
to connect to the Skype network. Skype is very popular because
of its sound quality and ease of use.
Skype client is available for Windows, Linux, Mac OS X, and
PocketPC.
A remotely exploitable flaw exists in the parser of packets.
Exploitation is possible through a single UDP packet.
Impact
======
An attacker can send a specially crafted packet that will
trigger a heap overflow condition and execute arbitrary code on
the target. Hence, an attacker can gain full control of the
target. Conversely to what is written in Skype's advisory,
remote code execution *is* possible.
Affected Versions
=================
Skype for Windows (including XP SP2 hosts):
All releases prior to and including 1.4.*.83
Skype for Mac OS X:
All releases prior to and including 1.3.*.16
Skype for Linux:
All releases prior to and including 1.2.*.17
Skype for Pocket PC:
All releases prior to and including 1.1.*.6
Description
===========
Skype uses several data formats. Each format has its own
specific parser. Note that data format will not be described
here, for the sake of clarity. A specific encoding is used to
store numbers, that will be referred as VLD (Variable Length
Data) in this advisory.
The data causing the overflow has the following format:
------------------------------------
| Object Counter* | M objects |
| M (VLD) | (VLD) |
------------------------------------
* The first number in the packet is the amount of forthcoming
objects.
The amount of memory allocated by the parser is prone to an
integer wrap-around. The allocated size is 4*M. Thus, the
overflow occurs when M is greater than 0x40000000: e. g. when
M=0x40000010, HeapAlloc(0x40) is called, but up to 0x40000010
objects are effectively read in the packet and written into
memory.
Since the attacker controls both M and all other objects in the
packet, he can overwrite an arbitrary amount of memory with
chosen values, thus easily gaining control of the execution
flow.
The corresponding parsing code roughly translates in C as
following:
---------------------------------------------------------
// read a VLD from input stream
// return 0 on error
int get_vld(unsigned int*);
unsigned int object_counter;
unsigned int i;
unsigned int * tab_objects;
// read object count (M)
if (get_vld(&object_counter)==0)
fault();
// allocate memory to store sub-objects
tab_objects = HeapAlloc( sizeof(unsigned int) * object_counter );
if (tab_objects ==NULL)
fault();
// read and store M sub-objects
for (i=0;i<object_counter;i++)
{
if (get_vld(&tab_objects[i])==0)
fault();
}
return;
---------------------------------------------------------
Exploitation
============
We were able to design a proof-of-concept exploitation code
targeting Windows XP SP2 and Linux clients using a single UDP
packet. Remote exploitation is also possible through TCP.
Due to favorable environmental conditions, this particular heap
overflow *is* also exploitable on heap-protected systems such
as Windows XP SP2 and some Linux distributions. This is
possible because Skype stores function pointers in the heap,
and those pointers can be overwritten by the overflow.
Detection
=========
As Skype uses encryption mechanisms, it seems difficult for any
IDS/IPS to be able to detect the offensive payload.
Solution
========
Skype has issued fixes. Details are available in their advisory:
http://www.skype.net/security/skype-sb-2005-03.html
Vendor response
===============
Skype advisory:
http://www.skype.com/security/skype-sb-2005-03.html
Disclosure timeline
===================
Oct 17 2005: EADS CRC contacted Skype Security Team
Oct 17 2005: Skype responded to EADS CRC
Oct 25 2005: new patched version available
Legal notices
=============
Copyright (c) 2005 EADS/CRC All rights reserved.
This EADS CRC Security Bulletin may be reproduced and
distributed, provided that the Bulletin is not modified in any
way, is attributed to EADS/CRC, and provided that reproduction
and distribution is performed for non-commercial purposes.
This EADS CRC Security Bulletin is provided to you on an "AS
IS" basis and may contain information provided by third
parties. EADS CRC makes no guarantees or warranties as to the
information contained herein.
ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT
LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED.
Contact
=======
dcrstic.ccr <.a.t.> eads.net