Title:
======
Skype VoIP v5.2.x & v5.3.x - Critical Pointer Vulnerability

Date:
=====
2011-08-23

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=180
http://www.vulnerability-lab.com/news/get_news.php?id=26

VL-ID:
=====
180

Introduction:
=============
Skype is a well-known software application that allows users to make voice and video calls and to chat over the Internet.
Calls to other users within the Skype service are free, while calls to both traditional landline telephones and mobile
phones can be made for a fee using a debit-based user account system. Skype has also become popular for its additional
features, which include instant messaging, file transfer, and videoconferencing. Skype had 663 million registered users
as of 2010. The network is operated by Skype Limited, which has its headquarters in Luxembourg. In 2011 Microsoft bought
Skype, and the software is now an official Microsoft product.

(Copy of the website: http://en.wikipedia.org/wiki/Skype)

Abstract:
=========
The Vulnerability-Lab team discovered a critical pointer vulnerability in the Skype VoIP v5.2.x & v5.3.x software.

Report-Timeline:
================
2011-07-02: Vendor Notification
2011-07-04: Vendor Response/Feedback
2011-07-24: Vendor Fix/Patch
2011-08-22: Public or Non-Public Disclosure

Status:
========
Published

Affected Products:
==================

Exploitation-Technique:
=======================
Local

Severity:
=========
High

Details:
========
A critical pointer vulnerability is located in the Mac OS X and Windows versions of Skype. The bug is located in two
input forms of a Unicode HTTP search request sent to the Skype search directory server. The vulnerability allows a
local attacker to crash the complete Skype process via an unknown, unhandled software exception (memory corruption).
The bug also allows a local attacker to overwrite or read a new address (see skype_debug2_win7_x64x.png).

Vulnerable Module(s):
	[+] Input Mask - Geschäftsempfehlungen finden - Wo? & Was? (Find business recommendations - Where? & What?)

Vulnerable:
	[+] MacOS v5.2.0.1523
	[+] Windows (x32&x64) - v5.3.0.120

--- Violation Exception Log ---

0:034> g
(f10.ed4): Unknown exception (first chance)
(f10.ed4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=c07ca54b ebx=a96959bc ecx=d8f10db2 edx=0000155f esi=d7263481 edi=3e294540
eip=25c50116 esp=37f91000 ebp=50601616 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
25c50116 cd01            int     1
0:000> !exchain
0018e8f8: Skype+8be3a0 (00cbe3a0)

--- MacOS Exception Logs ---

Process:         Skype [61937]
Path:            /Applications/Skype.app/Contents/MacOS/Skype
Identifier:      com.skype.skype
Version:         2.8.0.851 (2.8.0.851)
Code Type:       X86 (Native)
Parent Process:  launchd [166]

Date/Time:       2010-10-04 21:35:07.689 +0200
OS Version:      Mac OS X 10.6.4 (10F569)
Report Version:  6

Interval Since Last Report:          2972640 sec
Crashes Since Last Report:           1118
Per-App Interval Since Last Report:  2630974 sec
Per-App Crashes Since Last Report:   3
Anonymous UUID:                      2DCE5869-9F5B-46AD-950A-2295F0CBFC3A

Exception Type:  EXC_CRASH (SIGABRT)
Exception Codes: 0x0000000000000000, 0x0000000000000000
Crashed Thread:  6

Analyses:
	[+] exception_log_osx.txt

--- Windows Exception Logs ---

0:000> .exr 0xffffffffffffffff
ExceptionAddress: 25c50116
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: ffffffff
Attempt to read from address ffffffff

0:000> lmvm Skype
start    end        module name
00400000 01d50000   Skype      (no symbols)
    Loaded symbol image file: C:\Program Files (x86)\Skype\Phone\Skype.exe
    Image path: C:\Program Files (x86)\Skype\Phone\Skype.exe
    Image name: Skype.exe
    Timestamp:        Thu May 13 15:11:32 2010 (4BEBFA84)
    CheckSum:         01908D73
    ImageSize:        01950000
    File version:     4.2.0.169
    Product version:  4.2.0.0
    File flags:       8 (Mask 3F) Private
    File OS:          4 Unknown Win32
    File type:        1.0 App
    File date:        00000000.00000000
    Translations:     0409.04e4
    CompanyName:      Skype Technologies S.A.
    ProductName:      Skype
    InternalName:     Skype.exe
    OriginalFilename: Skype.exe
    ProductVersion:   4.2
    FileVersion:      4.2.0.169
    FileDescription:  Skype
    LegalCopyright:   (c) Skype Technologies S.A.
0:000>

Pictures:
	../1.png
	../2.png
	../skype_debug_win7_x64x.png
	../skype_debug2_win7_x64x.png
	../skype_error_mac_osx_x64x.tiff
	../unhandled-exception_win7_x64.png

Solution:
=========
2011-07-24: Vendor Fix/Patch - Skype decided to exclude the Skype user directory (2011-06/2011-07)

Risk:
=====
The security risk of the locally exploitable memory corruption vulnerability is estimated as high.

Credits:
========
Vulnerability Research Laboratory - Benjamin Kunz Mejri (Rem0ve)

Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all
warranties, either expressed or implied, including the warranties of merchantability and capability for a particular
purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental,
consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised
of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential
or incidental damages so the foregoing limitation may not apply. Any modified copy or reproduction, including partially
usages, of this file requires authorization from Vulnerability-Lab. Permission to electronically redistribute this alert
in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab
or its suppliers.
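Added here as a crash-triage example for the Windows exception record quoted in this advisory; it is editor-added code, not part of the original advisory or of Skype. It parses the WinDbg `.exr` output and the `lmvm` module range, reports what kind of access violation occurred (the Parameter[0] meaning 0 = read, 1 = write, 8 = execute follows the documented EXCEPTION_RECORD semantics), classifies the faulting address, and checks whether EIP falls inside the Skype.exe image. The sample text is re-typed from the advisory as constructed test input.

```python
import re

# Constructed sample: the WinDbg `.exr` record and `lmvm` summary line re-typed
# from the advisory (test input, not a live capture).
WINDBG_EXR = """\
0:000> .exr 0xffffffffffffffff
ExceptionAddress: 25c50116
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: ffffffff
Attempt to read from address ffffffff
"""
WINDBG_LMVM = "00400000 01d50000   Skype      (no symbols)"

STATUS_ACCESS_VIOLATION = 0xC0000005
HEX = r"([0-9a-fA-F]+)"

def parse_exr(text):
    """Parse a WinDbg .exr dump into integer fields: address, code, params."""
    rec = {}
    for key, label in (("address", "ExceptionAddress:"), ("code", "ExceptionCode:")):
        m = re.search(label + r"\s*" + HEX, text)
        if m:
            rec[key] = int(m.group(1), 16)
    rec["params"] = [int(p, 16) for p in re.findall(r"Parameter\[\d+\]:\s*" + HEX, text)]
    return rec

def parse_module_range(lmvm_line):
    """Return (start, end) of the module from an `lmvm` summary line."""
    start, end = lmvm_line.split()[:2]
    return int(start, 16), int(end, 16)

def triage(rec, module_range, bits=32):
    """Classify an access violation for triage. For STATUS_ACCESS_VIOLATION the
    EXCEPTION_RECORD carries Parameter[0] = 0 (read), 1 (write) or 8 (execute)
    and Parameter[1] = the address that faulted. Returns None for other codes."""
    if rec.get("code") != STATUS_ACCESS_VIOLATION or len(rec["params"]) < 2:
        return None
    op = {0: "read", 1: "write", 8: "execute"}.get(rec["params"][0], "unknown")
    fault = rec["params"][1]
    if fault == (1 << bits) - 1:
        where = "all-ones"   # a -1 / error value was dereferenced as a pointer
    elif fault < 0x10000:
        where = "near-null"  # NULL-plus-offset dereference
    else:
        where = "wild"       # arbitrary address: possibly attacker-influenced
    start, end = module_range
    in_module = start <= rec.get("address", -1) < end
    return {"op": op, "fault_class": where, "eip_in_module": in_module}

if __name__ == "__main__":
    print(triage(parse_exr(WINDBG_EXR), parse_module_range(WINDBG_LMVM)))
```

For the advisory's record this reports a read fault at the all-ones address with EIP outside the Skype.exe image range, which is the first thing a triage script should surface before anyone spends time on the crash.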