Skype v5.6.59.x - Memory Corruption Vulnerability
2012-02-17
http://www.vulnerability-lab.com/get_content.php?id=315
315
Skype is a software application that allows users to make voice and video calls and chats over the Internet. Calls to other users within the
Skype service are free, while calls to both traditional landline telephones and mobile phones can be made for a fee using a debit-based
user account system. Skype has also become popular for its additional features which include instant messaging, file transfer, and
videoconferencing. Skype has 663 million registered users as of 2010. The network is operated by Skype Limited, which has its headquarters
in Luxembourg. Most of the development team and 44% of the overall employees of Skype are situated in the offices of Tallinn and Tartu, Estonia.
(Copy of the Vendor Homepage: http://en.wikipedia.org/wiki/Skype)
The Vulnerability-Lab Team discovered a remote memory corruption vulnerability in Skype v5.6.59.x for Windows 7 x64 on an Acer Aspire 5738.
2011-11-07: Vendor Notification
2011-11-09: Vendor Response/Feedback
2011--: Vendor Fix/Patch
2012-02-17: Public or Non-Public Disclosure
Published
Remote
High
A memory corruption vulnerability was detected in the Windows client v5.6.59.10 (x64) of the Skype software. The bug is located in
the software's handling of specially crafted transfers/communication processes from a Linux v2.2.0.35 (Beta) client to a
Windows v5.6.59.10 client. The vulnerability allows the Linux client user to remotely crash the Windows client, which freezes
during the transfer. Code execution via the access violation (read/write) is not possible. The bug is only exploitable on an Acer Aspire 5738
with an Intel(R) Core(TM)2 Duo and Windows 7 x64.
Vulnerable Module(s):
[+] File Transfer Linux v2.2.0.35(Beta) to Windows v5.6.59.10 Client
Verified on OS:
[+] Windows 7 - x64
Hardware type:
[+] Acer Aspire 5738
Processor:
[+] Intel(R) Core(TM)2 Duo - T6600 - 2x2.2 GHz
Affected OS version(s):
[+] Windows v5.6.59.10
Exploited via:
[+] Skype Linux v2.2.0.35(Beta)
Version=1
EventType=AppHangB1
EventTime=129654326637535437
ReportType=3
Consent=1
UploadTime=129654326746731683
ReportIdentifier=906ac8aa-0bdf-11e1-a657-b0833c3dd7a7
IntegratorReportIdentifier=906ac8ab-0bdf-11e1-a657-b0833c3dd7a7
WOW64=1
Response.type=4
Sig[0].Name=Anwendungsname
Sig[0].Value=Skype.exe
Sig[1].Name=Anwendungsversion
Sig[1].Value=5.6.59.110
Sig[2].Name=Anwendungszeitstempel
Sig[2].Value=4e96c2e0
Sig[3].Name=Absturzsignatur
Sig[3].Value=b5a1
Sig[4].Name=Absturztyp
Sig[4].Value=0
DynamicSig[1].Name=Betriebsystemversion
DynamicSig[1].Value=6.1.7601.2.1.0.768.3
DynamicSig[2].Name=Gebietsschema-ID
DynamicSig[2].Value=1031
DynamicSig[22].Name=Zusätzliche Absturzsignatur 1
DynamicSig[22].Value=b5a13949296de5a80b34b6b3ed655f0d
DynamicSig[23].Name=Zusätzliche Absturzsignatur 2
DynamicSig[23].Value=7686
DynamicSig[24].Name=Zusätzliche Absturzsignatur 3
DynamicSig[24].Value=7686072c74c9a617ba4768ad2d5f43fa
DynamicSig[25].Name=Zusätzliche Absturzsignatur 4
DynamicSig[25].Value=b5a1
DynamicSig[26].Name=Zusätzliche Absturzsignatur 5
DynamicSig[26].Value=b5a13949296de5a80b34b6b3ed655f0d
DynamicSig[27].Name=Zusätzliche Absturzsignatur 6
DynamicSig[27].Value=7686
DynamicSig[28].Name=Zusätzliche Absturzsignatur 7
DynamicSig[28].Value=7686072c74c9a617ba4768ad2d5f43fa
UI[3]=Skype reagiert nicht
UI[4]=Windows kann online nach einer Lösung suchen. Wenn Sie das Programm schließen, gehen ggf. Informationen verloren.
UI[5]=Online nach einer Lösung suchen und das Programm schließen
UI[6]=Online nach einer Lösung suchen und das Programm schließen
UI[7]=Programm schließen
LoadedModule[0]=C:\Program Files (x86)\Skype\Phone\Skype.exe
… … … …
LoadedModule[150]=C:\Windows\system32\midimap.dll
LoadedModule[151]=C:\Windows\system32\RICHED20.DLL
LoadedModule[152]=C:\Windows\system32\dbghelp.dll
FriendlyEventName=Beendet und geschlossen.
ConsentKey=AppHangXProcB1
AppName=Skype
AppPath=C:\Program Files (x86)\Skype\Phone\Skype.exe
ReportDescription=Aufgrund eines Problems kann dieses Programm nicht mehr mit Windows kommunizieren.
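The block above is a Windows Error Reporting (WER) AppHang record. When triaging a batch of such reports (for example to confirm that the 4-of-11 reproductions below all land in the same bucket), it helps to parse the Sig[n]/DynamicSig[n] Name/Value pairs by index and decode the two timestamps. The following parser is an added example written for this page, not code from the advisory or from Vulnerability-Lab; the sample input is a subset of the report quoted above with the same values, the German-to-key label table is an assumed mapping (WER localises the Sig names), and the "bucket" key is a local correlation convention, not WER's own bucket id.

```python
"""Parse a Windows Error Reporting (WER) AppHang/AppCrash record into a triage summary."""
import re
from datetime import datetime, timedelta, timezone

# Sample input: a subset of the WER report quoted in the advisory above, same values;
# the full record has ~150 LoadedModule entries, which are elided here.
SAMPLE_WER = r"""Version=1
EventType=AppHangB1
EventTime=129654326637535437
ReportType=3
WOW64=1
Sig[0].Name=Anwendungsname
Sig[0].Value=Skype.exe
Sig[1].Name=Anwendungsversion
Sig[1].Value=5.6.59.110
Sig[2].Name=Anwendungszeitstempel
Sig[2].Value=4e96c2e0
Sig[3].Name=Absturzsignatur
Sig[3].Value=b5a1
Sig[4].Name=Absturztyp
Sig[4].Value=0
DynamicSig[1].Name=Betriebsystemversion
DynamicSig[1].Value=6.1.7601.2.1.0.768.3
DynamicSig[2].Name=Gebietsschema-ID
DynamicSig[2].Value=1031
DynamicSig[22].Name=Zusätzliche Absturzsignatur 1
DynamicSig[22].Value=b5a13949296de5a80b34b6b3ed655f0d
LoadedModule[0]=C:\Program Files (x86)\Skype\Phone\Skype.exe
LoadedModule[150]=C:\Windows\system32\midimap.dll
LoadedModule[151]=C:\Windows\system32\RICHED20.DLL
LoadedModule[152]=C:\Windows\system32\dbghelp.dll
AppName=Skype
AppPath=C:\Program Files (x86)\Skype\Phone\Skype.exe
"""

# German WER labels seen in the report mapped to locale-independent keys.
# Assumed translations: WER localises Sig names, so keying on the raw label is brittle.
LABELS = {
    "Anwendungsname": "app_name",
    "Anwendungsversion": "app_version",
    "Anwendungszeitstempel": "app_timestamp",
    "Absturzsignatur": "signature",
    "Absturztyp": "signature_type",
    "Betriebsystemversion": "os_version",
    "Gebietsschema-ID": "locale_id",
    "Zusätzliche Absturzsignatur 1": "extra_signature_1",
}

SIG_RE = re.compile(r"^(Sig|DynamicSig)\[(\d+)\]\.(Name|Value)$")
MODULE_RE = re.compile(r"^LoadedModule\[(\d+)\]$")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
FMT = "%Y-%m-%d %H:%M:%S"


def filetime_to_utc(ft):
    """WER EventTime is a FILETIME: 100-ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=int(ft) // 10)


def pe_timestamp_to_utc(hexstamp):
    """The application timestamp is the PE header TimeDateStamp (Unix seconds, hex)."""
    return datetime.fromtimestamp(int(hexstamp, 16), tz=timezone.utc)


def parse_wer(text):
    """Return {'fields', 'sig', 'dynsig', 'modules'}; Sig[n].Name/Value are paired by index."""
    report = {"fields": {}, "sig": {}, "dynsig": {}, "modules": {}}
    pending = {"Sig": {}, "DynamicSig": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        m = SIG_RE.match(key)
        if m:
            kind, idx, part = m.group(1), int(m.group(2)), m.group(3)
            pending[kind].setdefault(idx, {})[part] = value
            continue
        m = MODULE_RE.match(key)
        if m:
            report["modules"][int(m.group(1))] = value
            continue
        report["fields"][key] = value
    for kind, target in (("Sig", "sig"), ("DynamicSig", "dynsig")):
        for idx in sorted(pending[kind]):
            parts = pending[kind][idx]
            if "Name" in parts and "Value" in parts:  # drop unpaired halves
                report[target][parts["Name"]] = parts["Value"]
    return report


def triage(report):
    """Flatten a parsed report into the fields an analyst uses to group repeat reports."""
    labelled = {}
    for src in ("sig", "dynsig"):
        for name, value in report[src].items():
            labelled[LABELS.get(name, name)] = value
    fields = report["fields"]
    event_type = fields.get("EventType", "")
    event_time = fields.get("EventTime")
    build_stamp = labelled.get("app_timestamp")
    return {
        "event_type": event_type,
        "is_hang": event_type.startswith("AppHang"),
        "app": labelled.get("app_name"),
        "version": labelled.get("app_version"),
        "wow64": fields.get("WOW64") == "1",  # 32-bit process on 64-bit Windows
        "os_version": labelled.get("os_version"),
        "event_time_utc": filetime_to_utc(event_time).strftime(FMT) if event_time else None,
        "build_time_utc": pe_timestamp_to_utc(build_stamp).strftime(FMT) if build_stamp else None,
        # Local correlation key (short signature + first extra hash), not WER's bucket id.
        "bucket": "{}:{}".format(labelled.get("signature"), labelled.get("extra_signature_1")),
        "module_count": len(report["modules"]),
        "main_module": report["modules"].get(0),
    }


if __name__ == "__main__":
    for k, v in triage(parse_wer(SAMPLE_WER)).items():
        print("{:16} {}".format(k, v))
```

Run as-is it prints the summary for the embedded sample; point `parse_wer` at the contents of a `Report.wer` file to triage a real report. The decoded timestamps show the event was recorded on 2011-11-10 UTC and that the hanging Skype.exe was linked on 2011-10-13 UTC, which is the kind of cross-check worth doing before accepting that several reports describe the same build.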
Picture(s):
…/1.png
…/2.png
…/3.png
…/4.png
…/5.png
…/6.png
…/7.png
…/8.png
…/9.png
…/10.png
The vulnerability can be exploited by remote attackers with little required user interaction (accept).
Successful exploitation requires the victim to accept a file transfer (user interaction) or to receive messages & information.
For demonstration or to reproduce …
Manually …
=> Install the Skype Linux v2.2.0.35 (Beta) software
=> Log in to Skype Linux v2.2.0.35 (Beta)
=> Choose a user from your list who runs the Windows v5.6.59.10 x64 client on an Acer Aspire 5738
=> Send the file or start a text conversation to the Skype v5.6.59.10 client on a Windows 7 x64 user client with an Acer Aspire 5738
=> Results in a stable memory corruption!
Note:
Successful exploitation results in a software and context freeze/crash plus an exception message (access violation read/write).
We reproduced the bug in 4 of 11 transfers, on 2 different Windows 7 (x64) systems.
We tested the issue on 2 notebooks of the same type: Acer Aspire 5738, Intel(R) Core(TM)2 Duo (T6600, 2x2.2 GHz), Windows 7 x64.
Reference(s):
…/AppCrash_Skype.exe_d5e2d03b37d849b583abbbf2629dce65e18f70_2056ac14
…/AppCrash_Skype.exe_d5e2d03b37d849b583abbbf2629dce65e18f70_15c9ffad
…/AppHang_Skype.exe_875f53822d85cc7ef3b7ee45a91220cfa96f2093_158aef59
…/AppCrash_Skype.exe_aba333e0633c88bbbcd3934580eb7d3ddde7f5fb_0ba0367c
…/debug-20111026-2046.trace.txt
…/debug-20111102-1530.log
…/Skype.DMP
Attack Scheme(s):
…/skype(memory2).png
The security risk of the remote memory corruption vulnerability is estimated as high(-).
Vulnerability Research Laboratory - Benjamin Kunz Mejri (Rem0ve) & Alexander Fuchs (f0x23)
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability-
Lab. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of
other media, are reserved by Vulnerability-Lab or its suppliers.
Copyright © 2012|Vulnerability-Lab
–
Website: www.vulnerability-lab.com ; vuln-lab.com or vuln-db.com
Contact: [email protected] or [email protected]