Re: Skype callto:// BoF technical details
From: Berend-Jan Wever (skylined_at_edup.tudelft.nl)
To: "Fabian Becker" <firstname.lastname@example.org> Date: Tue, 16 Nov 2004 21:35:44 +0100
It is the same bug as far as I know.
----- Original Message -----
From: "Fabian Becker" <email@example.com>
To: "Berend-Jan Wever" <firstname.lastname@example.org>
Cc: <email@example.com>; <firstname.lastname@example.org>
Sent: Tuesday, November 16, 2004 20:50
Subject: Re: Skype callto:// BoF technical details
> Berend-Jan Wever wrote:
> >Skype reported they've found a remotely exploitable BoF in the callto:// URI handler. New version has been released.
> >Technical details:
> >The bufferoverflow happens when a skype user clicks on a "callto://username" link with a username longer then 4096 characters that does not exist: An error message is created and put into a buffer without correct size checks. The errormessage and buffer are unicode but unicode characters are filtered out and replaced with '?'. Only printable ascii characters seem to get through. A return address can be overwritten as well as the SEH. Exploitation is complicated by the fact that return addresses have to be in range 0x00??00??.
> >Webbrowsers like MSIE do not support URI's long enough to trigger the BoF. To exploit it, one could send a skype user a callto:// link in a private message and trick him/her into clicking it.
> >If one would want to, one could write a skype worm with this. User interaction would be required: they'd have to click the link.
> They fixed it without knowing of the callto:// thing I suppose cause I
> wrote them an email saying that the quick-call field is exploitable,
> too. This was fixed within the new version. Maybe your flaw is fixed,
> too, if not, I think it soon will be :)