| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: neonomicus at gmx.de (Fabian Becker) Subject: Re: Skype callto:// BoF technical details Berend-Jan Wever wrote: >Skype reported they've found a remotely exploitable BoF in the callto:// URI handler. New version has been released. >http://www.skype.com/products/skype/windows/changelog.html >http://secunia.com/advisories/13191/ > >Technical details: > >The bufferoverflow happens when a skype user clicks on a "callto://username" link with a username longer then 4096 characters that does not exist: An error message is created and put into a buffer without correct size checks. The errormessage and buffer are unicode but unicode characters are filtered out and replaced with '?'. Only printable ascii characters seem to get through. A return address can be overwritten as well as the SEH. Exploitation is complicated by the fact that return addresses have to be in range 0x00??00??. > >Webbrowsers like MSIE do not support URI's long enough to trigger the BoF. To exploit it, one could send a skype user a callto:// link in a private message and trick him/her into clicking it. > >If one would want to, one could write a skype worm with this. User interaction would be required: they'd have to click the link. > >Cheers, >SkyLined > > > > > They fixed it without knowing of the callto:// thing I suppose cause I wrote them an email saying that the quick-call field is exploitable, too. This was fixed within the new version. Maybe your flaw is fixed, too, if not, I think it soon will be :)
Powered by blists - more mailing lists