[Full-disclosure] Skype v5.6.59.x - Memory Corruption Vulnerability



Title:
======
Skype v5.6.59.x - Memory Corruption Vulnerability


Date:
=====
2012-02-17


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=315


VL-ID:
=====
315


Introduction:
=============
Skype is a software application that allows users to make voice and video calls and chats over the Internet. Calls to other users within the
Skype service are free, while calls to both traditional landline telephones and mobile phones can be made for a fee using a debit-based
user account system. Skype has also become popular for its additional features which include instant messaging, file transfer, and
videoconferencing. Skype has 663 million registered users as of 2010. The network is operated by Skype Limited, which has its headquarters
in Luxembourg. Most of the development team and 44% of the overall employees of Skype are situated in the offices of Tallinn and Tartu, Estonia.

(Copy of the Vendor Homepage: http://en.wikipedia.org/wiki/Skype)


Abstract:
=========
The Vulnerability-Lab Team discovered a remote memory corruption vulnerability on Skypes v5.6.59.x for x64 Windows7 Acer Aspire 5738.


Report-Timeline:
================
2011-11-07: Vendor Notification
2011-11-09: Vendor Response/Feedback
2011-**-**: Vendor Fix/Patch
2012-02-17: Public or Non-Public Disclosure


Status:
========
Published


Exploitation-Technique:
=======================
Remote


Severity:
=========
High


Details:
========
A memory corruption vulnerability is detected on the windows client v5.6.59.10 (x64) of the skype software. The bug is located in
the software when processing special crafted transfers/communication processes from a linux v2.2.0.35(Beta) client to a
windows v5.6.59.10 client. The vulnerability allows the linux client user to crash the windows client on the remote way via freeze
when transfering. The execution of code is not possible via violation (read/write). The bug is only exploitable on Acer Aspire 5738
with Intel(R) Core(TM)2 Duo & windows 7 x64.

Vulnerable Module(s):
[+] File Transfer Linux v2.2.0.35(Beta) to Windows v5.6.59.10 Client

Verified on OS:
[+] Windows 7 - x64

Typus:
[+] Acer Aspire 5738

Processor:
[+] Intel(R) Core(TM)2 Duo - T6600 - 2x2.2 GHz

Affected OS version(s):
[+] Windows v5.6.59.10

Exploited via:
[+] Skype Linux v2.2.0.35(Beta)



