
List:       bugtraq
Subject:    Skype callto:// BoF technical details
From:       "Berend-Jan Wever" <skylined () edup ! tudelft ! nl>
Date:       2004-11-16 15:01:19
Message-ID: 001c01c4cbed$254a23c0$0100a8c0 () grotedoos

Skype reported they've found a remotely exploitable BoF in the callto:// URI handler. A new version has been released.
http://www.skype.com/products/skype/windows/changelog.html
http://secunia.com/advisories/13191/

Technical details:

The buffer overflow happens when a Skype user clicks on a "callto://username" link with a username longer than 4096 characters that does not exist: an error message is created and put into a buffer without correct size checks. The error message and buffer are Unicode, but Unicode characters are filtered out and replaced with '?'. Only printable ASCII characters seem to get through. A return address can be overwritten, as well as the SEH. Exploitation is complicated by the fact that return addresses have to be in the range 0x00??00??.

Web browsers like MSIE do not support URIs long enough to trigger the BoF. To exploit it, one could send a Skype user a callto:// link in a private message and trick him/her into clicking it.

If one wanted to, one could write a Skype worm with this. User interaction would be required: they'd have to click the link.

Cheers,
SkyLined
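
Added example (not Skype's code and not part of the post above): a small C model of the bug class the post describes, written to show why the overwrite values are limited to the form 0x00??00??. An error message for an unknown user is widened into a fixed-size UTF-16 buffer with no length check, after every code unit outside printable ASCII has been replaced by '?'. The buffer size (4096 code units), the message prefix, the filter, the "spill area" standing in for the stack slots above the buffer, and the byte-oriented input are all assumptions of the model; the real handler's layout is not known from the post.

```c
/*
 * Model of the bug class in the post (added example, not Skype's code).
 * Assumptions: 4096-unit UTF-16 buffer, fixed message prefix, a filter
 * that turns anything outside printable ASCII into '?', and a "spill"
 * area standing in for the saved return address / SEH record that sit
 * above the buffer on the stack. Input is modelled as bytes.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ERR_BUF_UNITS 4096      /* assumed buffer size; matches the post's trigger length */
#define SPILL_UNITS   64        /* stand-in for the stack slots above the buffer */

static const char PREFIX[] = "Unknown user: ";   /* assumed message prefix, 14 units */

/* Assumed filter: anything outside printable ASCII becomes '?' (0x3f). */
static uint16_t filter_unit(unsigned c)
{
    return (c >= 0x20 && c <= 0x7e) ? (uint16_t)c : (uint16_t)'?';
}

/* Vulnerable model: widens PREFIX + user into dst with no bound at all.
 * Returns code units written, NUL included; overruns dst if the message
 * is longer than the caller's buffer. */
static size_t build_error_unbounded(uint16_t *dst, const char *user)
{
    size_t n = 0;
    for (const char *p = PREFIX; *p; ++p) dst[n++] = filter_unit((unsigned char)*p);
    for (const char *p = user; *p; ++p)   dst[n++] = filter_unit((unsigned char)*p);
    dst[n++] = 0;
    return n;
}

/* Hardened form: same message, never more than cap code units, always
 * NUL-terminated; a long username is truncated instead of spilling. */
static size_t build_error_bounded(uint16_t *dst, size_t cap, const char *user)
{
    size_t n = 0;
    if (cap == 0) return 0;
    for (const char *p = PREFIX; *p && n + 1 < cap; ++p) dst[n++] = filter_unit((unsigned char)*p);
    for (const char *p = user; *p && n + 1 < cap; ++p)   dst[n++] = filter_unit((unsigned char)*p);
    dst[n++] = 0;
    return n;
}

/* Lays out [errbuf][spill] in one array so the overrun stays inside
 * defined memory, fills the spill with 0xAA, runs a builder and returns
 * 32-bit word number idx past the buffer (little-endian, as on x86).
 * With the vulnerable builder this is the value that would overwrite a
 * saved return address or SEH pointer. Caller keeps strlen(user) below
 * ERR_BUF_UNITS + SPILL_UNITS - sizeof PREFIX so the model itself is safe. */
static uint32_t word_past_buffer(const char *user, int use_bounded, size_t idx)
{
    uint16_t region[ERR_BUF_UNITS + SPILL_UNITS];
    uint32_t v;
    memset(region, 0xAA, sizeof region);
    if (use_bounded)
        build_error_bounded(region, ERR_BUF_UNITS, user);
    else
        build_error_unbounded(region, user);
    memcpy(&v, &region[ERR_BUF_UNITS + 2 * idx], sizeof v);
    return v;
}

/* Constructed input: enough filler that "AB" lands exactly on code units
 * 4096-4097, then a non-ASCII byte (0xe9) and 'Z' to show the filter. */
static uint32_t demo_word(int use_bounded, size_t idx)
{
    char user[ERR_BUF_UNITS + 8];
    size_t filler = ERR_BUF_UNITS - (sizeof PREFIX - 1);
    memset(user, 'x', filler);
    memcpy(user + filler, "AB\xe9Z", 5);            /* 4 bytes + NUL */
    return word_past_buffer(user, use_bounded, idx);
}

/* The post's constraint in code: an address is reachable only if it is
 * 0x00XX00YY with XX and YY printable ASCII. On success the two username
 * bytes that produce it are written to chars[0..1] (low half first). */
static int address_reachable(uint32_t addr, char chars[2])
{
    unsigned lo = addr & 0xffu, hi = (addr >> 16) & 0xffu;
    if (addr & 0xff00ff00u) return 0;
    if (lo < 0x20 || lo > 0x7e || hi < 0x20 || hi > 0x7e) return 0;
    chars[0] = (char)lo;
    chars[1] = (char)hi;
    return 1;
}

int main(void)
{
    char chars[2];
    printf("unbounded, word 0 past buffer: 0x%08x\n", demo_word(0, 0)); /* 0x00420041 */
    printf("unbounded, word 1 past buffer: 0x%08x\n", demo_word(0, 1)); /* 0x005a003f */
    printf("bounded,   word 0 past buffer: 0x%08x\n", demo_word(1, 0)); /* 0xaaaaaaaa */
    printf("0x7c801234 reachable: %d\n", address_reachable(0x7c801234u, chars)); /* 0 */
    if (address_reachable(0x00420041u, chars))
        printf("0x00420041 reachable via \"%c%c\"\n", chars[0], chars[1]);
    return 0;
}
```

The second word past the buffer shows the filter's effect: the 0xe9 byte arrives as '?' (0x3f), so an attacker cannot widen the reachable range by sending non-ASCII input. Any typical Windows code address such as 0x7c801234 fails address_reachable, which is the constraint the post refers to; only addresses whose two 16-bit halves each look like a printable ASCII character can be written.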

