[NEWS] Skype Buffer Overflow

From: SecuriTeam (support_at_securiteam.com)
Date: 10/31/05

    To: list@securiteam.com
    Date: 31 Oct 2005 08:54:41 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Skype Buffer Overflow
    ------------------------------------------------------------------------

    SUMMARY

    "Skype is a little program for making free calls over the internet to
    anyone else who also has Skype." (<http://www.skype.net/>) Lack of proper
    user input validation and size checking of UDP packets allows attackers
    to execute arbitrary code by exploiting a buffer overflow in Skype.

    DETAILS

    Vulnerable Systems:
     * Skype for Windows (including XP SP2 hosts) version 1.4.*.83 and prior
     * Skype for Mac OS X version 1.3.*.16 and prior
     * Skype for Linux version 1.2.*.17 and prior
     * Skype for Pocket PC version 1.1.*.6 and prior

    Skype uses several data formats. Each format has its own specific
    parser. A specific encoding is used to store numbers, which will be
    referred to as VLD (Variable Length Data).

    The data causing the overflow has the following format:

    +-----------------+-----------+
    | Object Counter* | M objects |
    | M (VLD)         | (VLD)     |
    +-----------------+-----------+

    * The first number in the packet is the amount of forthcoming objects.

    The amount of memory allocated by the parser is prone to an integer
    wrap-around. The allocated size is 4*M. Thus, the overflow occurs when M
    is greater than 0x40000000: e.g. when M=0x40000010, HeapAlloc(0x40) is
    called, but up to 0x40000010 objects are actually read from the packet
    and written into memory.

    Since the attacker controls both M and all other objects in the packet, he
    can overwrite an arbitrary amount of memory with chosen values, thus
    easily gaining control of the execution flow.

    The corresponding parsing code roughly translates into C as follows
    (the wrap-around in the HeapAlloc size computation is the bug):

    #include <stddef.h>

    // read a VLD from the input stream into *out
    // returns 0 on error
    int get_vld(unsigned int *out);

    // abort processing of the current packet
    void fault(void);

    // thin wrapper around the Windows heap allocator (size in bytes)
    void *HeapAlloc(size_t size);

    void parse_objects(void)
    {
            unsigned int object_counter;
            unsigned int i;
            unsigned int *tab_objects;

            // read object count (M)
            if (get_vld(&object_counter) == 0)
                    fault();

            // allocate memory to store sub-objects:
            // sizeof(unsigned int) * object_counter is computed in 32 bits
            // and wraps for large M (e.g. M=0x40000010 gives only 0x40 bytes)
            tab_objects = HeapAlloc(sizeof(unsigned int) * object_counter);
            if (tab_objects == NULL)
                    fault();

            // read and store M sub-objects: the loop still runs M times,
            // writing past the undersized allocation
            for (i = 0; i < object_counter; i++)
            {
                    if (get_vld(&tab_objects[i]) == 0)
                            fault();
            }

            return;
    }

    Due to the favorable environmental conditions, this particular heap
    overflow is also exploitable on heap-protected systems such as Windows XP
    SP2 and some Linux distributions. This is possible because Skype stores
    function pointers in the heap, and those pointers can be overwritten by
    the overflow.
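    As an added illustration (not code from the advisory, from EADS CRC or from Skype), the hardened counterpart of the parser above: the same M-objects layout, with the object count bounded before the allocation and before the read loop, next to the raw 32-bit size arithmetic that wraps. The VLD encoding (a base-128 varint), MAX_OBJECTS, the function names and the two sample packets are assumptions constructed for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stddef.h>
#define MAX_OBJECTS 4096u   /* assumed application-level cap for this example */

/* Assumed VLD encoding (stand-in, the advisory gives no spec): little-endian
 * base-128 varint. Returns bytes consumed, 0 on error (truncated or > 5 bytes). */
static size_t get_vld(const uint8_t *p, size_t len, uint32_t *out) {
    uint32_t v = 0;
    for (size_t i = 0; i < len && i < 5; i++) {
        v |= (uint32_t)(p[i] & 0x7f) << (7 * i);
        if (!(p[i] & 0x80)) { *out = v; return i + 1; }
    }
    return 0;
}

/* The 32-bit size arithmetic the advisory describes: 4*M truncated to 32 bits,
 * so M = 0x40000010 yields an allocation of only 0x40 bytes. */
uint32_t unchecked_alloc_size(uint32_t m) {
    return (uint32_t)(sizeof(uint32_t) * m);
}

/* Hardened parser: bound M before allocating and before the read loop.
 * Returns the object count (array in *objs, caller frees) or -1 on error. */
int parse_object_list(const uint8_t *pkt, size_t len, uint32_t **objs) {
    uint32_t m, *tab; size_t pos, n;
    *objs = NULL;
    if ((pos = get_vld(pkt, len, &m)) == 0) return -1;
    /* reject counts that would wrap the size computation or exceed the cap */
    if (m == 0 || m > MAX_OBJECTS || m > UINT32_MAX / sizeof(uint32_t)) return -1;
    if ((tab = calloc(m, sizeof(uint32_t))) == NULL) return -1;
    for (uint32_t i = 0; i < m; i++) {   /* loop bound now matches the allocation */
        if ((n = get_vld(pkt + pos, len - pos, &tab[i])) == 0) { free(tab); return -1; }
        pos += n;
    }
    *objs = tab;
    return (int)m;
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t GOOD_PKT[] = {0x03, 0x01, 0x82, 0x01, 0x7f};       /* M=3: 1, 130, 127 */
static const uint8_t BAD_PKT[]  = {0x90, 0x80, 0x80, 0x80, 0x04, 0x01}; /* M=0x40000010 */
/* Parse pkt and return the object at idx, or UINT32_MAX if the packet is rejected. */
uint32_t object_at(const uint8_t *pkt, size_t len, uint32_t idx) {
    uint32_t *objs, v = UINT32_MAX;
    int r = parse_object_list(pkt, len, &objs);
    if (r > 0 && idx < (uint32_t)r) v = objs[idx];
    free(objs);
    return v;
}
```

    The same guard is what calloc's own n*size overflow check gives for free, but the explicit bound on M is what lets the parser fail before reading further into an attacker-controlled packet.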

    CVE Information:
     <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3267>
    CVE-2005-3267

    Disclosure Timeline:
    Oct 17 2005: EADS CRC contacted Skype Security Team
    Oct 17 2005: Skype responded to EADS CRC
    Oct 25 2005: new patched version available

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:dcrstic.ccr@eads.net> EADS
    CCR DCR/STI/C.
    The vendor advisory can be found at:
    <http://www.skype.net/security/skype-sb-2005-03.html>

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

