lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <001c01c4cbed$254a23c0$0100a8c0@grotedoos>
Date: Tue, 16 Nov 2004 16:01:19 +0100
From: "Berend-Jan Wever" <skylined@...p.tudelft.nl>
To: <bugtraq@...urityfocus.com>, <full-disclosure@...ts.netsys.com>
Subject: Skype callto:// BoF technical details


Skype reported they've found a remotely exploitable BoF in the callto:// URI handler. New version has been released.
http://www.skype.com/products/skype/windows/changelog.html
http://secunia.com/advisories/13191/

Technical details:

The bufferoverflow happens when a skype user clicks on a "callto://username" link with a username longer then 4096 characters that does not exist: An error message is created and put into a buffer without correct size checks. The errormessage and buffer are unicode but unicode characters are filtered out and replaced with '?'. Only printable ascii characters seem to get through. A return address can be overwritten as well as the SEH. Exploitation is complicated by the fact that return addresses have to be in range 0x00??00??.

Webbrowsers like MSIE do not support URI's long enough to trigger the BoF. To exploit it, one could send a skype user a callto:// link in a private message and trick him/her into clicking it.

If one would want to, one could write a skype worm with this. User interaction would be required: they'd have to click the link.

Cheers,
SkyLined




Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