lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20040610004645.12250.qmail@www.securityfocus.com>
Date: 10 Jun 2004 00:46:45 -0000
From: Hillel Himovich <hll@...vision.net.il>
To: bugtraq@...urityfocus.com
Subject: Skype URI callto username overflow




Here is a cute little URI I found crashing skype on it's latest version (0.98.0.04).
It's proboby a buffer overflow of some sort, so, a special crafted URI culd potentionally lead to remote code execution.
(would probobly be extreamly hard doing it threw a URI, but still an option)

callto://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/

If you really really want this not to happend to you, u shuld remove the reffering registry entrance to "callto://" in URI's

Regards,
Hillel Himovich
"HLL"
HLL@...vision.net.il


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