SKYPE VOICE OVER IP - SOFTWARE VULNERABILITIES

SKYPE VOICE OVER IP - SOFTWARE VULNERABILITIES
TECHNIQUES & METHODS – ZERO DAY EXPLOITATION 2011
1. (Overview) Authors of the Skype Exploitation White-Paper
- 1.1 Pim J.F. Campers
- 1.2 Benjamin Kunz Mejri
2. (Preface) Information around the White-Paper & Skype
- 2.1 Infomercial
3. (Overview) Published Skype Vulnerabilities 2004-2010
- 3.1 URI Handler Skype Vulnerabilities
- 3.2 Denial of Service Skype Vulnerabilities
- 3.3 Creation & Deletion Skype Vulnerabilities
- 3.4 Buffer Overflow Skype Vulnerabilities
4. (How 2 Exploit & Detect?)
- 4.1 How to detect own Skype 0-day vulnerabilities?
- 4.2 How to exploit skype 0-day vulnerabilities out of the box?
- 4.2.1 Client Side Exploitation Map (Remote)
- 4.2.2 Server-Side 1 Exploitation Map (Remote & Local)
- 4.2.3 Server-Side 2 Exploitation Map (Remote & Local)
- 4.2.4 Pointer Exploitation Map (Local)
- 4.2.5 Exchange Buffer Overflow Map (Remote & Local)
- 4.2.7 Denial of Service Map (Local to Remote)
5.(Main Presentation) Presentation of own 0 day Skype Vulnerabilities
- 5.6 Skype v5.3.x v2.2.x v5.2.x – Denial of Service Vulnerability
- 5.2 Skype 5.3.x 2.2.x 5.2.x - Persistent Software Vulnerability
- 5.1 Skype 5.3.x 2.2.x 5.2.x - Persistent Profile XSS Vulnerability
- 5.5 Skype v5.2.x and v5.3.x – Memory Corruption Vulnerability
- 5.3 Skype v5.3.x - Transfer Standby Buffer Overflow Vulnerability
6. Skype Security & Time-Lines
- 6.1 Response, Fix/Patch > Time-Line
7. (Review) Security Session Videos
- 6.1 Skype (VoIP) - Denial of Service Vulnerability.wmv [HD]
- 6.2 Skype (VoIP) - Persistent Profile XSS Vulnerability [HD]
- 6.3 Skype (VoIP) - [Pointer Bug] Memory Corruption [HD]
8. Credits & Infomercial
- 8.1 Vulnerability Laboratory
1. AUTHORS OF THE SECURITY SKYPE WHITE-PAPER
1.1 Pim J. F. Campers (24) has worked around five years in the IT Security sector. It began as a
hobby, but after high school, he decided to expand his experience in the area of IT Security. His
specialties are security checks on web applications, server and client applications, underground
economy, bypass/crack filters or walls & risk/threat analysis. He currently works closely with
academia and high class software manufacturers and companies.
Pim has joined the "Global Evolution" Research Team 2007. From 2010 to 2011, Pim J.C. and
Benjamin M. (Research Team) identified over 300 zero day vulnerabilities in well known products
from companies such as DELL, Mozilla, Kaspersky, McAfee, Google, Cyberoam, Safari,
Bitdefender, Asterisk, Telecom, PBX & SonicWall. In 2010 he founded the company "Evolution
Security" with Benjamin K.M.. After the firm's establishment arose the european Vulnerability Lab
as the legal european initiative for vulnerability researchers, analysts, penetration testers, and
serious hacker groups. Pim is also the co-leader of the european Wargaming + Vulnerability-Lab
Research Team & have a lot of stable references by solved events or contests like ePost SecCup,
SCS2, EH2008, HAR2009, Da-op3n & exclusive zero-day exploitation sessions/releases.
1.2 Benjamin Kunz M.(28) is active as a penetration tester and security analyst for private and
public security firms, hosting entities, banks, isp(telecom) and ips. His specialties are security
checks(penetrationtests) on services, software, applications, malware analysis, underground
economy, military intelligence/cyberwar, reverse engineering, lectures and workshops about IT
Security. During his work as a penetration tester and vulnerability researcher, many open- or closed
source applications, software and services were formed more secure. In 1997, Benjamin K.M.
founded a non-commercial and independent security research group called, "Global Evolution -
Security Research Group" which is still active today. From 2010 to 2011, Benjamin M. and Pim C.
