Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:27700
HistoryFeb 22, 2012 - 12:00 a.m.

Skype v5.6.59.x - Memory Corruption Vulnerability

2012-02-2200:00:00
vulners.com
12
JSON

Title:

Skype v5.6.59.x - Memory Corruption Vulnerability

Date:

2012-02-17

References:

http://www.vulnerability-lab.com/get_content.php?id=315

VL-ID:

315

Introduction:

Skype is a software application that allows users to make voice and video calls and chats over the Internet. Calls to other users within the
Skype service are free, while calls to both traditional landline telephones and mobile phones can be made for a fee using a debit-based
user account system. Skype has also become popular for its additional features which include instant messaging, file transfer, and
videoconferencing. Skype has 663 million registered users as of 2010. The network is operated by Skype Limited, which has its headquarters
in Luxembourg. Most of the development team and 44% of the overall employees of Skype are situated in the offices of Tallinn and Tartu, Estonia.

(Copy of the Vendor Homepage: http://en.wikipedia.org/wiki/Skype)

Abstract:

The Vulnerability-Lab Team discovered a remote memory corruption vulnerability on Skypes v5.6.59.x for x64 Windows7 Acer Aspire 5738.

Report-Timeline:

2011-11-07: Vendor Notification
2011-11-09: Vendor Response/Feedback
2011--: Vendor Fix/Patch
2012-02-17: Public or Non-Public Disclosure

Status:

Published

Exploitation-Technique:

Remote

Severity:

High

Details:

A memory corruption vulnerability is detected on the windows client v5.6.59.10 (x64) of the skype software. The bug is located in
the software when processing special crafted transfers/communication processes from a linux v2.2.0.35(Beta) client to a
windows v5.6.59.10 client. The vulnerability allows the linux client user to crash the windows client on the remote way via freeze
when transfering. The execution of code is not possible via violation (read/write). The bug is only exploitable on Acer Aspire 5738
with Intel(R) Core(TM)2 Duo & windows 7 x64.

Vulnerable Module(s):
[+] File Transfer Linux v2.2.0.35(Beta) to Windows v5.6.59.10 Client

Verified on OS:
[+] Windows 7 - x64

Typus:
[+] Acer Aspire 5738

Processor:
[+] Intel(R) Core(TM)2 Duo - T6600 - 2x2.2 GHz

Affected OS version(s):
[+] Windows v5.6.59.10

Exploited via:
[+] Skype Linux v2.2.0.35(Beta)

— Error Logs —
Version=1
EventType=APPCRASH
EventTime=129649895429022825
ReportType=2
Consent=1
ReportIdentifier=d7d69494-07d7-11e1-be65-d0195a352fda
IntegratorReportIdentifier=d7d69493-07d7-11e1-be65-d0195a352fda
WOW64=1
Response.type=4
Sig[0].Name=Anwendungsname
Sig[0].Value=Skype.exe
Sig[1].Name=Anwendungsversion
Sig[1].Value=5.6.59.110
Sig[2].Name=Anwendungszeitstempel
Sig[2].Value=4e96c2e0
Sig[3].Name=Fehlermodulname
Sig[3].Value=Skype.exe
Sig[4].Name=Fehlermodulversion
Sig[4].Value=5.6.59.110
Sig[5].Name=Fehlermodulzeitstempel
Sig[5].Value=4e96c2e0
Sig[6].Name=Ausnahmecode
Sig[6].Value=c0000005
Sig[7].Name=Ausnahmeoffset
Sig[7].Value=00006042
DynamicSig[1].Name=Betriebsystemversion
DynamicSig[1].Value=6.1.7601.2.1.0.768.3
DynamicSig[2].Name=Gebietsschema-ID
DynamicSig[2].Value=1031
DynamicSig[22].Name=Zusatzinformation 1
DynamicSig[22].Value=aaf0
DynamicSig[23].Name=Zusatzinformation 2
DynamicSig[23].Value=aaf0453a0e76af1ce0b9b95636592246
DynamicSig[24].Name=Zusatzinformation 3
DynamicSig[24].Value=efcb
DynamicSig[25].Name=Zusatzinformation 4
DynamicSig[25].Value=efcb736472e70e914b41ac4f1d53e9e7
UI[2]=C:\Program Files (x86)\Skype\Phone\Skype.exe
UI[3]=Skype funktioniert nicht mehr
UI[4]=Windows kann online nach einer Losung fur das Problem suchen.
UI[5]=Online nach einer Losung suchen und das Programm schlie?en
UI[6]=Spater online nach einer Losung suchen und das Programm schlie?en
UI[7]=Programm schlie?en
LoadedModule[0]=C:\Program Files (x86)\Skype\Phone\Skype.exe
LoadedModule[1]=C:\Windows\SysWOW64\ntdll.dll
LoadedModule[2]=C:\Windows\syswow64\kernel32.dll
LoadedModule[3]=C:\Windows\syswow64\KERNELBASE.dll
LoadedModule[4]=C:\Windows\syswow64\oleaut32.dll
… … … …
LoadedModule[180]=C:\Windows\system32\wpdshext.dll
LoadedModule[181]=C:\Windows\system32\IconCodecService.dll
LoadedModule[182]=C:\Windows\SysWOW64\PhotoMetadataHandler.dll
LoadedModule[183]=C:\Windows\system32\dbghelp.dll
FriendlyEventName=Nicht mehr funktionsfahig
ConsentKey=APPCRASH
AppName=Skype
AppPath=C:\Program Files (x86)\Skype\Phone\Skype.exe

