Document Title:
===============
Skype v5.3.x - Transfer Buffer Overflow Vulnerability x64

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=183

Release Date:
=============
2011-10-15

Vulnerability Laboratory ID (VL-ID):
====================================
183

Product & Service Introduction:
===============================
Skype is a free VoIP software with instant-messaging functions, file transfer and video telephony that uses a
proprietary protocol. It allows free calls between Skype customers via the Internet as well as chargeable calls to
landlines and mobile phones (SkypeOut). Internet calls with customers of other providers are not possible. The
likewise chargeable SkypeIn service makes it possible to receive calls from the conventional telephone network as
well; such online numbers can be bought for 25 countries without being physically present in those countries,
although legally it is usually necessary to have a residence there (e.g. Germany). In the current version for
Windows and Mac, conference calls with up to 25 participants are possible.

(Copy of the Vendor Homepage: http://de.wikipedia.org/wiki/Skype)

Abstract Advisory Information:
==============================
The Vulnerability-Lab team discovered a stable remote buffer overflow vulnerability in Skype's software v5.3.x for Windows 7.

Vulnerability Disclosure Timeline:
==================================
2011-06-08:	Vendor Notification
2011-06-09:	Vendor Response/Feedback
2011-09-17:	Vendor reproduction not successful!
2011-10-16:	Public or Non-Public Disclosure

Discovery Status:
=================
Published

Affected Product(s):
====================
Microsoft Corp.
Product: Skype - Software Client 5.5.0.113

Exploitation Technique:
=======================
Remote

Severity Level:
===============
High

Technical Details & Description:
================================
A buffer overflow vulnerability has been detected in the Windows version of Skype. The bug comes up when transferring
files out of an unavailable stand-by mode on the system. Exploitation of the buffer overflow vulnerability allows a
connected remote attacker to gain privileges on the affected vulnerable system.

Vulnerable Module(s):
				[+] Data Transfer from unavailable Stand-by mode

Vulnerable OS:
				[+] Windows (x64)

Affected Version(s):
				Windows v5.3.0.120 & older versions

Picture(s):
				../1.png
				../2.png
				../3.png

Proof of Concept (PoC):
=======================
The vulnerability can be exploited by local & remote attackers with user interaction.
For demonstration or reproduce ...

Technique(s):
	=> Install
	=> Login
	=> Startup Data Transfer with user
	=> Switch to Unavailable Mode
	=> Stand-by Mode
	=> Restart
	=> BEX - Buffer Overflow

Manually reproduce ...
1. Install Skype Software
2. Register an Account
3. Login to your Skype
4. Startup a transfer to your partner with any file
5. Switch to Unavailable Mode on Skype
6. Start your debugger on Skype to catch the exception
7. Go to the Stand-by mode of Windows
8. Restart from stand-by and login to your system
9. Multiple unhandled BEX (buffer overflow) & APPCrash exceptions get dropped by Skype & the software crashes
10. Check debugger & enjoy the bof ...
--- Exception Logs ---

Problemsignatur:
Problemereignisname:	BEX
Anwendungsname:	Skype.exe
Anwendungsversion:	5.1.0.112
Anwendungszeitstempel:	4d4037c2
Fehlermodulname:	StackHash_e98d
Fehlermodulversion:	0.0.0.0
Fehlermodulzeitstempel:	00000000
Ausnahmeoffset:	00000000
Ausnahmecode:	c0000005
Ausnahmedaten:	00000008
Betriebsystemversion:	6.1.7600.2.0.0.768.3
Gebietsschema-ID:	1031
Zusatzinformation 1:	e98d
Zusatzinformation 2:	e98dfca8bcf81bc1740adb135579ad53
Zusatzinformation 3:	6eab
Zusatzinformation 4:	6eabdd9e0dc94904be3b39a1c0583635

--- Report Logs ---

Version=1
EventType=BEX
EventTime=129435565109889129
ReportType=2
Consent=1
ReportIdentifier=2d471dfd-44e9-11e0-bd06-88112c285467
IntegratorReportIdentifier=2d471dfc-44e9-11e0-bd06-88112c285467
WOW64=1
Response.type=4
Sig[0].Name=Anwendungsname
Sig[0].Value=Skype.exe
Sig[1].Name=Anwendungsversion
Sig[1].Value=5.1.0.112
Sig[2].Name=Anwendungszeitstempel
Sig[2].Value=4d4037c2
Sig[3].Name=Fehlermodulname
Sig[3].Value=StackHash_e98d
Sig[4].Name=Fehlermodulversion
Sig[4].Value=0.0.0.0
Sig[5].Name=Fehlermodulzeitstempel
Sig[5].Value=00000000
Sig[6].Name=Ausnahmeoffset
Sig[6].Value=00000000
Sig[7].Name=Ausnahmecode
Sig[7].Value=c0000005
Sig[8].Name=Ausnahmedaten
Sig[8].Value=00000008
DynamicSig[1].Name=Betriebsystemversion
DynamicSig[1].Value=6.1.7600.2.0.0.768.3
DynamicSig[2].Name=Gebietsschema-ID
DynamicSig[2].Value=1031
DynamicSig[22].Name=Zusatzinformation 1
DynamicSig[22].Value=e98d
DynamicSig[23].Name=Zusatzinformation 2
DynamicSig[23].Value=e98dfca8bcf81bc1740adb135579ad53
DynamicSig[24].Name=Zusatzinformation 3
DynamicSig[24].Value=6eab
DynamicSig[25].Name=Zusatzinformation 4
DynamicSig[25].Value=6eabdd9e0dc94904be3b39a1c0583635
UI[2]=C:\Program Files (x86)\Skype\Phone\Skype.exe
UI[3]=Skype funktioniert nicht mehr
UI[4]=Windows kann online nach einer Lösung für das Problem suchen.
UI[5]=Online nach einer Lösung suchen und das Programm schließen
UI[6]=Später online nach einer Lösung suchen und das Programm schließen
UI[7]=Programm schließen
LoadedModule[0]=C:\Program Files (x86)\Skype\Phone\Skype.exe
LoadedModule[1]=C:\Windows\SysWOW64\ntdll.dll
...
...
...
...
LoadedModule[152]=C:\Windows\SysWOW64\DCIMAN32.dll
LoadedModule[153]=C:\Windows\SysWOW64\Dxtmsft.dll
LoadedModule[154]=C:\Windows\system32\D3DIM700.DLL
LoadedModule[155]=C:\Windows\system32\RICHED20.DLL
FriendlyEventName=Nicht mehr funktionsfähig
ConsentKey=BEX
AppName=Skype
AppPath=C:\Program Files (x86)\Skype\Phone\Skype.exe

Analyse(s):
			../AppCrash_Skype.exe_4a492d693dcf1f3150dab2f35a8de59b6675a845_114a483f
			../AppCrash_Skype.exe_627b3b712c7d99642dd448ada8f523c35904985_10327fba
			../AppCrash_Skype.exe_b3bfe07146a37ad586c5d73ed28f6055d48e7d_14a9921f

Security Risk:
==============
The security risk of the remote buffer overflow vulnerability is estimated as high(-) because of the system-specific
nature of the exploitation.

Credits & Authors:
==================
Vulnerability Research Laboratory - Benjamin Kunz Mejri (Rem0ve)

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all
warranties, either expressed or implied, including the warranties of merchantability and capability for a particular
purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect,
incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have
been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody
to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.
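Added example, not part of the original advisory or of Vulnerability-Lab's material: a Python script that parses a Windows Error Reporting (WER) report in the key=value form quoted in the Report Logs above and classifies the crash signature the way an incident responder would when triaging such a crash. It assumes the Sig[] layout of a BEX report exactly as in that report (index 0 application name, 1 version, 3 fault module, 6 exception offset, 7 exception code, 8 exception data); the embedded sample is constructed by trimming the page's own report. The interpretation of the exception data for STATUS_ACCESS_VIOLATION (0 read, 1 write, 8 execute, i.e. a DEP/NX violation) and of the StackHash_ pseudo-module (faulting address maps to no loaded image) is background knowledge, not something the advisory states.

```python
import re

# Constructed sample: the fields of the WER report quoted in the advisory above,
# trimmed to what the triage below needs.
SAMPLE_REPORT = """Version=1
EventType=BEX
WOW64=1
Sig[0].Name=Anwendungsname
Sig[0].Value=Skype.exe
Sig[1].Name=Anwendungsversion
Sig[1].Value=5.1.0.112
Sig[3].Name=Fehlermodulname
Sig[3].Value=StackHash_e98d
Sig[6].Name=Ausnahmeoffset
Sig[6].Value=00000000
Sig[7].Name=Ausnahmecode
Sig[7].Value=c0000005
Sig[8].Name=Ausnahmedaten
Sig[8].Value=00000008
DynamicSig[1].Name=Betriebsystemversion
DynamicSig[1].Value=6.1.7600.2.0.0.768.3
"""

# Sig[] positions for a BEX report as laid out in the report above (assumption:
# other event types order these fields differently). The .Name strings are
# localized (German here), so fields are keyed by position, not by name.
BEX_SIG_LAYOUT = {
    0: "app_name",
    1: "app_version",
    3: "fault_module",
    6: "exception_offset",
    7: "exception_code",
    8: "exception_data",
}

_KV = re.compile(r"^([^=]+)=(.*)$")
_SIG_VALUE = re.compile(r"^Sig\[(\d+)\]\.Value$")


def parse_wer_report(text):
    """Extract the triage-relevant fields from a WER key=value report."""
    fields = {}
    for line in text.splitlines():
        m = _KV.match(line.strip())
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        sig = _SIG_VALUE.match(key)
        if sig:
            name = BEX_SIG_LAYOUT.get(int(sig.group(1)))
            if name:
                fields[name] = value
        elif key in ("EventType", "WOW64"):
            fields[key] = value
    return fields


STATUS_ACCESS_VIOLATION = 0xC0000005
# ExceptionInformation[0] of an access violation: 0 = read, 1 = write,
# 8 = instruction fetch from non-executable memory (DEP/NX violation).
AV_KIND = {0: "read", 1: "write", 8: "execute (DEP/NX violation)"}


def triage(fields):
    """Decide whether the crash looks like a memory-safety fault worth deeper analysis."""
    code = int(fields.get("exception_code", "0"), 16)
    data = int(fields.get("exception_data", "0"), 16)
    module = fields.get("fault_module", "")
    reasons = []
    access_kind = None
    if code == STATUS_ACCESS_VIOLATION:
        access_kind = AV_KIND.get(data, "unknown(%d)" % data)
        reasons.append("STATUS_ACCESS_VIOLATION, access kind: " + access_kind)
    if fields.get("EventType") == "BEX":
        reasons.append("WER event type BEX (buffer-overrun / DEP exception)")
    if module.startswith("StackHash_"):
        reasons.append("faulting address maps to no loaded module (StackHash_ pseudo-module)")
    # Rule: an access violation that is an execute fault, or that WER already
    # labelled BEX, or whose faulting address lies outside every image, is a
    # memory-safety suspect. A plain read fault inside a normal module is not.
    suspect = code == STATUS_ACCESS_VIOLATION and (
        data == 8 or fields.get("EventType") == "BEX" or module.startswith("StackHash_")
    )
    return {
        "app": "%s %s" % (fields.get("app_name", "?"), fields.get("app_version", "?")),
        "wow64": fields.get("WOW64") == "1",
        "access_kind": access_kind,
        "memory_safety_suspect": suspect,
        "reasons": reasons,
    }


if __name__ == "__main__":
    for key, value in triage(parse_wer_report(SAMPLE_REPORT)).items():
        print("%-22s %s" % (key, value))
```

Run against the page's report the script reports a 32-bit Skype.exe under WOW64 that hit an execute-type access violation at an address belonging to no loaded module, which is exactly the combination that makes a BEX crash report worth a debugger session rather than a dismissal as an ordinary application crash.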
Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       - www.vulnerability-lab.com/register
Contact:    admin@vulnerability-lab.com 	- support@vulnerability-lab.com 	       - research@vulnerability-lab.com
Section:    video.vulnerability-lab.com 	- forum.vulnerability-lab.com 		       - news.vulnerability-lab.com
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       - youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php 	- vulnerability-lab.com/rss/rss_upcoming.php   - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partial usages, of this file requires authorization from Vulnerability
Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights,
including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts,
advisories, sourcecode, videos and other information on this website is trademark of vulnerability-lab team & the
specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.

    				   	Copyright © 2012 | Vulnerability Laboratory