(Research Team) identified over 300 zero day vulnerabilities in well known products from
companies such as DELL, Barracuda, Mozilla, Kaspersky, McAfee, Google, Cyberoam, Safari,
Bitdefender, Asterisk, Telecom, PBX & SonicWall. In 2010 he founded the company "Evolution
Security". After the firm's establishment arose the Vulnerability Lab as the legal european initiative
for vulnerability researchers, analysts, penetration testers, and serious hacker groups. Ben is also the
leader of the Contest + Vulnerability-Lab Research Team. He have a lot of stable references by
solved events or contests like ePost SecCup, SCS2, EH2008, Har2009, Da-op3n & exclusive zeroday
exploitation sessions/releases.
2. INFOMERCIAL ON SKYPE
Skype is a software application that allows users to make voice and video calls and chats over the
Internet. Calls to other users within the Skype service are free, while calls to both traditional
landline telephones and mobile phones can be made for a fee using a debit-based user account
system. Skype has also become popular for its additional features which include instant messaging,
file transfer, and video conferencing. Skype has 663 million registered users as of 2010. The
network is operated by Skype Limited, which has its headquarters in Luxembourg. Most of the
development team and 44% of the overall employees of Skype are situated in the offices of Tallinn
and Tartu, Estonia. In April 2011 Microsoft bought the skype company. Skype is now a official
Microsoft Company.
The Skype Team provids an own security team for special software issues. "Vulnerability-lab.com
is in no way affiliated with Skype, does not work with Skype and cannot provide any conduit to
them. Any vulnerabilities to be reported to Skype should follow the process as detailed on their
website.
www.skype.com
3. OVERVIEW PUBLIC SKYPE VULNERABILITIES
Let’s have a look on the last Microsoft Skype software vulnerabilities. We split the categories into 4
classes: URI Handler Bugs, Creation + Deletion Misconfigurations, Denial of Service & Buffer
Overflows to give an overview of older bugs/vulnerabilities.
3.1 URI Handler Vulnerabilities on Skype
Skype URI Handler Input Validation Vulnerability - 2010
Skype File URI Security Bypass Code Execution Vulnerability - 2008
Skype skype4com URI Handler Remote Heap Corruption Vulnerability - 2007
Skype "callto:" URI Handler Buffer Overflow – 2004
Example:<a href=skype:A"0x01/secondary0x01/username:"test”0x01/password:”test>HACK</a>
Description: Allows an attacker to execute malicious content via skype message board on clicks.
Example: http:/www.example.com/?foo="><script>document.='http://11.133.0.7';</script>
Description: Client-Side XSS attack that allows an attacker to redirect a MacOS user via message board.
Bypass Example: %20%20%20%20%20%20%20?foo=%22%3E%22%3C%69%66%72%61%6D
%65%20%73%72%63%3D%68%74%74%70%3A%2F%2F%76%75%6C%6E%2D%6C%61%62%2E
%63%6F%6D%3E
Description: Client-Side XSS attack that allows to bypass the older software filter with HEX URL Value.
Example: callto:"><script>document.='http://11.133.0.7';</script>
Description: Client-Side link spoofing attack allows to redirect victims, execute malware & script code
3.2 Denial of Service Vulnerabilities on Skype
Skype Client for Mac Chat Unicode Denial of Service Vulnerability 2010
Example: Mathematical Alphanumeric Symbols (1D400-1D7FF)
Description: After recieving a message the client freeze itself & the user in unable to get new messages.
3.3 Creation & Deletion Vulnerabilities on Skype
Skype URI Processing Arbitrary XML File Deletion Vulnerability – 2009
Skype Linux Insecure Temporary File Creation – 2005
Create Example:
strace -e trace=open skype
open("/home/vulnerability-lab/image.jpg", O_RDONLY|O_LARGEFILE) = 21 // Picture by User
open("/tmp/skype_profile.jpg", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666) = 23 // Insecure
temporary file creation (it should use O_EXCL or O_NOFOLLOW flag)
Log: ln -s file_to_overwrite /tmp/skype_profile.jpg
Description: Bug located in multi-user environment because usually /tmp directory is "world-writable"
Delete Example:
Description: undocumented 'save_pxml' command that upon clicking will trigger the deletion of an arbitrary
attacker specified XML file. (Extras Plugin!)
3.4 Parse Buffer Overflow Vulnerabilities on Skype
Skype M/VLD Parse Integer Buffer Overflow Vulnerability - 2005
Example:
| Object Counter* | M objects
| M (VLD) | (VLD)
* The first number in the packet is the amount of forthcoming objects!
Description: The overflow occurs when M is greater than 0x40000000: e. g. when M=0x40000010,
HeapAlloc(0x40) is called, but up to 0x40000010 objects are effectively read in the packet and written into
memory.
