I didn't test it myself, but since UDP is a connectionless protocol I suspect it works without any user interaction.
- sk
http://www.groundzero-security.com

----- Original Message -----
From: "Brown, Bobby (US - Hermitage)" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Wednesday, October 26, 2005 9:53 PM
Subject: RE: [Full-disclosure] Skype security advisory

> I have a question: can the exploit be performed with no interaction from
> the user other than having the program running, waiting for a connection,
> or is it only valid after a user has accepted a connection and the flaw is
> then exploited?
>
> BB
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of . EADS CCR DCR/STI/C
> Sent: Tuesday, October 25, 2005 12:17 PM
> To: [email protected]; [email protected]; [EMAIL PROTECTED]
> Subject: [Full-disclosure] Skype security advisory
>
> Synopsis
> ========
>
> The EADS/CRC security team discovered a flaw in the Skype client.
>
> Skype is P2P VoIP software that can bypass firewalls and NAT
> to connect to the Skype network. Skype is very popular because
> of its sound quality and ease of use.
>
> The Skype client is available for Windows, Linux, Mac OS X, and
> PocketPC.
>
> A remotely exploitable flaw exists in the packet parser.
> Exploitation is possible through a single UDP packet.
>
>
> Impact
> ======
>
> An attacker can send a specially crafted packet that will
> trigger a heap overflow condition and execute arbitrary code on
> the target. Hence, an attacker can gain full control of the
> target. Contrary to what is written in Skype's advisory,
> remote code execution *is* possible.
>
>
> Affected Versions
> =================
>
> Skype for Windows (including XP SP2 hosts):
>   All releases prior to and including 1.4.*.83
>
> Skype for Mac OS X:
>   All releases prior to and including 1.3.*.16
>
> Skype for Linux:
>   All releases prior to and including 1.2.*.17
>
> Skype for Pocket PC:
>   All releases prior to and including 1.1.*.6
>
>
> Description
> ===========
>
> Skype uses several data formats. Each format has its own
> specific parser.
> Note that the data format will not be described
> here, for the sake of clarity. A specific encoding is used to
> store numbers, which will be referred to as VLD (Variable Length
> Data) in this advisory.
>
> The data causing the overflow has the following format:
> ------------------------------------
> | Object Counter*  |   M objects   |
> |     M (VLD)      |     (VLD)     |
> ------------------------------------
> * The first number in the packet is the amount of forthcoming
>   objects.
>
> The amount of memory allocated by the parser is prone to an
> integer wrap-around. The allocated size is 4*M. Thus, the
> overflow occurs when M is greater than 0x40000000: e.g. when
> M=0x40000010, HeapAlloc(0x40) is called, but up to 0x40000010
> objects are effectively read from the packet and written into
> memory.
>
> Since the attacker controls both M and all other objects in the
> packet, he can overwrite an arbitrary amount of memory with
> chosen values, thus easily gaining control of the execution
> flow.
>
> The corresponding parsing code roughly translates into C as
> follows:
>
> ---------------------------------------------------------
> // read a VLD from input stream
> // return 0 on error
> int get_vld(unsigned int*);
>
> unsigned int object_counter;
> unsigned int i;
> unsigned int * tab_objects;
>
> // read object count (M)
> if (get_vld(&object_counter)==0)
>     fault();
>
> // allocate memory to store sub-objects
> tab_objects = HeapAlloc( sizeof(unsigned int) * object_counter );
> if (tab_objects ==NULL)
>     fault();
>
> // read and store M sub-objects
> for (i=0;i<object_counter;i++)
> {
>     if (get_vld(&tab_objects[i])==0)
>         fault();
> }
>
> return;
> ---------------------------------------------------------
>
>
> Exploitation
> ============
> We were able to design a proof-of-concept exploitation code
> targeting Windows XP SP2 and Linux clients using a single UDP
> packet. Remote exploitation is also possible through TCP.
>
> Due to favorable environmental conditions, this particular heap
> overflow *is* also exploitable on heap-protected systems such
> as Windows XP SP2 and some Linux distributions. This is
> possible because Skype stores function pointers in the heap,
> and those pointers can be overwritten by the overflow.
>
>
> Detection
> =========
> As Skype uses encryption mechanisms, it seems difficult for any
> IDS/IPS to detect the offensive payload.
>
>
> Solution
> ========
> Skype has issued fixes. Details are available in their advisory:
> http://www.skype.net/security/skype-sb-2005-03.html
>
>
> Vendor response
> ===============
> Skype advisory:
> http://www.skype.com/security/skype-sb-2005-03.html
>
> Disclosure timeline
> ===================
> Oct 17 2005: EADS CRC contacted Skype Security Team
> Oct 17 2005: Skype responded to EADS CRC
> Oct 25 2005: new patched version available
>
>
> Legal notices
> =============
> Copyright (c) 2005 EADS/CRC All rights reserved.
>
> This EADS CRC Security Bulletin may be reproduced and
> distributed, provided that the Bulletin is not modified in any
> way, is attributed to EADS/CRC, and provided that reproduction
> and distribution is performed for non-commercial purposes.
>
> This EADS CRC Security Bulletin is provided to you on an "AS
> IS" basis and may contain information provided by third
> parties. EADS CRC makes no guarantees or warranties as to the
> information contained herein.
>
> ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT
> LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
> PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED.
>
> Contact
> =======
> dcrstic.ccr <.a.t.> eads.net
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
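What the advisory's 4*M wrap-around looks like in running code, as an added example (not code from the advisory, from EADS/CRC or from Skype). It emulates the 32-bit client against a fake heap so the overflow can be observed without corrupting the process, and sets a hardened parser beside the vulnerable one. The LEB128-style VLD encoding, the packet builder, fake_heap, HEAP_WORDS and all function names are assumptions made for this example; the advisory does not describe Skype's actual encoding.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the advisory, EADS/CRC or Skype.  The VLD
 * encoding is an assumption (LEB128-style varint: 7 data bits per byte, high
 * bit set on all but the last byte); the advisory does not describe Skype's. */
struct stream { const uint8_t *p, *end; };

/* read one VLD from the stream; return 0 on error (truncated or over 32 bits) */
static int get_vld(struct stream *s, uint32_t *out)
{
    uint32_t v = 0; unsigned shift = 0;
    while (s->p < s->end && shift < 32) {
        uint8_t b = *s->p++;
        v |= (uint32_t)(b & 0x7f) << shift;
        if (!(b & 0x80)) { *out = v; return 1; }
        shift += 7;
    }
    return 0;
}

/* encoder, only needed to build constructed test packets */
static size_t put_vld(uint8_t *dst, uint32_t v)
{
    size_t n = 0;
    do {
        uint8_t b = v & 0x7f;
        v >>= 7;
        dst[n++] = v ? (uint8_t)(b | 0x80) : b;
    } while (v);
    return n;
}

/* constructed packet: object counter M, then n_objects copies of value */
static size_t build_packet(uint8_t *buf, uint32_t m, uint32_t value, size_t n_objects)
{
    size_t len = put_vld(buf, m);
    for (size_t i = 0; i < n_objects; i++)
        len += put_vld(buf + len, value);
    return len;
}

/* 32-bit size arithmetic as in the affected client: 4*M wraps for M >= 0x40000000 */
static uint32_t vuln_alloc_size(uint32_t object_counter)
{
    return 4u * object_counter;
}

/* Stand-in for the client's heap: the table is "allocated" at the start, and the
 * word right after it plays a neighbouring object such as a function pointer. */
#define HEAP_WORDS 64
static uint32_t fake_heap[HEAP_WORDS];

/* Vulnerable parser, after the advisory's C sketch.  Returns the number of words
 * written, or -1 if M is unreadable or the allocation "fails".  Where the original
 * calls fault() on a truncated list the heap is already corrupted, so it just stops. */
static int parse_vuln(const uint8_t *pkt, size_t len, uint32_t *alloc_size)
{
    struct stream s = { pkt, pkt + len };
    uint32_t m, i;
    if (!get_vld(&s, &m)) return -1;
    *alloc_size = vuln_alloc_size(m);                /* 0x40000010 -> 0x40 */
    if (*alloc_size > sizeof fake_heap) return -1;   /* HeapAlloc failure */
    uint32_t *tab_objects = fake_heap;               /* HeapAlloc(*alloc_size) */
    memset(fake_heap, 0, sizeof fake_heap);
    /* bound is M, not the allocation; "i < HEAP_WORDS" is a demo-only rail */
    for (i = 0; i < m && i < HEAP_WORDS; i++)
        if (!get_vld(&s, &tab_objects[i])) break;    /* fault() in the original */
    return (int)i;
}

/* Hardened parser: M is validated before it reaches the multiplication. */
static int parse_safe(const uint8_t *pkt, size_t len, uint32_t *out, size_t out_words)
{
    struct stream s = { pkt, pkt + len };
    uint32_t m, i;
    if (!get_vld(&s, &m)) return -1;
    /* every VLD takes at least one byte, so M cannot exceed the bytes left */
    if (m > (size_t)(s.end - s.p)) return -1;
    /* checked multiply: with a 32-bit size_t this rejects M >= 0x40000000 */
    if (m > SIZE_MAX / sizeof(uint32_t)) return -1;
    if (m > out_words) return -1;                    /* caller's buffer capacity */
    for (i = 0; i < m; i++)
        if (!get_vld(&s, &out[i])) return -1;
    return (int)i;
}

int main(void)
{
    uint8_t pkt[256];
    uint32_t alloc = 0, out[8];
    size_t n = build_packet(pkt, 0x40000010u, 0x41414141u, 20);
    int written = parse_vuln(pkt, n, &alloc);
    printf("vulnerable: HeapAlloc(0x%x), wrote %d words, word after chunk = 0x%08x\n",
           (unsigned)alloc, written, (unsigned)fake_heap[alloc / 4]);
    printf("hardened parser: %d\n", parse_safe(pkt, n, out, 8));
    return 0;
}
```

With M=0x40000010 the vulnerable parser allocates 0x40 bytes (16 words) but keeps writing until the packet runs out, so the 17th object lands on the word after the chunk, where an adjacent heap object such as a function pointer would sit. The hardened parser rejects the same packet on two independent grounds: M exceeds the bytes remaining in the packet (each VLD needs at least one), and, on a 32-bit size_t, M exceeds SIZE_MAX / sizeof(uint32_t). On a 64-bit host only the length check fires for a 32-bit M, which is why it is worth keeping even where the multiply itself cannot wrap.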