--- Error Logs ---
Version=1
EventType=APPCRASH
EventTime=129649895429022825
ReportType=2
Consent=1
ReportIdentifier=d7d69494-07d7-11e1-be65-d0195a352fda
IntegratorReportIdentifier=d7d69493-07d7-11e1-be65-d0195a352fda
WOW64=1
Response.type=4
Sig[0].Name=Anwendungsname
Sig[0].Value=Skype.exe
Sig[1].Name=Anwendungsversion
Sig[1].Value=5.6.59.110
Sig[2].Name=Anwendungszeitstempel
Sig[2].Value=4e96c2e0
Sig[3].Name=Fehlermodulname
Sig[3].Value=Skype.exe
Sig[4].Name=Fehlermodulversion
Sig[4].Value=5.6.59.110
Sig[5].Name=Fehlermodulzeitstempel
Sig[5].Value=4e96c2e0
Sig[6].Name=Ausnahmecode
Sig[6].Value=c0000005
Sig[7].Name=Ausnahmeoffset
Sig[7].Value=00006042
DynamicSig[1].Name=Betriebsystemversion
DynamicSig[1].Value=6.1.7601.2.1.0.768.3
DynamicSig[2].Name=Gebietsschema-ID
DynamicSig[2].Value=1031
DynamicSig[22].Name=Zusatzinformation 1
DynamicSig[22].Value=aaf0
DynamicSig[23].Name=Zusatzinformation 2
DynamicSig[23].Value=aaf0453a0e76af1ce0b9b95636592246
DynamicSig[24].Name=Zusatzinformation 3
DynamicSig[24].Value=efcb
DynamicSig[25].Name=Zusatzinformation 4
DynamicSig[25].Value=efcb736472e70e914b41ac4f1d53e9e7
UI[2]=C:\Program Files (x86)\Skype\Phone\Skype.exe
UI[3]=Skype funktioniert nicht mehr
UI[4]=Windows kann online nach einer Lösung für das Problem suchen.
UI[5]=Online nach einer Lösung suchen und das Programm schließen
UI[6]=Später online nach einer Lösung suchen und das Programm schließen
UI[7]=Programm schließen
LoadedModule[0]=C:\Program Files (x86)\Skype\Phone\Skype.exe
LoadedModule[1]=C:\Windows\SysWOW64\ntdll.dll
LoadedModule[2]=C:\Windows\syswow64\kernel32.dll
LoadedModule[3]=C:\Windows\syswow64\KERNELBASE.dll
LoadedModule[4]=C:\Windows\syswow64\oleaut32.dll
... ... ... ...
LoadedModule[180]=C:\Windows\system32\wpdshext.dll
LoadedModule[181]=C:\Windows\system32\IconCodecService.dll
LoadedModule[182]=C:\Windows\SysWOW64\PhotoMetadataHandler.dll
LoadedModule[183]=C:\Windows\system32\dbghelp.dll
FriendlyEventName=Nicht mehr funktionsfähig
ConsentKey=APPCRASH
AppName=Skype
AppPath=C:\Program Files (x86)\Skype\Phone\Skype.exe
----------
Version=1
EventType=APPCRASH
EventTime=129685086822704807
ReportType=2
Consent=1
ReportIdentifier=7a5bbde2-27d9-11e1-9554-bcffd2dbaec5
IntegratorReportIdentifier=7a5bbde1-27d9-11e1-9554-bcffd2dbaec5
WOW64=1
Response.type=4
Sig[0].Name=Anwendungsname
Sig[0].Value=Skype.exe
Sig[1].Name=Anwendungsversion
Sig[1].Value=5.6.59.110
Sig[2].Name=Anwendungszeitstempel
Sig[2].Value=4e96c2e0
Sig[3].Name=Fehlermodulname
Sig[3].Value=KERNELBASE.dll
Sig[4].Name=Fehlermodulversion
Sig[4].Value=6.1.7601.17651
Sig[5].Name=Fehlermodulzeitstempel
Sig[5].Value=4e211319
Sig[6].Name=Ausnahmecode
Sig[6].Value=0eedfade
Sig[7].Name=Ausnahmeoffset
Sig[7].Value=0000b9bc
DynamicSig[1].Name=Betriebsystemversion
DynamicSig[1].Value=6.1.7601.2.1.0.768.3
DynamicSig[2].Name=Gebietsschema-ID
DynamicSig[2].Value=1031
DynamicSig[22].Name=Zusatzinformation 1
DynamicSig[22].Value=9c3f
DynamicSig[23].Name=Zusatzinformation 2
DynamicSig[23].Value=9c3f13414b612a2f01f04d72e638661d
DynamicSig[24].Name=Zusatzinformation 3
DynamicSig[24].Value=9593
DynamicSig[25].Name=Zusatzinformation 4
DynamicSig[25].Value=9593e76fac7cc42272b758abf7e20813
UI[2]=C:\Program Files (x86)\Skype\Phone\Skype.exe
UI[3]=Skype funktioniert nicht mehr
UI[4]=Windows kann online nach einer Lösung für das Problem suchen.
UI[5]=Online nach einer Lösung suchen und das Programm schließen
UI[6]=Später online nach einer Lösung suchen und das Programm schließen
UI[7]=Programm schließen
... ... ... ...
LoadedModule[151]=C:\Windows\system32\midimap.dll
LoadedModule[152]=C:\Windows\system32\windowscodecsext.dll
LoadedModule[153]=C:\Windows\System32\msxml6.dll
LoadedModule[154]=C:\Windows\system32\RICHED20.DLL
FriendlyEventName=Nicht mehr funktionsfähig
ConsentKey=APPCRASH
AppName=Skype
AppPath=C:\Program Files (x86)\Skype\Phone\Skype.exe
----------
Version=1
EventType=AppHangB1
EventTime=129654326637535437
ReportType=3
Consent=1
UploadTime=129654326746731683
ReportIdentifier=906ac8aa-0bdf-11e1-a657-b0833c3dd7a7
IntegratorReportIdentifier=906ac8ab-0bdf-11e1-a657-b0833c3dd7a7
WOW64=1
Response.type=4
Sig[0].Name=Anwendungsname
Sig[0].Value=Skype.exe
Sig[1].Name=Anwendungsversion
Sig[1].Value=5.6.59.110
Sig[2].Name=Anwendungszeitstempel
Sig[2].Value=4e96c2e0
Sig[3].Name=Absturzsignatur
Sig[3].Value=b5a1
Sig[4].Name=Absturztyp
Sig[4].Value=0
DynamicSig[1].Name=Betriebsystemversion
DynamicSig[1].Value=6.1.7601.2.1.0.768.3
DynamicSig[2].Name=Gebietsschema-ID
DynamicSig[2].Value=1031
DynamicSig[22].Name=Zusätzliche Absturzsignatur 1
DynamicSig[22].Value=b5a13949296de5a80b34b6b3ed655f0d
DynamicSig[23].Name=Zusätzliche Absturzsignatur 2
DynamicSig[23].Value=7686
DynamicSig[24].Name=Zusätzliche Absturzsignatur 3
DynamicSig[24].Value=7686072c74c9a617ba4768ad2d5f43fa
DynamicSig[25].Name=Zusätzliche Absturzsignatur 4
DynamicSig[25].Value=b5a1
DynamicSig[26].Name=Zusätzliche Absturzsignatur 5
DynamicSig[26].Value=b5a13949296de5a80b34b6b3ed655f0d
DynamicSig[27].Name=Zusätzliche Absturzsignatur 6
DynamicSig[27].Value=7686
DynamicSig[28].Name=Zusätzliche Absturzsignatur 7
DynamicSig[28].Value=7686072c74c9a617ba4768ad2d5f43fa
UI[3]=Skype reagiert nicht
UI[4]=Windows kann online nach einer Lösung suchen. Wenn Sie das Programm schließen, gehen ggf. Informationen verloren.
UI[5]=Online nach einer Lösung suchen und das Programm schließen
UI[6]=Online nach einer Lösung suchen und das Programm schließen
UI[7]=Programm schließen
LoadedModule[0]=C:\Program Files (x86)\Skype\Phone\Skype.exe
... ... ... ...
LoadedModule[150]=C:\Windows\system32\midimap.dll
LoadedModule[151]=C:\Windows\system32\RICHED20.DLL
LoadedModule[152]=C:\Windows\system32\dbghelp.dll
FriendlyEventName=Beendet und geschlossen.
ConsentKey=AppHangXProcB1
AppName=Skype
AppPath=C:\Program Files (x86)\Skype\Phone\Skype.exe
ReportDescription=Aufgrund eines Problems kann dieses Programm nicht mehr mit Windows kommunizieren.