4. HOW 2 EXPLOIT & Detect?
On this section of the white paper we will explain "how to find a way to exploit the software". Everybody
knows it's not that easy to declare vulnerabilitiess & bugs on the skype voip software ... or everybody keeps
his material private on his own. Like you can see on the securityfocus list there are not much or tricky
vulnerabilities listed ... http://www.securiteam.com/products/S/Skype.html
4.1 How to detect own Skype Vulnerabilities?
Skype is not easy to hack as the most people out there know. After our research tour through the Skype VOIP
software & modules our group discovered 6 new security vulnerabilities. The most detected bugs are on
software nodes like internal modules & overall levels/forms. To detect this type of vulnerabilities is not that
easy, the attacker mostly needs to find a specific node on the software were script-code or commands are
executed. After detection of such a vulnerability the attacker also needs to verify that the bug is remotely
exploitable because a lot of them just locally exploitable.
1. Find/Detect/Identify Bug/Vulnerability
2. Analyse Bug/Vulnerability
3. Verify Vulnerability (Remote/Local)
4. Exploitation (PoC)
From the search, find/detect & verify to the ending exploitation is a long way. In the next section we will
show the attack models & how the exploitation out of the box works. Attackers have to think innovatively &
creatively on the identification process. Very often the bugs are located on in a specific module but just get
displayed in a third, to trigger/exploit this kind of bugs is very hard.
4.2 How to exploit own Skype Vulnerabilities (Out of the Box!)?
The following attack model describes the client site attacks on the famous Skype software.
4.2.1
4.2.2
4.2.3
4.2.4
4.2.5
4.2.7
5. Presentation of own detected 0 day Skype vulnerabilities
Now I will even explain how to exploit Skype and show everything that i found testing this software product.
In total 5 vulnerabilities were found:
- 5.6 Skype v5.3.x v2.2.x v5.2.x – Denial of Service Vulnerability (Local to Remote)(+Video)(Linux,Windows & Mac) [Medium[-]
- 5.2 Skype 5.3.x 2.2.x 5.2.x - Persistent Software Vulnerability (Local & Remote)(Linux,Windows & Mac) [High[-]
- 5.5 Skype v5.2.x and v5.3.x – Memory Corruption Vulnerability (Local) (+Video)(Linux,Windows & Mac) [Medium]
- 5.3 Skype v5.3.x - Transfer Standby Buffer Overflow Vulnerability (Remote) (Windows) [High]
- 5.1 Skype 5.3.x 2.2.x 5.2.x - Persistent Profile XSS Vulnerability (Local & Remote)(Linux,Windows & Mac) (+Video) [High]
OS Independent: 4 Vulnerabilities
I will explain the weaknesses individually and what impact they might have on the user. All my tests were
recorded in a video session which is currently being processed for release.
Skype v5.3.x v2.2.x v5.2.x - Local Denial of Service Vulnerability (Map: 4.2.7)
First, the stable local & remote denial of service attack in Skype. As with other messengers, it is possible to
allow for specific words Notify. Something called Highlight text in irc. For example if a notify on the word
"Benjamin" is made, everytime this word is now used in a conversation the user gets notified. The function
looks like this ...
The steps to do so are the following ...
Notificationsettings => Input Field(Checkbox 3) => Input string => Save the words/strings => Check when a
return or a receive is made on the stored words/strings => User Notification if word/string is found in the
words/strings stored in the notification list
The stable denial of service vulnerability is detected on the windows & Mac OS version of Skype. The Bug
is located in the notification module of the Skype client. The vulnerability allows an local attacker to crash
the complete skype process via APPHang(application-hang) & APPCrash. The bug allows an local attacker
to block the users message board by including on the savebox ...
%long<string>+[Space]+%long<string>
message. The input field of the notifification-option has no size restriction as maximum. After including the
string into the application, it will never verify what is inside the notification option.
The result is in a stable denial of service: apphang & appcrash ... also after a restart because its saved with
the account. The bug has a persistent weakness when including on a specific user profile. This can result in a
stable denial of service vulnerability after the exchange of v-cards. When the user with the manipulated
profile sends a message to me(receiver) the vulnerability crashes the client after receiving 1 character of text.
Abbildung 1: Benachrichtigungskonfiguration or Notificationsettings
Abbildung 3: MacOS - Denial of Service Session (Error Report #1)
Abbildung 2: MacOS - Denial of Service Session (Software Crash Receiver)
Abbildung 4: Windows 7 - Denial of Service Session (Debugger - Unhandled Exceptions)
When you try to delete the string out of the "Notification Settings" the software also tries to check the input
and crashes after execution of the module. The attack model is triggered by the following steps:
Schema: Notificationsettings => Input Field(Checkbox 3) => Input(unrestricted) => %long<string>+[Space]
+%long<string> => Save the words/strings => Check when a return or a receive is made on the stored
words/strings => Crash on every remote & local message on the profile (Exploitation)
The denial of service bug is vulnerable to Mac OS, Windows & the Linux version (+mobile) of Skype.
