Message-ID: <006a01c5da7e$e55aba30$0100a8c0@nuclearwinter>
Date: Thu Oct 27 02:56:23 2005
From: sk at groundzero-security.com (sk)
Subject: Skype security advisory
I didn't test it myself, but since UDP is a connectionless protocol I suspect
it works without any user interaction.
- sk
http://www.groundzero-security.com
----- Original Message -----
From: "Brown, Bobby (US - Hermitage)" <bobbrown@...oitte.com>
To: <full-disclosure@...ts.grok.org.uk>
Sent: Wednesday, October 26, 2005 9:53 PM
Subject: RE: [Full-disclosure] Skype security advisory
> I have the question, can the exploit be performed with no interaction of the
> user other than having the program running waiting for a connection, or is it
> only valid after a user accepted a connection and then the flaw is
> exploited?
>
> BB
>
>
> -----Original Message-----
> From: full-disclosure-bounces@...ts.grok.org.uk
> [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of . EADS CCR
> DCR/STI/C
> Sent: Tuesday, October 25, 2005 12:17 PM
> To: full-disclosure@...ts.grok.org.uk; bugtraq@...urityfocus.com;
> vulndev@...urityfocus.com
> Subject: [Full-disclosure] Skype security advisory
>
> Synopsis
> ========
>
> The EADS/CRC security team discovered a flaw in Skype client.
>
> Skype is a P2P VoIP software that can bypass firewalls and NAT
> to connect to the Skype network. Skype is very popular because
> of its sound quality and ease of use.
>
> Skype client is available for Windows, Linux, Mac OS X, and
> PocketPC.
>
> A remotely exploitable flaw exists in the parser of packets.
> Exploitation is possible through a single UDP packet.
>
>
> Impact
> ======
>
> An attacker can send a specially crafted packet that will
> trigger a heap overflow condition and execute arbitrary code on
> the target. Hence, an attacker can gain full control of the
> target. Conversely to what is written in Skype's advisory,
> remote code execution *is* possible.
>
>
> Affected Versions
> =================
>
> Skype for Windows (including XP SP2 hosts):
> All releases prior to and including 1.4.*.83
>
> Skype for Mac OS X:
> All releases prior to and including 1.3.*.16
>
> Skype for Linux:
> All releases prior to and including 1.2.*.17
>
> Skype for Pocket PC:
> All releases prior to and including 1.1.*.6
>
>
> Description
> ===========
>
> Skype uses several data formats. Each format has its own
> specific parser. Note that data format will not be described
> here, for the sake of clarity. A specific encoding is used to
> store numbers, that will be referred as VLD (Variable Length
> Data) in this advisory.
>
> The data causing the overflow has the following format:
> ------------------------------------
> | Object Counter* | M objects |
> | M (VLD) | (VLD) |
> ------------------------------------
> * The first number in the packet is the amount of forthcoming
> objects.
>
> The amount of memory allocated by the parser is prone to an
> integer wrap-around. The allocated size is 4*M. Thus, the
> overflow occurs when M is greater than 0x40000000: e.g. when
> M=0x40000010, HeapAlloc(0x40) is called, but up to 0x40000010
> objects are effectively read in the packet and written into
> memory.
>
> Since the attacker controls both M and all other objects in the
> packet, he can overwrite an arbitrary amount of memory with
> chosen values, thus easily gaining control of the execution
> flow.
>
> The corresponding parsing code roughly translates in C as
> following:
>
> ---------------------------------------------------------
> #include <stddef.h>
>
> // read a VLD from input stream
> // return 0 on error
> int get_vld(unsigned int *);
> // abort parsing on malformed input
> void fault(void);
> // simplified, single-argument stand-in for the Win32 heap call
> void *HeapAlloc(size_t);
>
> void parse_objects(void)
> {
>     unsigned int object_counter;
>     unsigned int i;
>     unsigned int *tab_objects;
>
>     // read object count (M)
>     if (get_vld(&object_counter) == 0)
>         fault();
>
>     // allocate memory to store sub-objects: on 32-bit clients the
>     // product wraps once 4*M no longer fits in 32 bits, so far
>     // fewer than 4*M bytes are allocated
>     tab_objects = HeapAlloc(sizeof(unsigned int) * object_counter);
>     if (tab_objects == NULL)
>         fault();
>
>     // read and store M sub-objects: the loop trusts M, not the
>     // allocated size, and writes past the end of tab_objects
>     for (i = 0; i < object_counter; i++)
>     {
>         if (get_vld(&tab_objects[i]) == 0)
>             fault();
>     }
>
>     return;
> }
> ---------------------------------------------------------
>
>
> Exploitation
> ============
> We were able to design a proof-of-concept exploitation code
> targeting Windows XP SP2 and Linux clients using a single UDP
> packet. Remote exploitation is also possible through TCP.
>
> Due to favorable environmental conditions, this particular heap
> overflow *is* also exploitable on heap-protected systems such
> as Windows XP SP2 and some Linux distributions. This is
> possible because Skype stores function pointers in the heap,
> and those pointers can be overwritten by the overflow.
>
>
> Detection
> =========
> As Skype uses encryption mechanisms, it seems difficult for any
> IDS/IPS to be able to detect the offensive payload.
>
>
> Solution
> ========
> Skype has issued fixes. Details are available in their advisory:
> http://www.skype.net/security/skype-sb-2005-03.html
>
>
> Vendor response
> ===============
> Skype advisory:
> http://www.skype.com/security/skype-sb-2005-03.html
>
> Disclosure timeline
> ===================
> Oct 17 2005: EADS CRC contacted Skype Security Team
> Oct 17 2005: Skype responded to EADS CRC
> Oct 25 2005: new patched version available
>
>
> Legal notices
> =============
> Copyright (c) 2005 EADS/CRC All rights reserved.
>
> This EADS CRC Security Bulletin may be reproduced and
> distributed, provided that the Bulletin is not modified in any
> way, is attributed to EADS/CRC, and provided that reproduction
> and distribution is performed for non-commercial purposes.
>
> This EADS CRC Security Bulletin is provided to you on an "AS
> IS" basis and may contain information provided by third
> parties. EADS CRC makes no guarantees or warranties as to the
> information contained herein.
>
> ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT
> LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
> PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED.
>
> Contact
> =======
> dcrstic.ccr <.a.t.> eads.net
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
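The wrap-around the advisory's Description section walks through, as an added example that is not part of the thread or of Skype's code: the unchecked size computation beside the two checks a patched parser needs before trusting an attacker-supplied count M. The VLD encoding is not modelled; `remaining` is an assumed parameter (the unread bytes of the packet), and the example assumes only that an encoded object occupies at least one byte.

```c
/* Constructed example, not code from the advisory or from Skype.
 * It models only the allocation arithmetic the advisory describes
 * (allocated size = 4*M on a 32-bit client) and the checks a patched
 * parser needs before trusting an attacker-supplied count M. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define OBJ_SIZE 4u   /* sizeof(unsigned int) on the affected 32-bit clients */

enum parse_status { PARSE_OK, PARSE_SIZE_OVERFLOW, PARSE_TRUNCATED };

/* The unchecked size computation from the advisory, done in 32 bits so it
 * wraps the same way on any host: M = 0x40000010 yields 0x40 bytes. */
uint32_t unchecked_alloc_size(uint32_t m)
{
    return OBJ_SIZE * m;
}

/* Hardened: reject M before multiplying if 4*M cannot fit in 32 bits, and
 * reject counts larger than the unread payload (assumption: each encoded
 * object occupies at least one byte, so `remaining` bytes cannot hold
 * more than `remaining` objects). `remaining` is an assumed parameter. */
enum parse_status check_object_count(uint32_t m, size_t remaining,
                                     uint32_t *alloc_size)
{
    if (m > UINT32_MAX / OBJ_SIZE)
        return PARSE_SIZE_OVERFLOW;      /* product would have wrapped */
    if ((uint64_t)m > (uint64_t)remaining)
        return PARSE_TRUNCATED;          /* more objects claimed than bytes */
    *alloc_size = OBJ_SIZE * m;
    return PARSE_OK;
}

int main(void)
{
    uint32_t m = 0x40000010u, size = 0;   /* the advisory's example M */
    printf("unchecked: M=%#x -> alloc %#x bytes\n", m, unchecked_alloc_size(m));
    printf("checked:   M=%#x -> status %d (0=ok,1=overflow,2=truncated)\n",
           m, check_object_count(m, 1400, &size));
    printf("checked:   M=3 in 1400 bytes -> status %d, %u bytes\n",
           check_object_count(3, 1400, &size), size);
    return 0;
}
```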