[NEWS] Skype Buffer Overflow

Subject: [NEWS] Skype Buffer Overflow
Date: 31 Oct 2005 08:54:41 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  Skype Buffer Overflow
------------------------------------------------------------------------


SUMMARY

"Skype is a little program for making free calls over the internet to anyone 
else who also has Skype." (http://www.skype.net/) Lack of proper user input 
validation and size checking of UDP packets allows attackers to execute 
arbitrary code by exploiting a buffer overflow in Skype.

DETAILS

Vulnerable Systems:
 * Skype for Windows (including XP SP2 hosts) version 1.4.*.83 and prior
 * Skype for Mac OS X version 1.3.*.16 and prior
 * Skype for Linux version 1.2.*.17 and prior
 * Skype for Pocket PC version 1.1.*.6 and prior

Skype uses several data formats. Each format has its own specific parser. A 
specific encoding is used to store numbers, which will be referred to as VLD 
(Variable Length Data).

The data causing the overflow has the following format:
-------------------------------------
| Object Counter* | M objects       |
| M (VLD)         | (VLD)           |
-------------------------------------
* The first number in the packet is the amount of forthcoming objects.

The amount of memory allocated by the parser is prone to an integer 
wrap-around. The allocated size is 4*M, so the overflow occurs when M is 
greater than 0x40000000. For example, when M=0x40000010, HeapAlloc(0x40) is 
called, but up to 0x40000010 objects are effectively read from the packet 
and written into memory.

Since the attacker controls both M and all other objects in the packet, he 
can overwrite an arbitrary amount of memory with chosen values, thus 
easily gaining control of the execution flow.

The corresponding parsing code roughly translates in C as following:

// read a VLD from input stream
// return 0 on error
int get_vld(unsigned int*);
// abort processing of the current packet
void fault(void);
// simplified one-argument heap allocation (stands in for the Win32 call)
void * HeapAlloc(unsigned int size);

void parse_objects(void)
{
        unsigned int object_counter;
        unsigned int i;
        unsigned int * tab_objects;

        // read object count (M)
        if (get_vld(&object_counter)==0)
                fault();

        // allocate memory to store sub-objects
        // the size 4*M is computed in 32 bits with no range check on M,
        // so it wraps around for large M (e.g. M=0x40000010 gives 0x40)
        tab_objects = HeapAlloc( sizeof(unsigned int) * object_counter );
        if (tab_objects ==NULL)
                fault();

        // read and store M sub-objects
        // the loop is bounded by the unchecked M, not by the allocated size,
        // so more objects are written than the allocation holds
        for (i=0;i<object_counter;i++)
        {
                if (get_vld(&tab_objects[i])==0)
                        fault();
        }

        return;
}
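The hardened form of the size computation, shown as an added illustration that is neither Skype's code nor part of the advisory: the count is checked against the bytes left in the packet (assuming each VLD occupies at least one byte, which the advisory does not state) and against the 32-bit range of 4*M before anything is allocated. The function and parameter names are mine.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Size computation as the advisory describes it: 4*M in 32-bit arithmetic.
   For M = 0x40000010 this yields 0x40, the HeapAlloc(0x40) of the advisory. */
uint32_t naive_alloc_size(uint32_t object_counter)
{
        return (uint32_t)(sizeof(uint32_t) * object_counter);
}

/* Hardened size computation. Returns the table size in bytes, or 0 when the
   count must be rejected:
     - M == 0 (nothing to allocate),
     - M exceeds the bytes left in the packet (assumes each VLD occupies at
       least one byte; the advisory does not define the encoding),
     - 4*M does not fit in 32 bits (the wrap-around behind CVE-2005-3267). */
uint32_t checked_alloc_size(uint32_t object_counter, size_t remaining_bytes)
{
        if (object_counter == 0)
                return 0;
        if (object_counter > remaining_bytes)
                return 0;
        if (object_counter > UINT32_MAX / sizeof(uint32_t))
                return 0;
        return (uint32_t)(object_counter * sizeof(uint32_t));
}

/* Allocates the object table only when the count passes the checks above.
   Returns NULL when the packet must be rejected; the caller frees the table. */
uint32_t *alloc_object_table(uint32_t object_counter, size_t remaining_bytes)
{
        uint32_t size = checked_alloc_size(object_counter, remaining_bytes);
        if (size == 0)
                return NULL;
        return (uint32_t *)malloc(size);
}

int main(void)
{
        /* constructed values: the advisory's M and a typical UDP payload length */
        uint32_t *tab = alloc_object_table(0x40000010u, 1500);
        printf("naive size for M=0x40000010: 0x%x\n",
               (unsigned)naive_alloc_size(0x40000010u));
        printf("checked allocation: %s\n", tab ? "accepted" : "rejected");
        free(tab);
        return 0;
}
```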

Due to the favorable environmental conditions, this particular heap 
overflow is also exploitable on heap-protected systems such as Windows XP 
SP2 and some Linux distributions. This is possible because Skype stores 
function pointers in the heap, and  those pointers can be overwritten by 
the overflow.

CVE Information:
CVE-2005-3267: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3267

Disclosure Timeline:
Oct 17 2005: EADS CRC contacted Skype Security Team
Oct 17 2005: Skype responded to EADS CRC
Oct 25 2005: new patched version available


ADDITIONAL INFORMATION

The information has been provided by EADS CCR DCR/STI/C 
(dcrstic.ccr@eads.net).
The vendor advisory can be found at:
http://www.skype.net/security/skype-sb-2005-03.html