Picture(s):
../1.png
../2.png
../3.png
../4.png
../5.png
../6.png
../7.png
../8.png
../9.png
../10.png


Proof of Concept:
=================
The vulnerability can be exploited by remote attackers with low required user inter action (accept).
Successful exploitation requires to accept a file transfer (user inter action) or receive messages & information.
For demonstration or reproduce ...

Manually ...
=> Install Skype Linux v2.2.0.35(Beta) Software
=> Login to Skype Linux v2.2.0.35(Beta)
=> Choose a userfrom your list with a Windows v5.6.59.10 x64 user client with a Acer Aspire 5738
=> Send the file or startup a text conversation to the skype v5.6.59.10 on a windows 7 x64 user client with a Acer Aspire 5738
=> Results in a stable memory corruption!


Note:
Successful exploitation results in a software and context freeze/crash + exception message violation read/write.
We reproduced the bug in 4 of 11 sendings. On 2 different windows 7 (x64) systems.
We tested the issue on 2 notebooks with the same typus - acer aspire 5738 - Intel(R) Core(TM)2 Duo (T6600 - 2x2.2 GHz) - x64 Windows 7.


Reference(s):
../AppCrash_Skype.exe_d5e2d03b37d849b583abbbf2629dce65e18f70_2056ac14
../AppCrash_Skype.exe_d5e2d03b37d849b583abbbf2629dce65e18f70_15c9ffad
../AppHang_Skype.exe_875f53822d85cc7ef3b7ee45a91220cfa96f2093_158aef59
../AppCrash_Skype.exe_aba333e0633c88bbbcd3934580eb7d3ddde7f5fb_0ba0367c
../debug-20111026-2046.trace.txt
../debug-20111102-1530.log
../Skype.DMP

Attack Scheme(s):
../skype(memory2).png


Risk:
=====
The security risk of the remote corruption vulnerability is estimated as high(-).


Credits:
========
Vulnerability Research Laboratory - Benjamin Kunz Mejri (Rem0ve) & Alexander Fuchs (f0x23)


Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability-
Lab. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of
other media, are reserved by Vulnerability-Lab or its suppliers.

Copyright © 2012|Vulnerability-Lab

--
Website: www.vulnerability-lab.com ; vuln-lab.com or vuln-db.com
Contact: admin@xxxxxxxxxxxxxxxxxxxxx or support@xxxxxxxxxxxxxxxxxxxxx


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/