RE: [Full-disclosure] Skype security advisory

From: Brown, Bobby (US - Hermitage) (bobbrown_at_deloitte.com)
Date: 10/26/05

    Date: Wed, 26 Oct 2005 14:53:10 -0500
    To: <full-disclosure@lists.grok.org.uk>

    I have a question: can the exploit be performed with no interaction from the user other than having the program running and waiting for a connection, or is it only valid after a user has accepted a connection and then the flaw is exploited?

    BB

    -----Original Message-----
    From: full-disclosure-bounces@lists.grok.org.uk [mailto:full-disclosure-bounces@lists.grok.org.uk] On Behalf Of . EADS CCR DCR/STI/C
    Sent: Tuesday, October 25, 2005 12:17 PM
    To: full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com; vulndev@securityfocus.com
    Subject: [Full-disclosure] Skype security advisory

    Synopsis
    ========
     
    The EADS/CRC security team discovered a flaw in the Skype client.

    Skype is a P2P VoIP software that can bypass firewalls and NAT
    to connect to the Skype network. Skype is very popular because
    of its sound quality and ease of use.

    The Skype client is available for Windows, Linux, Mac OS X, and
    PocketPC.

    A remotely exploitable flaw exists in the parser of packets.
    Exploitation is possible through a single UDP packet.

    Impact
    ======
     
    An attacker can send a specially crafted packet that will
    trigger a heap overflow condition and execute arbitrary code on
    the target. Hence, an attacker can gain full control of the
    target. Contrary to what is written in Skype's advisory,
    remote code execution *is* possible.

    Affected Versions
    =================
     
    Skype for Windows (including XP SP2 hosts):
    All releases prior to and including 1.4.*.83
     
    Skype for Mac OS X:
    All releases prior to and including 1.3.*.16
     
    Skype for Linux:
    All releases prior to and including 1.2.*.17
     
    Skype for Pocket PC:
    All releases prior to and including 1.1.*.6
     

    Description
    ===========
     
    Skype uses several data formats. Each format has its own
    specific parser. Note that the data formats will not be described
    here, for the sake of clarity. A specific encoding is used to
    store numbers, which will be referred to as VLD (Variable Length
    Data) in this advisory.

    The data causing the overflow has the following format:
    ------------------------------------
    | Object Counter* | M objects      |
    |     M (VLD)     | (VLD each)     |
    ------------------------------------
    * The first number in the packet is the amount of forthcoming
    objects.
     
    The amount of memory allocated by the parser is prone to an
    integer wrap-around. The allocated size is 4*M. Thus, the
    overflow occurs when M is greater than 0x40000000: e.g. when
    M=0x40000010, HeapAlloc(0x40) is called, but up to 0x40000010
    objects are effectively read from the packet and written into
    memory.

    Since the attacker controls both M and all other objects in the
    packet, he can overwrite an arbitrary amount of memory with
    chosen values, thus easily gaining control of the execution
    flow.

    The corresponding parsing code roughly translates into C as
    follows:
     
    ---------------------------------------------------------
    #include <stddef.h>

    // read a VLD from the input stream; return 0 on error
    int get_vld(unsigned int *);
    // abort parsing on a malformed packet
    void fault(void);
    // simplified allocator: only the byte count is shown here
    void *HeapAlloc(size_t);

    void parse_objects(void)
    {
            unsigned int object_counter;
            unsigned int i;
            unsigned int *tab_objects;

            // read object count (M)
            if (get_vld(&object_counter) == 0)
                    fault();

            // allocate memory to store sub-objects
            // BUG: sizeof(unsigned int) * object_counter is a 32-bit
            // product; once 4*M no longer fits it wraps, so the buffer
            // is far smaller than the M entries written below
            tab_objects = HeapAlloc(sizeof(unsigned int) * object_counter);
            if (tab_objects == NULL)
                    fault();

            // read and store M sub-objects
            for (i = 0; i < object_counter; i++) {
                    if (get_vld(&tab_objects[i]) == 0)
                            fault();
            }
    }
    ---------------------------------------------------------

    Exploitation
    ============
    We were able to design a proof-of-concept exploitation code
    targeting Windows XP SP2 and Linux clients using a single UDP
    packet. Remote exploitation is also possible through TCP.

    Due to favorable environmental conditions, this particular heap
    overflow *is* also exploitable on heap-protected systems such
    as Windows XP SP2 and some Linux distributions. This is
    possible because Skype stores function pointers in the heap,
    and those pointers can be overwritten by the overflow.
     
     
    Detection
    =========
    As Skype uses encryption mechanisms, it seems difficult for any
    IDS/IPS to be able to detect the offensive payload.

     
    Solution
    ========
    Skype has issued fixes. Details are available in their advisory:
    http://www.skype.net/security/skype-sb-2005-03.html
     
     
    Vendor response
    ===============
    Skype advisory:
    http://www.skype.com/security/skype-sb-2005-03.html

    Disclosure timeline
    ===================
    Oct 17 2005: EADS CRC contacted Skype Security Team
    Oct 17 2005: Skype responded to EADS CRC
    Oct 25 2005: new patched version available
     
     
    Legal notices
    =============
    Copyright (c) 2005 EADS/CRC All rights reserved.
     
    This EADS CRC Security Bulletin may be reproduced and
    distributed, provided that the Bulletin is not modified in any
    way, is attributed to EADS/CRC, and provided that reproduction
    and distribution is performed for non-commercial purposes.
     
    This EADS CRC Security Bulletin is provided to you on an "AS
    IS" basis and may contain information provided by third
    parties. EADS CRC makes no guarantees or warranties as to the
    information contained herein.

    ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT
    LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
    PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED.
     
    Contact
    =======
    dcrstic.ccr <.a.t.> eads.net

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/

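The allocation-size wrap-around described in the quoted advisory, shown beside the checks a hardened parser would apply. This is an added illustration, not code from EADS/CRC, Skype, or anyone in the thread: the real VLD encoding is not documented in the advisory, so a base-128 varint is assumed as a stand-in; `HeapAlloc` is replaced by `calloc`; and the two packets are constructed samples, not captured traffic. The hardened parser rejects a count whose 4*M product would wrap and, independently, a count larger than the number of bytes left in the packet, since every VLD occupies at least one byte.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Assumed stand-in for Skype's VLD encoding (the advisory does not
 * describe the real one): base-128 varint, 7 bits per byte, low bits
 * first, high bit set on every byte except the last. Returns 1 on
 * success, 0 if the input is truncated or over-long. */
static int get_vld(const uint8_t **p, const uint8_t *end, uint32_t *out)
{
    uint32_t value = 0;
    unsigned shift = 0;
    while (*p < end && shift < 32) {
        uint8_t b = *(*p)++;
        value |= (uint32_t)(b & 0x7f) << shift;
        if (!(b & 0x80)) {
            *out = value;
            return 1;
        }
        shift += 7;
    }
    return 0;
}

/* The size computation as the advisory describes it: 4*M in 32-bit
 * unsigned arithmetic, so M=0x40000010 yields a 0x40-byte request
 * while M entries are later written into it. */
uint32_t vulnerable_alloc_size(uint32_t m)
{
    return (uint32_t)4 * m;   /* wraps modulo 2^32 */
}

/* Hardened parser. Returns the number of objects parsed and stores
 * a calloc'd array in *objects_out (NULL when the count is zero), or
 * returns -1 on a malformed packet without allocating anything. */
long parse_objects_safe(const uint8_t *pkt, size_t len, uint32_t **objects_out)
{
    const uint8_t *p = pkt, *end = pkt + len;
    uint32_t m;
    *objects_out = NULL;

    if (!get_vld(&p, end, &m))
        return -1;
    /* 4*M must fit in size_t; on the 32-bit build the advisory
     * targets this bound is 0x3FFFFFFF. */
    if (m > SIZE_MAX / sizeof(uint32_t))
        return -1;
    /* Each VLD is at least one byte, so M cannot exceed the bytes
     * remaining. This also bounds the allocation by the packet size. */
    if (m > (size_t)(end - p))
        return -1;
    if (m == 0)
        return 0;

    uint32_t *tab = calloc(m, sizeof *tab);
    if (tab == NULL)
        return -1;
    for (uint32_t i = 0; i < m; i++) {
        if (!get_vld(&p, end, &tab[i])) {
            free(tab);
            return -1;
        }
    }
    *objects_out = tab;
    return (long)m;
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t GOOD_PKT[] = { 0x03, 0x05, 0x80, 0x01, 0x7f }; /* M=3: 5, 128, 127 */
static const uint8_t WRAP_PKT[] = { 0x90, 0x80, 0x80, 0x80, 0x04,   /* M=0x40000010 */
                                    0x00, 0x00, 0x00, 0x00 };       /* only 4 bytes follow */

/* Parses GOOD_PKT; returns 3 when the three values come back intact. */
long demo_good(void)
{
    uint32_t *objs;
    long n = parse_objects_safe(GOOD_PKT, sizeof GOOD_PKT, &objs);
    long ok = (n == 3 && objs[0] == 5 && objs[1] == 128 && objs[2] == 127) ? n : -2;
    free(objs);
    return ok;
}

/* Parses WRAP_PKT; the hardened parser rejects it with -1. */
long demo_wrap(void)
{
    uint32_t *objs;
    return parse_objects_safe(WRAP_PKT, sizeof WRAP_PKT, &objs);
}

int main(void)
{
    printf("4*M for M=0x40000010 in 32 bits: 0x%x\n", vulnerable_alloc_size(0x40000010u));
    printf("well-formed packet: %ld objects\n", demo_good());
    printf("packet claiming 0x40000010 objects: %ld (rejected)\n", demo_wrap());
    return 0;
}
```

The byte-count bound is the check worth copying: it is cheap, it does not depend on the width of `size_t`, and it rejects the malicious count before any allocation happens, which is the behaviour a fuzzing harness or a network-facing parser review should expect to see.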

