Message-ID: <419A59EF.1030201@gmx.de>
Date: Tue, 16 Nov 2004 20:50:07 +0100
From: Fabian Becker <neonomicus@....de>
To: Berend-Jan Wever <skylined@...p.tudelft.nl>
Cc: bugtraq@...urityfocus.com, full-disclosure@...ts.netsys.com
Subject: Re: Skype callto:// BoF technical details


Berend-Jan Wever wrote:

>Skype reported they've found a remotely exploitable BoF in the callto:// URI handler. New version has been released.
>http://www.skype.com/products/skype/windows/changelog.html
>http://secunia.com/advisories/13191/
>
>Technical details:
>
>The buffer overflow happens when a Skype user clicks on a "callto://username" link with a username longer than 4096 characters that does not exist: An error message is created and put into a buffer without correct size checks. The error message and buffer are Unicode, but Unicode characters are filtered out and replaced with '?'. Only printable ASCII characters seem to get through. A return address can be overwritten as well as the SEH. Exploitation is complicated by the fact that return addresses have to be in range 0x00??00??.
>
>Web browsers like MSIE do not support URIs long enough to trigger the BoF. To exploit it, one could send a Skype user a callto:// link in a private message and trick him/her into clicking it.
>
>If one wanted to, one could write a Skype worm with this. User interaction would be required: they'd have to click the link.
>
>Cheers,
>SkyLined
They fixed it without knowing of the callto:// thing, I suppose, because I 
wrote them an email saying that the quick-call field is exploitable, 
too. This was fixed in the new version. Maybe your flaw is fixed, 
too; if not, I think it soon will be :)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
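The defect SkyLined describes is a classic one: an error string built from an untrusted URI component is formatted into a fixed-size buffer with no length check, and the character filter (non-printable bytes replaced with '?') changes the content but not the length, so it offers no protection. The following C program is an added illustration of that pattern and its fix; it is not Skype's code, and the buffer size, message template and function names are assumptions. The unchecked variant is shown only as the shape to recognise in review and is never executed; the checked variant computes the required length first and refuses input that would not fit.

```c
/* Added example: unchecked error-message formatting beside a length-checked
 * version. Not Skype's code; buffer size, message text and names are assumed. */
#include <stdio.h>
#include <string.h>

#define ERRBUF_SIZE 4096                    /* assumed fixed-size buffer */
#define ERR_FMT     "User %s does not exist" /* constructed message text */

/* Mirror the filtering the report describes: anything outside printable
 * ASCII becomes '?'. This does NOT shorten the input, so it provides no
 * protection against an over-long username. */
void sanitize_printable_ascii(char *s)
{
    for (; *s; s++)
        if ((unsigned char)*s < 0x20 || (unsigned char)*s > 0x7e)
            *s = '?';
}

/* Vulnerable pattern: sprintf has no idea how large 'buf' is, so a username
 * longer than the buffer overruns whatever sits after it on the stack.
 * Kept here as the pattern to spot in review; deliberately never called. */
void build_error_unchecked(char *buf, const char *username)
{
    sprintf(buf, ERR_FMT, username);
}

/* Does formatting 'username' with the template need 'bufsz' bytes or more
 * (i.e. more than fits including the terminating NUL)? Returns 1 if so. */
int message_would_overflow(const char *username, size_t bufsz)
{
    int needed = snprintf(NULL, 0, ERR_FMT, username);
    return needed < 0 || (size_t)needed >= bufsz;
}

/* Hardened version: measure first, then refuse oversized input outright.
 * Silent truncation would also stop the overflow, but the caller could not
 * tell the message was cut. Returns 0 on success, -1 if it would not fit;
 * 'buf' is always NUL-terminated on return. */
int build_error_checked(char *buf, size_t bufsz, const char *username)
{
    if (bufsz == 0)
        return -1;
    if (message_would_overflow(username, bufsz)) {
        buf[0] = '\0';
        return -1;
    }
    snprintf(buf, bufsz, ERR_FMT, username);
    return 0;
}

int main(void)
{
    /* Constructed input: a 4999-byte username with one control byte in it,
     * longer than the 4096-byte buffer, as in the report. */
    char name[5000];
    memset(name, 'A', sizeof name - 1);
    name[sizeof name - 1] = '\0';
    name[10] = '\x01';
    sanitize_printable_ascii(name);   /* the '\x01' becomes '?', length unchanged */

    char errbuf[ERRBUF_SIZE];
    printf("would overflow: %d\n", message_would_overflow(name, sizeof errbuf));
    printf("checked (long): %d\n", build_error_checked(errbuf, sizeof errbuf, name));
    printf("checked (short): %d -> \"%s\"\n",
           build_error_checked(errbuf, sizeof errbuf, "alice"), errbuf);
    return 0;
}
```

The point for a reviewer is the ordering in `build_error_checked`: the length is computed from the format and the untrusted argument before any byte is written, and the decision to reject is made on that number, not on the filtered content. A filter such as `sanitize_printable_ascii` belongs before the message is logged or displayed, but it is not a size check and should never be mistaken for one.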