Version=1
EventType=APPCRASH
EventTime=129685086822704807
ReportType=2
Consent=1
ReportIdentifier=7a5bbde2-27d9-11e1-9554-bcffd2dbaec5
IntegratorReportIdentifier=7a5bbde1-27d9-11e1-9554-bcffd2dbaec5
WOW64=1
Response.type=4
Sig[0].Name=Anwendungsname
Sig[0].Value=Skype.exe
Sig[1].Name=Anwendungsversion
Sig[1].Value=5.6.59.110
Sig[2].Name=Anwendungszeitstempel
Sig[2].Value=4e96c2e0
Sig[3].Name=Fehlermodulname
Sig[3].Value=KERNELBASE.dll
Sig[4].Name=Fehlermodulversion
Sig[4].Value=6.1.7601.17651
Sig[5].Name=Fehlermodulzeitstempel
Sig[5].Value=4e211319
Sig[6].Name=Ausnahmecode
Sig[6].Value=0eedfade
Sig[7].Name=Ausnahmeoffset
Sig[7].Value=0000b9bc
DynamicSig[1].Name=Betriebsystemversion
DynamicSig[1].Value=6.1.7601.2.1.0.768.3
DynamicSig[2].Name=Gebietsschema-ID
DynamicSig[2].Value=1031
DynamicSig[22].Name=Zusatzinformation 1
DynamicSig[22].Value=9c3f
DynamicSig[23].Name=Zusatzinformation 2
DynamicSig[23].Value=9c3f13414b612a2f01f04d72e638661d
DynamicSig[24].Name=Zusatzinformation 3
DynamicSig[24].Value=9593
DynamicSig[25].Name=Zusatzinformation 4
DynamicSig[25].Value=9593e76fac7cc42272b758abf7e20813
UI[2]=C:\Program Files (x86)\Skype\Phone\Skype.exe
UI[3]=Skype funktioniert nicht mehr
UI[4]=Windows kann online nach einer Losung fur das Problem suchen.
UI[5]=Online nach einer Losung suchen und das Programm schlie?en
UI[6]=Spater online nach einer Losung suchen und das Programm schlie?en
UI[7]=Programm schlie?en
… … … …
LoadedModule[151]=C:\Windows\system32\midimap.dll
LoadedModule[152]=C:\Windows\system32\windowscodecsext.dll
LoadedModule[153]=C:\Windows\System32\msxml6.dll
LoadedModule[154]=C:\Windows\system32\RICHED20.DLL
FriendlyEventName=Nicht mehr funktionsfahig
ConsentKey=APPCRASH
AppName=Skype
AppPath=C:\Program Files (x86)\Skype\Phone\Skype.exe

