Cd Chen's Services

今天收到一個朋友的來信，信中提到 Skype 被發現有嚴重的安全漏洞。有安裝 Skype 的朋友，記得更新一下!!

以下轉錄原信件內容：

Synopsis
========

The EADS/CRC security team discovered a flaw in Skype client.

Skype is a P2P VoIP software that can bypass firewalls and NAT
to connect to the Skype network. Skype is very popular because
of its sound quality and ease of use.

Skype client is available for Windows, Linux, Mac OS X, and
PocketPC.

A remotely exploitable flaw exists in the parser of packets.
Exploitation is possible through a single UDP packet.

Impact
======

An attacker can send a specially crafted packet that will
trigger a heap overflow condition and execute arbitrary code on
the target. Hence, an attacker can gain full control of the
target. Conversely to what is written in Skype's advisory,
remote code execution *is* possible.

Affected Versions
=================

Skype for Windows (including XP SP2 hosts):
All releases prior to and including 1.4.*.83

Skype for Mac OS X:
All releases prior to and including 1.3.*.16

Skype for Linux:
All releases prior to and including 1.2.*.17

Skype for Pocket PC:
All releases prior to and including 1.1.*.6

Description
===========

Skype uses several data formats. Each format has its own
specific parser. Note that data format will not be described
here, for the sake of clarity. A specific encoding is used to
store numbers, that will be referred as VLD (Variable Length
Data) in this advisory.

The data causing the overflow has the following format:

------------------------------------
| Object Counter*  | M objects     |
| M (VLD)          | (VLD)         |
------------------------------------

* The first number in the packet is the amount of forthcoming
objects.

The amount of memory allocated by the parser is prone to an
integer wrap-around. The allocated size is 4*M. Thus, the
overflow occurs when M is greater than 0x40000000: e. g. when
M=0x40000010, HeapAlloc(0x40) is called, but up to 0x40000010
objects are effectively read in the packet and written into
memory.

Since the attacker controls both M and all other objects in the
packet, he can overwrite an arbitrary amount of memory with
chosen values, thus easily gaining control of the execution
flow.

The corresponding parsing code roughly translates in C as
following:

---

// read a VLD from input stream
// return 0 on error
int get_vld(unsigned int*);

unsigned int object_counter;

unsigned int i;

unsigned int * tab_objects;

// read object count (M)

if (get_vld(&object_counter)==0)

         fault();

// allocate memory to store sub-objects

tab_objects = HeapAlloc( sizeof(unsigned int) * object_counter );

if (tab_objects ==NULL)

         fault();

// read and store M sub-objects

for (i=0;i
{

         if (get_vld(&tab_objects[i])==0)

                 fault();

}

return;

---

Exploitation

============

We were able to design a proof-of-concept exploitation code

targeting Windows XP SP2 and Linux clients using a single UDP

packet. Remote exploitation is also possible through TCP.

Due to favorable environmental conditions, this particular heap

overflow *is* also exploitable on heap-protected systems such

as Windows XP SP2 and some Linux distributions. This is

possible because Skype stores function pointers in the heap,

and those pointers can be overwritten by the overflow.

Detection

=========

As Skype uses encryption mechanisms, it seems difficult for any

IDS/IPS to be able to detect the offensive payload.

Solution

========

Skype has issued fixes. Details are available in their advisory:

http://www.skype.net/security/skype-sb-2005-03.html

Vendor response

===============

Skype advisory:

http://www.skype.com/security/skype-sb-2005-03.html

Disclosure timeline

===================

Oct 17 2005: EADS CRC contacted Skype Security Team

Oct 17 2005: Skype responded to EADS CRC

Oct 25 2005: new patched version available

Legal notices

=============

Copyright (c) 2005 EADS/CRC All rights reserved.

This EADS CRC Security Bulletin may be reproduced and

distributed, provided that the Bulletin is not modified in any

way, is attributed to EADS/CRC, and provided that reproduction

and distribution is performed for non-commercial purposes.

This EADS CRC Security Bulletin is provided to you on an "AS

IS" basis and may contain information provided by third

parties. EADS CRC makes no guarantees or warranties as to the

information contained herein.

ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT

LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A

PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED.

Contact

=======

dcrstic.ccr <a.t.> eads.net