List: bugtraq
Subject: Skype callto:// BoF technical details
From: "Berend-Jan Wever" <skylined () edup ! tudelft ! nl>
Date: 2004-11-16 15:01:19
Message-ID: 001c01c4cbed$254a23c0$0100a8c0 () grotedoos
Skype reported they've found a remotely exploitable BoF in the callto:// URI handler. New version has been released.
http://www.skype.com/products/skype/windows/changelog.html
http://secunia.com/advisories/13191/
Technical details:
The buffer overflow happens when a Skype user clicks on a "callto://username" link with a username longer than 4096 characters that does not exist: an error message is created and put into a buffer without correct size checks. The error message and buffer are Unicode, but Unicode characters are filtered out and replaced with '?'. Only printable ASCII characters seem to get through. A return address can be overwritten as well as the SEH. Exploitation is complicated by the fact that return addresses have to be in range 0x00??00??.
Web browsers like MSIE do not support URIs long enough to trigger the BoF. To exploit it, one could send a Skype user a callto:// link in a private message and trick him/her into clicking it.
If one would want to, one could write a Skype worm with this. User interaction would be required: they'd have to click the link.
Cheers,
SkyLined