From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Tue, 25 Oct 2005 20:44:07 +0300
From: Michael Shigorin
To: smoke-room@altlinux.ru
Message-ID: <20051025174407.GR9804@osdn.org.ua>
Subject: [room] Fwd: Skype security advisory
Reply-To: shigorin@gmail.com, культурный оффтопик
List-Id: культурный оффтопик

FYI

----- Forwarded message from ". EADS CCR DCR/STI/C" -----

Date: Tue, 25 Oct 2005 19:16:38 +0200
From: . EADS CCR DCR/STI/C
To: , ,
Subject: Skype security advisory

Synopsis
========

The EADS/CRC security team discovered a flaw in the Skype client. Skype is P2P VoIP software that can bypass firewalls and NAT to connect to the Skype network. Skype is very popular because of its sound quality and ease of use. The Skype client is available for Windows, Linux, Mac OS X, and PocketPC.

A remotely exploitable flaw exists in the packet parser. Exploitation is possible through a single UDP packet.

Impact
======

An attacker can send a specially crafted packet that will trigger a heap overflow condition and execute arbitrary code on the target. Hence, an attacker can gain full control of the target.

Contrary to what is written in Skype's advisory, remote code execution *is* possible.
Affected Versions
=================

Skype for Windows (including XP SP2 hosts): All releases prior to and including 1.4.*.83
Skype for Mac OS X: All releases prior to and including 1.3.*.16
Skype for Linux: All releases prior to and including 1.2.*.17
Skype for Pocket PC: All releases prior to and including 1.1.*.6

Description
===========

Skype uses several data formats. Each format has its own specific parser. Note that the data format will not be described here, for the sake of clarity. A specific encoding is used to store numbers, which will be referred to as VLD (Variable Length Data) in this advisory.

The data causing the overflow has the following format:

------------------------------------
| Object Counter* | M objects      |
| M (VLD)         | (VLD)          |
------------------------------------

* The first number in the packet is the amount of forthcoming objects.

The amount of memory allocated by the parser is prone to an integer wrap-around. The allocated size is 4*M. Thus, the overflow occurs when M is greater than 0x40000000: e.g. when M=0x40000010, HeapAlloc(0x40) is called, but up to 0x40000010 objects are effectively read from the packet and written into memory.

Since the attacker controls both M and all other objects in the packet, he can overwrite an arbitrary amount of memory with chosen values, thus easily gaining control of the execution flow.
The corresponding parsing code roughly translates into C as follows:

---------------------------------------------------------
// read a VLD from the input stream
// return 0 on error
int get_vld(unsigned int*);

unsigned int object_counter;
unsigned int i;
unsigned int *tab_objects;

// read object count (M)
if (get_vld(&object_counter)==0)
    fault();

// allocate memory to store sub-objects
// (sizeof(unsigned int) * object_counter wraps around for large M,
//  so far fewer than M slots are allocated)
tab_objects = HeapAlloc( sizeof(unsigned int) * object_counter );
if (tab_objects ==NULL)
    fault();

// read and store M sub-objects
// (loop reconstructed from the surrounding description; the archive
//  swallowed the text after the '<' of the comparison)
for (i=0;i<object_counter;i++)
    if (get_vld(&tab_objects[i])==0)
        fault();
---------------------------------------------------------

eads.net

----- End forwarded message -----

-- 
---- WBR, Michael Shigorin
------ Linux.Kiev http://www.linux.kiev.ua/
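The wrap-around the advisory describes, shown as an added example in C that is not part of the advisory or of Skype's code: the 4*M size computation next to a hardened parser that rejects counts whose byte size would wrap or that exceed what the remaining input could hold. The VLD reader (a 7-bit varint) and the one-input-byte-per-object bound are assumptions, since the advisory does not describe the real encoding.

```c
#include <stdint.h>
#include <stdlib.h>

/* Size computation as in the advisory, in 32-bit arithmetic so the
 * wrap-around shows on any host: 4*M wraps once M >= 0x40000000. */
uint32_t unchecked_alloc_size(uint32_t object_counter)
{
    return 4u * object_counter;
}

/* Hardened replacement: reject a count whose byte size would wrap, and a
 * count larger than the objects the remaining input could possibly hold
 * (assumption: every encoded object occupies at least one input byte). */
int checked_alloc_size(uint32_t object_counter, size_t bytes_left, uint32_t *out)
{
    if (object_counter > UINT32_MAX / sizeof(uint32_t)) return 0;
    if (object_counter > bytes_left) return 0;
    *out = (uint32_t)(sizeof(uint32_t) * object_counter);
    return 1;
}

/* Hypothetical VLD reader: 7-bit little-endian varint (an assumption, the
 * real encoding is not described). Returns bytes consumed, 0 on error. */
size_t read_vld(const uint8_t *p, size_t len, uint32_t *val)
{
    uint32_t v = 0;
    for (size_t i = 0; i < len && i < 5; i++) {
        v |= (uint32_t)(p[i] & 0x7f) << (7 * i);
        if (!(p[i] & 0x80)) { *val = v; return i + 1; }
    }
    return 0;
}

/* Parse "M, then M objects" with the checks above. Returns the object
 * count (caller frees *out) or -1 on malformed input. */
long parse_objects(const uint8_t *buf, size_t len, uint32_t **out)
{
    uint32_t count, size;
    size_t used = read_vld(buf, len, &count);
    if (used == 0) return -1;
    buf += used; len -= used;
    if (!checked_alloc_size(count, len, &size)) return -1;
    uint32_t *tab = malloc(size ? size : 1);
    if (tab == NULL) return -1;
    for (uint32_t i = 0; i < count; i++) {
        used = read_vld(buf, len, &tab[i]);
        if (used == 0) { free(tab); return -1; }
        buf += used; len -= used;
    }
    *out = tab;
    return (long)count;
}
```

With the advisory's M=0x40000010 the unchecked size comes out as 0x40 while the checked path refuses the packet before any allocation.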