Skype security advisory

2005.10.26
Credit: dcrstic.ccr <.a.t.> eads.net
Risk: Medium
Local: No
Remote: No
CVE: CVE-2005-3267
CWE: N/A


CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

Synopsis ======== The EADS/CRC security team discovered a flaw in Skype client. Skype is a P2P VoIP software that can bypass firewalls and NAT to connect to the Skype network. Skype is very popular because of its sound quality and ease of use. Skype client is available for Windows, Linux, Mac OS X, and PocketPC. A remotely exploitable flaw exists in the parser of packets. Exploitation is possible through a single UDP packet. Impact ====== An attacker can send a specially crafted packet that will trigger a heap overflow condition and execute arbitrary code on the target. Hence, an attacker can gain full control of the target. Conversely to what is written in Skype's advisory, remote code execution *is* possible. Affected Versions ================= Skype for Windows (including XP SP2 hosts): All releases prior to and including 1.4.*.83 Skype for Mac OS X: All releases prior to and including 1.3.*.16 Skype for Linux: All releases prior to and including 1.2.*.17 Skype for Pocket PC: All releases prior to and including 1.1.*.6 Description =========== Skype uses several data formats. Each format has its own specific parser. Note that data format will not be described here, for the sake of clarity. A specific encoding is used to store numbers, that will be referred as VLD (Variable Length Data) in this advisory. The data causing the overflow has the following format: ------------------------------------ | Object Counter* | M objects | | M (VLD) | (VLD) | ------------------------------------ * The first number in the packet is the amount of forthcoming objects. The amount of memory allocated by the parser is prone to an integer wrap-around. The allocated size is 4*M. Thus, the overflow occurs when M is greater than 0x40000000: e. g. when M=0x40000010, HeapAlloc(0x40) is called, but up to 0x40000010 objects are effectively read in the packet and written into memory. Since the attacker controls both M and all other objects in the packet, he can overwrite an arbitrary amount of memory with chosen values, thus easily gaining control of the execution flow. The corresponding parsing code roughly translates in C as following: --------------------------------------------------------- // read a VLD from input stream // return 0 on error int get_vld(unsigned int*); unsigned int object_counter; unsigned int i; unsigned int * tab_objects; // read object count (M) if (get_vld(&object_counter)==0) fault(); // allocate memory to store sub-objects tab_objects = HeapAlloc( sizeof(unsigned int) * object_counter ); if (tab_objects ==NULL) fault(); // read and store M sub-objects for (i=0;i<object_counter;i++) { if (get_vld(&tab_objects[i])==0) fault(); } return; --------------------------------------------------------- Exploitation ============ We were able to design a proof-of-concept exploitation code targeting Windows XP SP2 and Linux clients using a single UDP packet. Remote exploitation is also possible through TCP. Due to favorable environmental conditions, this particular heap overflow *is* also exploitable on heap-protected systems such as Windows XP SP2 and some Linux distributions. This is possible because Skype stores function pointers in the heap, and those pointers can be overwritten by the overflow. Detection ========= As Skype uses encryption mechanisms, it seems difficult for any IDS/IPS to be able to detect the offensive payload. Solution ======== Skype has issued fixes. Details are available in their advisory: http://www.skype.net/security/skype-sb-2005-03.html Vendor response =============== Skype advisory: http://www.skype.com/security/skype-sb-2005-03.html Disclosure timeline =================== Oct 17 2005: EADS CRC contacted Skype Security Team Oct 17 2005: Skype responded to EADS CRC Oct 25 2005: new patched version available Legal notices ============= Copyright (c) 2005 EADS/CRC All rights reserved. This EADS CRC Security Bulletin may be reproduced and distributed, provided that the Bulletin is not modified in any way, is attributed to EADS/CRC, and provided that reproduction and distribution is performed for non-commercial purposes. This EADS CRC Security Bulletin is provided to you on an "AS IS" basis and may contain information provided by third parties. EADS CRC makes no guarantees or warranties as to the information contained herein. ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. Contact ======= dcrstic.ccr <.a.t.> eads.net


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top