Synopsis 
======== 
 
The EADS/CRC security team discovered a flaw  in  Skype  client.

Skype is a P2P VoIP software that can bypass firewalls  and  NAT
to connect to the Skype network. Skype is very  popular  because
of its sound quality and ease of use.

Skype client is available for Windows, Linux,  Mac  OS  X,   and
PocketPC.

A remotely exploitable flaw exists in  the  parser  of  packets.
Exploitation  is  possible  through  a  single    UDP    packet.


Impact
======
 
An attacker can  send  a  specially  crafted  packet  that  will
trigger a heap overflow condition and execute arbitrary code  on
the target. Hence, an attacker can  gain  full  control  of  the
target. Conversely to  what  is  written  in  Skype's  advisory,
remote code execution *is* possible. 


Affected Versions 
================= 
 
Skype for Windows (including XP SP2 hosts): 
All releases prior to and including 1.4.*.83 
 
Skype for Mac OS X: 
All releases prior to and including 1.3.*.16 
 
Skype for Linux: 
All releases prior to and including 1.2.*.17 
 
Skype for Pocket PC: 
All releases prior to and including 1.1.*.6 
 

Description 
=========== 
 
Skype uses several  data  formats.   Each  format  has  its  own
specific parser. Note that data format  will  not  be  described
here, for the sake of clarity. A specific encoding  is  used  to
store numbers, that will be referred  as  VLD  (Variable  Length
Data) in this advisory.

The data causing the overflow has the following format:
------------------------------------ 
| Object Counter*  | M objects     | 
| M (VLD)          | (VLD)         | 
------------------------------------ 
* The first number in the packet is the amount of forthcoming 
objects. 
 
The amount of memory allocated by the  parser  is  prone  to  an
integer wrap-around. The allocated  size  is  4*M.   Thus,   the
overflow occurs when M is greater than 0x40000000:  e. g.   when
M=0x40000010, HeapAlloc(0x40) is called, but  up  to  0x40000010
objects are effectively read in  the  packet  and  written  into
memory.

Since the attacker controls both M and all other objects in  the
packet, he can overwrite an  arbitrary  amount  of  memory  with
chosen values, thus easily  gaining  control  of  the  execution
flow. 

The corresponding parsing code roughly translates in C as 
following: 
 
--------------------------------------------------------- 
// read a VLD from input stream 
// return 0 on error 
int get_vld(unsigned int*); 
 
unsigned int object_counter; 
unsigned int i; 
unsigned int * tab_objects; 
 
// read object count (M) 
if (get_vld(&object_counter)==0) 
        fault(); 
 
// allocate memory to store sub-objects 
tab_objects = HeapAlloc( sizeof(unsigned int) * object_counter ); 
if (tab_objects ==NULL) 
        fault(); 
 
// read and store M sub-objects 
for (i=0;i<object_counter;i++) 
{ 
        if (get_vld(&tab_objects[i])==0) 
                fault(); 
} 
 
return; 
--------------------------------------------------------- 


Exploitation 
============ 
We were able to  design  a  proof-of-concept  exploitation  code
targeting Windows XP SP2 and Linux clients using  a  single  UDP
packet.  Remote  exploitation  is  also  possible  through  TCP.

Due to favorable environmental conditions, this particular  heap
overflow *is* also exploitable on  heap-protected  systems  such
as Windows  XP  SP2  and  some  Linux  distributions.   This  is
possible because Skype stores function  pointers  in  the  heap,
and  those  pointers  can  be  overwritten  by  the    overflow.
 
 
Detection 
========= 
As Skype uses encryption mechanisms, it seems difficult for  any
IDS/IPS  to  be  able  to  detect   the    offensive    payload.

 
Solution 
========
Skype has issued fixes. Details are available in their advisory: 
http://www.skype.net/security/skype-sb-2005-03.html 
 
 
Vendor response 
=============== 
Skype advisory: 
http://www.skype.com/security/skype-sb-2005-03.html 

Disclosure timeline 
=================== 
Oct 17 2005: EADS CRC contacted Skype Security Team 
Oct 17 2005: Skype responded to EADS CRC 
Oct 25 2005: new patched version available 
 
 
Legal notices 
============= 
Copyright (c) 2005 EADS/CRC All rights reserved. 
 
This  EADS  CRC  Security  Bulletin  may  be   reproduced    and
distributed, provided that the Bulletin is not modified  in  any
way, is attributed to EADS/CRC, and provided  that  reproduction
and  distribution  is  performed  for  non-commercial  purposes.
 
This EADS CRC Security Bulletin is provided to  you  on  an  "AS
IS"  basis  and  may  contain  information  provided  by   third
parties. EADS CRC makes no guarantees or warranties  as  to  the
information contained herein. 

ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED,   INCLUDING  WITHOUT
LIMITATION  WARRANTIES  OF  MERCHANTABILITY,   FITNESS  FOR    A
PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED.  
 
Contact 
======= 
dcrstic.ccr <.a.t.> eads.net