Credit:
The information has been provided by EADS CCR DCR/STI/C.
The vendor advisory can be found at: http://www.skype.net/security/skype-sb-2005-03.html
Vulnerable Systems:
* Skype for Windows (including XP SP2 hosts) version 1.4.*.83 and prior
* Skype for Mac OS X version 1.3.*.16 and prior
* Skype for Linux version 1.2.*.17 and prior
* Skype for Pocket PC version 1.1.*.6 and prior
Skype uses several data formats, and each format has its own specific parser. Numbers are stored with a specific encoding, which will be referred to as VLD (Variable Length Data).
The data causing the overflow has the following format:
------------------------------------
| Object Counter* | M objects      |
| M (VLD)         | (VLD)          |
------------------------------------
* The first number in the packet is the number of objects that follow.
The amount of memory allocated by the parser is prone to an integer wrap-around. The allocated size is 4*M, so the overflow occurs when M is greater than 0x40000000: e.g. when M=0x40000010, HeapAlloc(0x40) is called, but up to 0x40000010 objects are effectively read from the packet and written into memory.
Since the attacker controls both M and all other objects in the packet, an arbitrary amount of memory can be overwritten with chosen values, which makes gaining control of the execution flow easy.
The corresponding parsing code roughly translates into C as follows:
#include <windows.h>   // HeapAlloc, GetProcessHeap

// read a VLD from input stream
// return 0 on error
int get_vld(unsigned int *);
// abort parsing on error
void fault(void);

// parse the object list described above (vulnerable version)
void parse_object_list(void)
{
    unsigned int object_counter;
    unsigned int i;
    unsigned int *tab_objects;

    // read object count (M)
    if (get_vld(&object_counter) == 0)
        fault();

    // allocate memory to store sub-objects: the product wraps for
    // M > 0x40000000, so far fewer than M slots are allocated
    tab_objects = HeapAlloc(GetProcessHeap(), 0, sizeof(unsigned int) * object_counter);
    if (tab_objects == NULL)
        fault();

    // read and store M sub-objects: the loop runs M times regardless
    // of the (wrapped) allocation size, writing past the buffer
    for (i = 0; i < object_counter; i++)
    {
        if (get_vld(&tab_objects[i]) == 0)
            fault();
    }
    return;
}
Due to favorable environmental conditions, this particular heap overflow is also exploitable on heap-protected systems such as Windows XP SP2 and some Linux distributions. This is possible because Skype stores function pointers in the heap, and those pointers can be overwritten by the overflow.
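The fix the parser needs is a checked size computation: reject M before 4*M is allowed to wrap. The following is an added example of that hardened form, not Skype's code; since the VLD encoding is not described here, get_vld() is modelled as a plain 32-bit little-endian read from an in-memory buffer (an assumption), and the sample packets are constructed.

```c
#include <stdint.h>
#include <stdlib.h>

struct stream { const uint8_t *p; size_t len; size_t pos; };

/* Stand-in for get_vld(): one 32-bit little-endian value per object
   (assumption; the real VLD encoding is not given on this page).
   Returns 0 on error (fewer than 4 bytes left), 1 on success. */
static int get_vld(struct stream *s, uint32_t *out) {
    const uint8_t *b = s->p + s->pos;
    if (s->len - s->pos < 4) return 0;
    *out = (uint32_t)b[0] | (uint32_t)b[1] << 8 | (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24;
    s->pos += 4;
    return 1;
}

/* The unchecked product, in 32 bits as on the affected targets:
   4*M wraps once M exceeds 0x40000000 (0x40000010 -> 0x40). */
uint32_t unchecked_alloc_size(uint32_t m) {
    return m * 4u;
}

/* Checked version: refuse M when 4*M would not fit in a 32-bit size. */
int checked_alloc_size(uint32_t m, uint32_t *bytes) {
    if (m > UINT32_MAX / 4u) return 0;
    *bytes = m * 4u;
    return 1;
}

/* Hardened parser: returns the number of objects read into *out (caller
   frees), or -1 when the count would wrap the allocation or exceeds the
   input. Bounding M by the bytes left also stops huge allocations. */
long parse_objects(const uint8_t *buf, size_t len, uint32_t **out) {
    struct stream s = { buf, len, 0 };
    uint32_t m, bytes, i, *tab;
    *out = NULL;
    if (!get_vld(&s, &m)) return -1;
    if (!checked_alloc_size(m, &bytes)) return -1;     /* 4*M would wrap */
    if (m > (len - s.pos) / 4) return -1;   /* each object is 4 bytes here */
    tab = malloc(bytes ? bytes : 1);
    if (tab == NULL) return -1;
    for (i = 0; i < m; i++)
        if (!get_vld(&s, &tab[i])) { free(tab); return -1; }
    *out = tab;
    return (long)m;
}

/* Constructed packets: M = 3 with three objects, and M = 0x40000010. */
const uint8_t SAMPLE_OK[]   = {3,0,0,0, 0x11,0,0,0, 0x22,0,0,0, 0x33,0,0,0};
const uint8_t SAMPLE_WRAP[] = {0x10,0,0,0x40, 1,0,0,0};
```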
CVE Information:
CVE-2005-3267
Disclosure Timeline:
Oct 17 2005: EADS CRC contacted Skype Security Team
Oct 17 2005: Skype responded to EADS CRC
Oct 25 2005: new patched version available