

Topic created on: November 10, 2005 09:04 CST by dendler.
A brief binary analysis of Skype:
http://www.ossir.org/windows/supports/2005/2005-11-07/EADS-CCR_Fabrice_Skype.pdf
Has anyone else taken any time to look into Skype?
I've recently been looking into the vCard and the related callto:// vulnerabilities reported alongside the EADS-CCR's good work.
http://www.skype.com/security/skype-sb-2005-02.html
Filemon shows the only relevant file created by Skype is C:\Program Files\Skype\Phone\Skype.exe.
Because of details in the updated credits section of that vulnerability, I think the two 'limbs' of that flaw are pretty closely related.
"This bug was referred to SKY-CERT by an external referrer, Mark Litchfield of Next Generation Security Software (NGSS), who did the research concerning VCARD importation. Based on this, Mark Rowe of Pentest Limited identified the same bug as it related to long URL handling."
Now that led me to think of what user-supplied data is entered by both a vCard and the callto:// links. In addition, the advisory also refers to the earlier callto:// vulnerability that was caused by a long string of letters.
However, they state:
"(formerly numbered as SSA-2004-01), but was not caused by a reintroduction of the previously fixed source code."
Now that led me to believe that it could very well lie in the introduction of SkypeOut, fully qualified national numbers (i.e. normal phone numbers). Skype has introduced the ability to use callto://+619999999 since the last vulnerability in something similar to callto://aaaa..../.
I've already manually fuzzed portions of the vCard format (i.e. TEL;HOME:, TEL;MOBILE:, etc. and a few of the introduced X-SKYPE-USERNAME, URL, X-SKYPE-BUDDYSTATUS) with no success. I might try a process_stalker run on the two patched and unpatched Skype binaries I have, but it could be harder than the walkthrough, as we can't use Ethereal.
I also tried using the old Firefox malformed vCard and Outlook vCard exploits, but it's not the same bug, nor imported code that is affecting Skype.
I've got some further paths I'm looking into, but they are pretty haphazard just now, and I haven't pulled out a succinct summary. Is there anyone else working on these bugs?
Some useful resources:
O'Reilly Skype Hacks
Skype Security Evaluation
Skype vCard Summary
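As an added example (not the poster's code), here is the kind of input check a hardened vCard importer would run over the properties named in the post: it parses the NAME;PARAM:value lines, flags any value over a length cap, and rejects callto: targets that are neither a SkypeOut-style number nor a username-shaped token. The sample vCard, the 128-character cap and the callto pattern are all constructed assumptions.

```python
import re

# Constructed sample vCard (not from the post): the Skype extension properties the
# post names, a SkypeOut-style callto target, and one over-long TEL value.
SAMPLE_VCARD = (
    "BEGIN:VCARD\r\n"
    "VERSION:2.1\r\n"
    "N:Doe;Jane\r\n"
    "TEL;HOME:+61299999999\r\n"
    "TEL;MOBILE:" + "9" * 300 + "\r\n"
    "X-SKYPE-USERNAME:jane.doe\r\n"
    "X-SKYPE-BUDDYSTATUS:2\r\n"
    "URL:callto://+619999999\r\n"
    "END:VCARD\r\n"
)

MAX_VALUE_LEN = 128  # hypothetical cap a hardened importer would enforce per property value

# A callto: target is either an E.164-style number (optional +, 3-15 digits) or a
# Skype-name-shaped token; anything else (e.g. a long run of letters) is rejected.
CALLTO_RE = re.compile(r"^callto:(?://)?(?:\+?\d{3,15}|[A-Za-z][A-Za-z0-9._-]{5,31})$")


def parse_vcard(text):
    """Split a vCard into (NAME, [PARAMS], value) tuples from 'NAME;PARAM;...:value' lines."""
    props = []
    for line in text.splitlines():
        if ":" not in line:
            continue
        head, value = line.split(":", 1)
        name, *params = head.split(";")
        props.append((name.upper(), [p.upper() for p in params], value))
    return props


def check_vcard(text):
    """Return findings for values an importer should refuse: over-long property
    values and callto: targets that are neither a number nor a plausible username."""
    findings = []
    for name, params, value in parse_vcard(text):
        label = ";".join([name] + params)
        if len(value) > MAX_VALUE_LEN:
            findings.append(f"{label}: value length {len(value)} exceeds {MAX_VALUE_LEN}")
        if value.lower().startswith("callto:") and not CALLTO_RE.match(value):
            findings.append(f"{label}: malformed callto target")
    return findings


if __name__ == "__main__":
    for finding in check_vcard(SAMPLE_VCARD):
        print(finding)
```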
A comparison of the pre-patch and post-patch files gives some indication of added error handling functions.
One such section is:
There is also a similarly added section in the patch that provides extra code between callto:// and \Shell\Open\Command. I'd be willing to share this portion of IDA code with others if they contact me off list.
Binary dump below:
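As an added example (not the poster's code), a small Python script that does the string side of this pre-/post-patch comparison automatically: it extracts ASCII and UTF-16LE runs from two binaries and lists the strings only present in the patched build, which is how newly added error messages surface before you open either file in IDA. The two blobs are constructed stand-ins, not bytes from Skype.exe.

```python
import re

# Runs of at least 8 printable ASCII characters, either plain or UTF-16LE (each
# character followed by a NUL byte, the "T.h.e. .f.i.l.e" pattern seen in hex dumps).
ASCII_RUN = re.compile(rb"[\x20-\x7e]{8,}")
UTF16LE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")


def extract_strings(blob):
    """Return the set of readable strings in blob, decoding both encodings."""
    found = set()
    for m in ASCII_RUN.finditer(blob):
        found.add(m.group().decode("ascii"))
    for m in UTF16LE_RUN.finditer(blob):
        found.add(m.group().decode("utf-16-le"))
    return found


def added_strings(old_blob, new_blob):
    """Strings present in the patched build but absent from the unpatched one:
    a quick way to spot newly added error messages before disassembling."""
    return sorted(extract_strings(new_blob) - extract_strings(old_blob))


# Constructed stand-ins for the two builds (not bytes from Skype.exe): the "patched"
# blob carries one extra UTF-16LE message. Real use: open(path, "rb").read() on each file.
OLD_BUILD = (
    b"\x00" * 16
    + b"\\Shell\\Open\\Command\x00"
    + b"\x55\x8b\xec\x83\xc4\xf4" * 4  # opcode-like filler bytes, no string content
)
NEW_BUILD = (
    OLD_BUILD
    + b"\x00\x00"
    + "Constructed added error message: %s".encode("utf-16-le")
    + b"\x00\x00"
)

if __name__ == "__main__":
    for s in added_strings(OLD_BUILD, NEW_BUILD):
        print(repr(s))
```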
For those who weren't at BH Europe, or haven't seen yet:
http://www.blackhat.com/presentations/bh-europe-06/bh-eu-06-biondi/bh-eu-06-biondi-up.pdf
I'd treat it as an update to the original EADS-CCR article that began this thread. Included in the latest goodies are:
- Low-level details on how to be bilingual and learn how to speak "skype"
- How to let Skype do portscanning for you
- Theoretical means of starting a "dark" Skype network with its own supernodes etc. to do MitM attacks.
- Info on what I believe is the "heap overflow in networking routines" from last year, caused by specific UDP packet.
EADS make no mention of an eventual public release of skypy, their patch to Scapy (www.secdev.org/projects/scapy/).
http://www.skype.com/security/skype-sb-2005-03.html