Version=1
EventType=AppHangB1
EventTime=129654326637535437
ReportType=3
Consent=1
UploadTime=129654326746731683
ReportIdentifier=906ac8aa-0bdf-11e1-a657-b0833c3dd7a7
IntegratorReportIdentifier=906ac8ab-0bdf-11e1-a657-b0833c3dd7a7
WOW64=1
Response.type=4
Sig[0].Name=Anwendungsname
Sig[0].Value=Skype.exe
Sig[1].Name=Anwendungsversion
Sig[1].Value=5.6.59.110
Sig[2].Name=Anwendungszeitstempel
Sig[2].Value=4e96c2e0
Sig[3].Name=Absturzsignatur
Sig[3].Value=b5a1
Sig[4].Name=Absturztyp
Sig[4].Value=0
DynamicSig[1].Name=Betriebsystemversion
DynamicSig[1].Value=6.1.7601.2.1.0.768.3
DynamicSig[2].Name=Gebietsschema-ID
DynamicSig[2].Value=1031
DynamicSig[22].Name=Zusatzliche Absturzsignatur 1
DynamicSig[22].Value=b5a13949296de5a80b34b6b3ed655f0d
DynamicSig[23].Name=Zusatzliche Absturzsignatur 2
DynamicSig[23].Value=7686
DynamicSig[24].Name=Zusatzliche Absturzsignatur 3
DynamicSig[24].Value=7686072c74c9a617ba4768ad2d5f43fa
DynamicSig[25].Name=Zusatzliche Absturzsignatur 4
DynamicSig[25].Value=b5a1
DynamicSig[26].Name=Zusatzliche Absturzsignatur 5
DynamicSig[26].Value=b5a13949296de5a80b34b6b3ed655f0d
DynamicSig[27].Name=Zusatzliche Absturzsignatur 6
DynamicSig[27].Value=7686
DynamicSig[28].Name=Zusatzliche Absturzsignatur 7
DynamicSig[28].Value=7686072c74c9a617ba4768ad2d5f43fa
UI[3]=Skype reagiert nicht
UI[4]=Windows kann online nach einer Losung suchen. Wenn Sie das Programm schlie?en, gehen ggf. Informationen verloren.
UI[5]=Online nach einer Losung suchen und das Programm schlie?en
UI[6]=Online nach einer Losung suchen und das Programm schlie?en
UI[7]=Programm schlie?en
LoadedModule[0]=C:\Program Files (x86)\Skype\Phone\Skype.exe
… … … …
LoadedModule[150]=C:\Windows\system32\midimap.dll
LoadedModule[151]=C:\Windows\system32\RICHED20.DLL
LoadedModule[152]=C:\Windows\system32\dbghelp.dll
FriendlyEventName=Beendet und geschlossen.
ConsentKey=AppHangXProcB1
AppName=Skype
AppPath=C:\Program Files (x86)\Skype\Phone\Skype.exe
ReportDescription=Aufgrund eines Problems kann dieses Programm nicht mehr mit Windows kommunizieren.

Picture(s):
…/1.png
…/2.png
…/3.png
…/4.png
…/5.png
…/6.png
…/7.png
…/8.png
…/9.png
…/10.png

Proof of Concept:

The vulnerability can be exploited by remote attackers with low required user inter action (accept).
Successful exploitation requires to accept a file transfer (user inter action) or receive messages & information.
For demonstration or reproduce …

Manually …
=> Install Skype Linux v2.2.0.35(Beta) Software
=> Login to Skype Linux v2.2.0.35(Beta)
=> Choose a userfrom your list with a Windows v5.6.59.10 x64 user client with a Acer Aspire 5738
=> Send the file or startup a text conversation to the skype v5.6.59.10 on a windows 7 x64 user client with a Acer Aspire 5738
=> Results in a stable memory corruption!

Note:
Successful exploitation results in a software and context freeze/crash + exception message violation read/write.
We reproduced the bug in 4 of 11 sendings. On 2 different windows 7 (x64) systems.
We tested the issue on 2 notebooks with the same typus - acer aspire 5738 - Intel(R) Core(TM)2 Duo (T6600 - 2x2.2 GHz) - x64 Windows 7.

Reference(s):
…/AppCrash_Skype.exe_d5e2d03b37d849b583abbbf2629dce65e18f70_2056ac14
…/AppCrash_Skype.exe_d5e2d03b37d849b583abbbf2629dce65e18f70_15c9ffad
…/AppHang_Skype.exe_875f53822d85cc7ef3b7ee45a91220cfa96f2093_158aef59
…/AppCrash_Skype.exe_aba333e0633c88bbbcd3934580eb7d3ddde7f5fb_0ba0367c
…/debug-20111026-2046.trace.txt
…/debug-20111102-1530.log
…/Skype.DMP

Attack Scheme(s):
…/skype(memory2).png

Risk:

The security risk of the remote corruption vulnerability is estimated as high(-).

Credits:

Vulnerability Research Laboratory - Benjamin Kunz Mejri (Rem0ve) & Alexander Fuchs (f0x23)

Disclaimer:

The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability-
Lab. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of
other media, are reserved by Vulnerability-Lab or its suppliers.

                                            Copyright © 2012|Vulnerability-Lab


Website: www.vulnerability-lab.com ; vuln-lab.com or vuln-db.com
Contact: [email protected] or [email protected]

JSON