Title:
======
Skype v5.6.59.x - Memory Corruption Vulnerability

Date:
=====
2012-02-17

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=315

VL-ID:
=====
315

Introduction:
=============
Skype is a software application that allows users to make voice and video calls and chats over the Internet. Calls to other users within the Skype service are free, while calls to both traditional landline telephones and mobile phones can be made for a fee using a debit-based user account system. Skype has also become popular for its additional features, which include instant messaging, file transfer, and videoconferencing. Skype has 663 million registered users as of 2010. The network is operated by Skype Limited, which has its headquarters in Luxembourg. Most of the development team and 44% of the overall employees of Skype are situated in the offices of Tallinn and Tartu, Estonia.

(Copy of the Vendor Homepage: http://en.wikipedia.org/wiki/Skype)

Abstract:
=========
The Vulnerability-Lab Team discovered a remote memory corruption vulnerability in Skype v5.6.59.x for x64 Windows 7 on an Acer Aspire 5738.

Report-Timeline:
================
2011-11-07: Vendor Notification
2011-11-09: Vendor Response/Feedback
2011-**-**: Vendor Fix/Patch
2012-02-17: Public or Non-Public Disclosure

Status:
========
Published

Exploitation-Technique:
=======================
Remote

Severity:
=========
High

Details:
========
A memory corruption vulnerability was detected in the Windows client v5.6.59.10 (x64) of the Skype software. The bug is triggered when the client processes specially crafted transfers/communication processes sent from a Linux v2.2.0.35 (Beta) client to a Windows v5.6.59.10 client. The vulnerability allows the Linux client user to remotely crash the Windows client via a freeze during the transfer. Code execution is not possible via the read/write violation. The bug is only exploitable on an Acer Aspire 5738 with Intel(R) Core(TM)2 Duo & Windows 7 x64.
Vulnerable Module(s):
[+] File Transfer Linux v2.2.0.35(Beta) to Windows v5.6.59.10 Client

Verified on OS:
[+] Windows 7 - x64

Type:
[+] Acer Aspire 5738

Processor:
[+] Intel(R) Core(TM)2 Duo - T6600 - 2x2.2 GHz

Affected OS version(s):
[+] Windows v5.6.59.10

Exploited via:
[+] Skype Linux v2.2.0.35(Beta)

--- Error Logs ---
Version=1
EventType=APPCRASH
EventTime=129649895429022825
ReportType=2
Consent=1
ReportIdentifier=d7d69494-07d7-11e1-be65-d0195a352fda
IntegratorReportIdentifier=d7d69493-07d7-11e1-be65-d0195a352fda
WOW64=1
Response.type=4
Sig[0].Name=Anwendungsname
Sig[0].Value=Skype.exe
Sig[1].Name=Anwendungsversion
Sig[1].Value=5.6.59.110
Sig[2].Name=Anwendungszeitstempel
Sig[2].Value=4e96c2e0
Sig[3].Name=Fehlermodulname
Sig[3].Value=Skype.exe
Sig[4].Name=Fehlermodulversion
Sig[4].Value=5.6.59.110
Sig[5].Name=Fehlermodulzeitstempel
Sig[5].Value=4e96c2e0
Sig[6].Name=Ausnahmecode
Sig[6].Value=c0000005
Sig[7].Name=Ausnahmeoffset
Sig[7].Value=00006042
DynamicSig[1].Name=Betriebsystemversion
DynamicSig[1].Value=6.1.7601.2.1.0.768.3
DynamicSig[2].Name=Gebietsschema-ID
DynamicSig[2].Value=1031
DynamicSig[22].Name=Zusatzinformation 1
DynamicSig[22].Value=aaf0
DynamicSig[23].Name=Zusatzinformation 2
DynamicSig[23].Value=aaf0453a0e76af1ce0b9b95636592246
DynamicSig[24].Name=Zusatzinformation 3
DynamicSig[24].Value=efcb
DynamicSig[25].Name=Zusatzinformation 4
DynamicSig[25].Value=efcb736472e70e914b41ac4f1d53e9e7
UI[2]=C:\Program Files (x86)\Skype\Phone\Skype.exe
UI[3]=Skype funktioniert nicht mehr
UI[4]=Windows kann online nach einer Lösung für das Problem suchen.
UI[5]=Online nach einer Lösung suchen und das Programm schließen
UI[6]=Später online nach einer Lösung suchen und das Programm schließen
UI[7]=Programm schließen
LoadedModule[0]=C:\Program Files (x86)\Skype\Phone\Skype.exe
LoadedModule[1]=C:\Windows\SysWOW64\ntdll.dll
LoadedModule[2]=C:\Windows\syswow64\kernel32.dll
LoadedModule[3]=C:\Windows\syswow64\KERNELBASE.dll
LoadedModule[4]=C:\Windows\syswow64\oleaut32.dll
...
LoadedModule[180]=C:\Windows\system32\wpdshext.dll
LoadedModule[181]=C:\Windows\system32\IconCodecService.dll
LoadedModule[182]=C:\Windows\SysWOW64\PhotoMetadataHandler.dll
LoadedModule[183]=C:\Windows\system32\dbghelp.dll
FriendlyEventName=Nicht mehr funktionsfähig
ConsentKey=APPCRASH
AppName=Skype
AppPath=C:\Program Files (x86)\Skype\Phone\Skype.exe
----------
Version=1
EventType=APPCRASH
EventTime=129685086822704807
ReportType=2
Consent=1
ReportIdentifier=7a5bbde2-27d9-11e1-9554-bcffd2dbaec5
IntegratorReportIdentifier=7a5bbde1-27d9-11e1-9554-bcffd2dbaec5
WOW64=1
Response.type=4
Sig[0].Name=Anwendungsname
Sig[0].Value=Skype.exe
Sig[1].Name=Anwendungsversion
Sig[1].Value=5.6.59.110
Sig[2].Name=Anwendungszeitstempel
Sig[2].Value=4e96c2e0
Sig[3].Name=Fehlermodulname
Sig[3].Value=KERNELBASE.dll
Sig[4].Name=Fehlermodulversion
Sig[4].Value=6.1.7601.17651
Sig[5].Name=Fehlermodulzeitstempel
Sig[5].Value=4e211319
Sig[6].Name=Ausnahmecode
Sig[6].Value=0eedfade
Sig[7].Name=Ausnahmeoffset
Sig[7].Value=0000b9bc
DynamicSig[1].Name=Betriebsystemversion
DynamicSig[1].Value=6.1.7601.2.1.0.768.3
DynamicSig[2].Name=Gebietsschema-ID
DynamicSig[2].Value=1031
DynamicSig[22].Name=Zusatzinformation 1
DynamicSig[22].Value=9c3f
DynamicSig[23].Name=Zusatzinformation 2
DynamicSig[23].Value=9c3f13414b612a2f01f04d72e638661d
DynamicSig[24].Name=Zusatzinformation 3
DynamicSig[24].Value=9593
DynamicSig[25].Name=Zusatzinformation 4
DynamicSig[25].Value=9593e76fac7cc42272b758abf7e20813
UI[2]=C:\Program Files (x86)\Skype\Phone\Skype.exe
UI[3]=Skype funktioniert nicht mehr
UI[4]=Windows kann online nach einer Lösung für das Problem suchen.
UI[5]=Online nach einer Lösung suchen und das Programm schließen
UI[6]=Später online nach einer Lösung suchen und das Programm schließen
UI[7]=Programm schließen
...
LoadedModule[151]=C:\Windows\system32\midimap.dll
LoadedModule[152]=C:\Windows\system32\windowscodecsext.dll
LoadedModule[153]=C:\Windows\System32\msxml6.dll
LoadedModule[154]=C:\Windows\system32\RICHED20.DLL
FriendlyEventName=Nicht mehr funktionsfähig
ConsentKey=APPCRASH
AppName=Skype
AppPath=C:\Program Files (x86)\Skype\Phone\Skype.exe
----------
Version=1
EventType=AppHangB1
EventTime=129654326637535437
ReportType=3
Consent=1
UploadTime=129654326746731683
ReportIdentifier=906ac8aa-0bdf-11e1-a657-b0833c3dd7a7
IntegratorReportIdentifier=906ac8ab-0bdf-11e1-a657-b0833c3dd7a7
WOW64=1
Response.type=4
Sig[0].Name=Anwendungsname
Sig[0].Value=Skype.exe
Sig[1].Name=Anwendungsversion
Sig[1].Value=5.6.59.110
Sig[2].Name=Anwendungszeitstempel
Sig[2].Value=4e96c2e0
Sig[3].Name=Absturzsignatur
Sig[3].Value=b5a1
Sig[4].Name=Absturztyp
Sig[4].Value=0
DynamicSig[1].Name=Betriebsystemversion
DynamicSig[1].Value=6.1.7601.2.1.0.768.3
DynamicSig[2].Name=Gebietsschema-ID
DynamicSig[2].Value=1031
DynamicSig[22].Name=Zusätzliche Absturzsignatur 1
DynamicSig[22].Value=b5a13949296de5a80b34b6b3ed655f0d
DynamicSig[23].Name=Zusätzliche Absturzsignatur 2
DynamicSig[23].Value=7686
DynamicSig[24].Name=Zusätzliche Absturzsignatur 3
DynamicSig[24].Value=7686072c74c9a617ba4768ad2d5f43fa
DynamicSig[25].Name=Zusätzliche Absturzsignatur 4
DynamicSig[25].Value=b5a1
DynamicSig[26].Name=Zusätzliche Absturzsignatur 5
DynamicSig[26].Value=b5a13949296de5a80b34b6b3ed655f0d
DynamicSig[27].Name=Zusätzliche Absturzsignatur 6
DynamicSig[27].Value=7686
DynamicSig[28].Name=Zusätzliche Absturzsignatur 7
DynamicSig[28].Value=7686072c74c9a617ba4768ad2d5f43fa
UI[3]=Skype reagiert nicht
UI[4]=Windows kann online nach einer Lösung suchen. Wenn Sie das Programm schließen, gehen ggf. Informationen verloren.
UI[5]=Online nach einer Lösung suchen und das Programm schließen
UI[6]=Online nach einer Lösung suchen und das Programm schließen
UI[7]=Programm schließen
LoadedModule[0]=C:\Program Files (x86)\Skype\Phone\Skype.exe
...
LoadedModule[150]=C:\Windows\system32\midimap.dll
LoadedModule[151]=C:\Windows\system32\RICHED20.DLL
LoadedModule[152]=C:\Windows\system32\dbghelp.dll
FriendlyEventName=Beendet und geschlossen.
ConsentKey=AppHangXProcB1
AppName=Skype
AppPath=C:\Program Files (x86)\Skype\Phone\Skype.exe
ReportDescription=Aufgrund eines Problems kann dieses Programm nicht mehr mit Windows kommunizieren.

Picture(s):
../1.png
../2.png
../3.png
../4.png
../5.png
../6.png
../7.png
../8.png
../9.png
../10.png

Proof of Concept:
=================
The vulnerability can be exploited by remote attackers with low required user interaction (accept). Successful exploitation requires the target user to accept a file transfer (user interaction) or to receive messages & information.

For demonstration or reproduction ...

Manually ...
=> Install the Skype Linux v2.2.0.35(Beta) software
=> Log in to Skype Linux v2.2.0.35(Beta)
=> Choose a user from your list with a Windows v5.6.59.10 x64 client on an Acer Aspire 5738
=> Send the file or start a text conversation to the Skype v5.6.59.10 client on the Windows 7 x64 Acer Aspire 5738
=> Results in a stable memory corruption!

Note: Successful exploitation results in a software and context freeze/crash plus an exception message (read/write violation). We reproduced the bug in 4 of 11 sendings on 2 different Windows 7 (x64) systems. We tested the issue on 2 notebooks of the same type: Acer Aspire 5738, Intel(R) Core(TM)2 Duo (T6600 - 2x2.2 GHz), x64 Windows 7.
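The advisory's evidence consists of Windows Error Reporting (WER) records like the ones in the Error Logs section, two APPCRASH reports and one AppHangB1 report. As an added example (not part of the original advisory), the Python below parses that key=value format and triages a record: for APPCRASH it reads the signature by position (Sig[0] application, Sig[3] faulting module, Sig[6] exception code, Sig[7] offset, the same positions the German-localized Name fields above occupy), names the NTSTATUS code so the c0000005 in Skype.exe is recognised as an access violation, and flags whether the fault lies in the application's own image rather than a system DLL. The sample records are constructed from the advisory's field values and trimmed.

```python
import re
# Constructed samples, trimmed from the WER records quoted in the advisory
# (German field names because the reporting machine used locale 1031).
SAMPLE_APPCRASH = """\
EventType=APPCRASH
Sig[0].Name=Anwendungsname
Sig[0].Value=Skype.exe
Sig[3].Name=Fehlermodulname
Sig[3].Value=Skype.exe
Sig[6].Name=Ausnahmecode
Sig[6].Value=c0000005
Sig[7].Name=Ausnahmeoffset
Sig[7].Value=00006042
"""
SAMPLE_HANG = """\
EventType=AppHangB1
Sig[0].Name=Anwendungsname
Sig[0].Value=Skype.exe
"""

# NTSTATUS exception codes a crash triager recognises on sight.
EXCEPTION_NAMES = {"c0000005": "STATUS_ACCESS_VIOLATION",
                   "c00000fd": "STATUS_STACK_OVERFLOW",
                   "c0000374": "STATUS_HEAP_CORRUPTION"}

def parse_wer(text):
    """Split a WER record into plain keys and Sig[n].Value entries by index."""
    fields, sigs = {}, {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        m = re.fullmatch(r"Sig\[(\d+)\]\.Value", key)
        if m:
            sigs[int(m.group(1))] = value
        elif sep and not key.startswith("Sig["):
            fields[key] = value
    return fields, sigs

def triage(text):
    """Summarise one record; APPCRASH Sig positions are fixed across locales."""
    fields, sigs = parse_wer(text)
    out = {"event": fields.get("EventType"), "app": sigs.get(0)}
    if out["event"] != "APPCRASH":
        out["exception"] = None  # hang records carry no exception code
        return out
    code = sigs.get(6, "").lower()
    out.update(fault_module=sigs.get(3), offset=sigs.get(7),
               exception=EXCEPTION_NAMES.get(code, "unrecognised 0x" + code))
    # A fault inside the application's own image, not a system DLL, is the
    # record that warrants a debugger session rather than a "known hang" label.
    out["fault_in_app"] = out["fault_module"] == out["app"]
    return out
```

Run against the second report above, the non-NTSTATUS code 0eedfade in KERNELBASE.dll comes back as unrecognised with fault_in_app False, which separates it from the first report's access violation inside Skype.exe.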
Reference(s):
../AppCrash_Skype.exe_d5e2d03b37d849b583abbbf2629dce65e18f70_2056ac14
../AppCrash_Skype.exe_d5e2d03b37d849b583abbbf2629dce65e18f70_15c9ffad
../AppHang_Skype.exe_875f53822d85cc7ef3b7ee45a91220cfa96f2093_158aef59
../AppCrash_Skype.exe_aba333e0633c88bbbcd3934580eb7d3ddde7f5fb_0ba0367c
../debug-20111026-2046.trace.txt
../debug-20111102-1530.log
../Skype.DMP

Attack Scheme(s):
../skype(memory2).png

Risk:
=====
The security risk of the remote corruption vulnerability is estimated as high(-).

Credits:
========
Vulnerability Research Laboratory - Benjamin Kunz Mejri (Rem0ve) & Alexander Fuchs (f0x23)

Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply. Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability-Lab. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab or its suppliers.

Copyright © 2012 | Vulnerability-Lab

--
Website: www.vulnerability-lab.com ; vuln-lab.com or vuln-db.com
Contact: admin@vulnerability-lab.com or support@vulnerability-lab.com