<<< Date Index >>>     <<< Thread Index >>>

[IP] Skype security





Begin forwarded message:

From: Nicolas Christin <nicolasc@xxxxxxxxx>
Date: October 25, 2005 9:19:01 PM EDT
To: David Farber <dave@xxxxxxxxxx>
Subject: Skype security


[For IP if you wish]

Dear Prof. Farber,

In light of the recent discussion on the IP mailing list on Skype
security evaluation, I thought the following security advisory  was
quite interesting. This was posted this morning (Japan time) to a very
large audience consisting of several mailing-lists.

The gist of it is that a number of Skype versions seem to be
vulnerable to a single-packet attack. In short, running those versions
of Skype could potentially facilitate execution of arbitrary code on
your machine by a remote attacker. Details are included in the
advisory below.

The thing I find most interesting in this episode is that Skype has
diligently responded to the problem (on the same day they were
contacted by EADS), and issued patches within 8 days. I am still a
skeptic (and probably will remain one as long as they don't make their
protocols open), but I personally view this as a (very) positive sign.

Nicolas Christin

---------- Forwarded message ----------
From: . EADS CCR DCR/STI/C <dcrstic.ccr@xxxxxxxx>
Date: Oct 26, 2005 2:16 AM
Subject: Skype security advisory
To: full-disclosure@xxxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx,
vulndev@xxxxxxxxxxxxxxxxx


Synopsis
========

The EADS/CRC security team discovered a flaw  in  Skype  client.

Skype is a P2P VoIP software that can bypass firewalls  and  NAT
to connect to the Skype network. Skype is very  popular  because
of its sound quality and ease of use.

Skype client is available for Windows, Linux,  Mac  OS  X,   and
PocketPC.

A remotely exploitable flaw exists in  the  parser  of  packets.
Exploitation  is  possible  through  a  single    UDP    packet.


Impact
======

An attacker can  send  a  specially  crafted  packet  that  will
trigger a heap overflow condition and execute arbitrary code  on
the target. Hence, an attacker can  gain  full  control  of  the
target. Conversely to  what  is  written  in  Skype's  advisory,
remote code execution *is* possible.


Affected Versions
=================

Skype for Windows (including XP SP2 hosts):
All releases prior to and including 1.4.*.83

Skype for Mac OS X:
All releases prior to and including 1.3.*.16

Skype for Linux:
All releases prior to and including 1.2.*.17

Skype for Pocket PC:
All releases prior to and including 1.1.*.6


Description
===========

Skype uses several  data  formats.   Each  format  has  its  own
specific parser. Note that data format  will  not  be  described
here, for the sake of clarity. A specific encoding  is  used  to
store numbers, that will be referred  as  VLD  (Variable  Length
Data) in this advisory.

The data causing the overflow has the following format:
------------------------------------
| Object Counter*  | M objects     |
| M (VLD)          | (VLD)         |
------------------------------------
* The first number in the packet is the amount of forthcoming
objects.

The amount of memory allocated by the  parser  is  prone  to  an
integer wrap-around. The allocated  size  is  4*M.   Thus,   the
overflow occurs when M is greater than 0x40000000:  e. g.   when
M=0x40000010, HeapAlloc(0x40) is called, but  up  to  0x40000010
objects are effectively read in  the  packet  and  written  into
memory.

Since the attacker controls both M and all other objects in  the
packet, he can overwrite an  arbitrary  amount  of  memory  with
chosen values, thus easily  gaining  control  of  the  execution
flow.

The corresponding parsing code roughly translates in C as
following:

---------------------------------------------------------
// read a VLD from input stream
// return 0 on error
int get_vld(unsigned int*);

unsigned int object_counter;
unsigned int i;
unsigned int * tab_objects;

// read object count (M)
if (get_vld(&object_counter)==0)
        fault();

// allocate memory to store sub-objects
tab_objects = HeapAlloc( sizeof(unsigned int) * object_counter );
if (tab_objects ==NULL)
        fault();

// read and store M sub-objects
for (i=0;i<object_counter;i++)
{
        if (get_vld(&tab_objects[i])==0)
                fault();
}

return;
---------------------------------------------------------


Exploitation
============
We were able to  design  a  proof-of-concept  exploitation  code
targeting Windows XP SP2 and Linux clients using  a  single  UDP
packet.  Remote  exploitation  is  also  possible  through  TCP.

Due to favorable environmental conditions, this particular  heap
overflow *is* also exploitable on  heap-protected  systems  such
as Windows  XP  SP2  and  some  Linux  distributions.   This  is
possible because Skype stores function  pointers  in  the  heap,
and  those  pointers  can  be  overwritten  by  the    overflow.


Detection
=========
As Skype uses encryption mechanisms, it seems difficult for  any
IDS/IPS  to  be  able  to  detect   the    offensive    payload.


Solution
========
Skype has issued fixes. Details are available in their advisory:
http://www.skype.net/security/skype-sb-2005-03.html


Vendor response
===============
Skype advisory:
http://www.skype.com/security/skype-sb-2005-03.html

Disclosure timeline
===================
Oct 17 2005: EADS CRC contacted Skype Security Team
Oct 17 2005: Skype responded to EADS CRC
Oct 25 2005: new patched version available


Legal notices
=============
Copyright (c) 2005 EADS/CRC All rights reserved.

This  EADS  CRC  Security  Bulletin  may  be   reproduced    and
distributed, provided that the Bulletin is not modified  in  any
way, is attributed to EADS/CRC, and provided  that  reproduction
and  distribution  is  performed  for  non-commercial  purposes.

This EADS CRC Security Bulletin is provided to  you  on  an  "AS
IS"  basis  and  may  contain  information  provided  by   third
parties. EADS CRC makes no guarantees or warranties  as  to  the
information contained herein.

ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED,   INCLUDING  WITHOUT
LIMITATION  WARRANTIES  OF  MERCHANTABILITY,   FITNESS  FOR    A
PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED.

Contact
=======
dcrstic.ccr <.a.t.> eads.net


-------------------------------------
You are subscribed as roessler@xxxxxxxxxxxxxxxxxx
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/