Www.edup.tudelft.nl/~bjwever/advisory skype.html.php

From Skypher

Warning
This information is copied from my old webpage @ http://www.edup.tudelft.nl/~bjwever. Some or all of it may be outdated and incorrect. The only thing close to any guarantee that I can give about the contents of this page is that it is very likely to be chock-full of spelling errors.

Skype callto:// URI handler BoF remote compromise

Vulnerability

Skype reported they've found a remotely exploitable buffer overflow (BoF) in the callto:// URI handler.

The buffer overflow happens when a Skype user clicks a "callto://username" link whose username is longer than 4096 characters and does not exist: an error message is created and put into a buffer without correct size checks. The error message and the buffer are Unicode, but Unicode characters are filtered out and replaced with '?'; only printable ASCII characters seem to get through. Both a return address and the SEH handler can be overwritten. Exploitation is complicated by the fact that return addresses have to be in the range 0x00??00??.

Web browsers like MSIE do not support URIs long enough to trigger the overflow. To exploit it, one could send a Skype user a callto:// link in a private message and trick him/her into clicking it.

If one wanted to, one could write a Skype worm with this. User interaction would be required: the victim would have to click the link.
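The root cause described above is an error message formatted into a fixed-size buffer with no length check. The following C is an added illustration written for this page, not Skype's code: the unbounded pattern beside a hardened version that rejects over-long usernames, replaces non-printable or non-ASCII bytes with '?' as the page says the real handler does, and uses a bounded write. The buffer size, the 256-character username limit and the message text are constructed assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sizes for illustration: the advisory says the overflow needs a
 * username longer than 4096 characters, so 4096 is used as the buffer size;
 * the 256-character username limit is a made-up policy, not from the page. */
#define ERRBUF_SIZE  4096
#define MAX_USERNAME 256

/* Vulnerable pattern (illustration only, never called): the error text is
 * formatted into a fixed-size stack buffer with no length check, so a
 * username longer than the buffer overwrites whatever follows it. */
void unsafe_user_not_found(const char *username) {
    char msg[ERRBUF_SIZE];
    sprintf(msg, "User %s does not exist", username); /* unbounded write */
    (void)msg;
}

/* Hardened version: length check first, then a bounded write.
 * Returns 0 on success, -1 if the input is rejected or would not fit. */
int safe_user_not_found(const char *username, char *out, size_t out_len) {
    size_t n = strlen(username);
    if (n > MAX_USERNAME)          /* 1. refuse over-long input up front */
        return -1;
    /* 2. Replace anything that is not printable ASCII with '?', mirroring
     *    what the page says the real handler does with non-ASCII input. */
    char clean[MAX_USERNAME + 1];
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)username[i];
        clean[i] = (c >= 0x20 && c < 0x7f) ? (char)c : '?';
    }
    clean[n] = '\0';
    /* 3. snprintf never writes more than out_len bytes; a return value of
     *    out_len or more means the message would have been truncated. */
    int w = snprintf(out, out_len, "User %s does not exist", clean);
    if (w < 0 || (size_t)w >= out_len)
        return -1;
    return 0;
}

int main(void) {
    char buf[ERRBUF_SIZE];
    if (safe_user_not_found("alice", buf, sizeof buf) == 0)
        puts(buf);                 /* User alice does not exist */
    return 0;
}
```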

Affected versions

The problem exists in Skype 1.0.0.* prior to 1.0.0.100.

Patch

Available at the vendor's website.