Skype 2.8.x, 5.3.x & 2.2.x – Persistent Software Vulnerability (Map: 4.2.3)
Now we have gotten a really nice bug that allows persistent remote script code inclusion directly into the
Skype software. Months ago I started looking at the status messages and bars from Skype.
In my tests, I was looking for specific points in the software such as transmitted messages from embedded
(inbound) services. When I got notified a few weeks ago about the new service manager for Skype,
I've been looking at this and made small function test. “So far so good I thought, nice piece of software.” But
when I logged off my account the status message changed to "The administrator has removed you from
Skype Manager called "USER NAME "(HD output).
I had finally found what I'd been looking for. Then I naturally logged back onto Skype Service Manager.
This time I tried to log on with different tags as my Skype user name, but that unfortunately didn't work
because of security restrictions. “Okay.” I thought to myself. “I can't do that yet.” I logged into Skype
Manager with a normal name and went to the profile names. There, I didn't try to log in with the user name
again, but rather just tried to run an update. How perfectly it worked. The registration didn't work given that
it had already been validated, but the update ran problemfree.
Unfortunately, you couldn't insert more than fifty characters due to the restriction from the update. Then, I
began to try to inject different little scripts for tags and afterward just signed out of Skype Service Manager.
At the login for the user name, I was left with filtered output.
Status Message: The Administrator has removed you from Skype Manager called ">"(DB Username output)
Okay, I had come as far as finding a form in Skype's software that allowed you to send a direct status update.
The problem was that the software would filter a normal tag like, '>"<iframe src=http://www.vulnerabilitylab.com>'
itself. I then began to throw the scripts through different character encoding calculator applications
(HTML, hex-url, base-64). When I was done, I tried all of the different encodings in the user name section.
After a quick update, I logged out to see whether it worked, and saw this:
Okay, I had come as far as finding a form in Skype's software that allowed you to send a direct status update.
The problem was that the software would filter a normal tag like, '>"<iframe src=http://www.vulnerabilitylab.com>'
itself. I then began to throw the scripts through different character encoding calculator applications
(HTML, hex-url, base-64). When I was done, I tried all of the different encodings in the user name section.
After a quick update, I logged out to see whether it worked, and saw this:
Now it was possible to run scripts through updating the status in Skype with those underlying vulnerabilities.
You simply cannot just ignore the status as it is permanently set in the menu. The security hole is also not
just hinged upon something within the operating system. The weakness lies in the validation of the output of
the status change, but also in the user name validation of the Skype Manager service. At the end of my tests it
was clear, it didn't matter which service you let update your status with, you just had to find some type of
correlating inbound service (usern- output) and you can run your favorite executables in the software.
Schema: Install => register => Login1 => register 2 => Check1 => Login2 => Change username input to
Tag (Script Code HTML/JS) => Cancel Service => Redisplay in status message bar index (Exploitation)
PoC:
%3E%22%3C%69%66%72%61%6D%65%20%73%72%63%3D%68%74%74%70%3A%2F%2F
%76%75%6C%6E%2D%64%62%2E%63%6F%6D%3E
Skype 2.8.x & 5.3.x - Persistent Profile XSS Vulnerability (Map: 4.2.2)
At least a second input validation vulnerability has been identified on the profile input/output of the Skype
client software. The bug is located on the "myphone" profile input fields. The affected vulnerable output area
is the active user preview were the script code get executed. The lab researcher Levent Kayan (noptrix) has
discovered the vulnerability 2011-07-15 on vulnerability-lab.com. The security risk of the vulnerability is
estimated as high(-) because exploitation requires to be listed on the active users preview section of the
software.
Abbildung 5: Execution of persistent script code on skypes statusbar message main module
The vulnerability allows an remote attacker to implement malicious persistent script code over an input field
(myphone) on the user profile settings. The successfully exploitation of the vulnerability allows an attacker
to hijack customer sessions or can lead to malicious persistent script code execution over the review display
listing of active users.
Abbildung 6: Vulnerable Input Field of the Skype Profile Section
Abbildung 7: Hijack Skype Session Information via Persistent XSS
Schema: Install => Login => Change profile my-phone input (Script Code HTML/JS) => Save Input =>
Redisplay in active user preview (Exploitation)
PoC: "><iframe src='' onload=alert('mphone')>
Skype 5.2.x & 5.3.x – Pointer Vulnerability (Memory Corruption) (Map: 4.2.4)
After we found a non restricted input field on the directory request we have done some input tests. Benjamin
K.M. Detected critical pointer vulnerability which is vulnerable to the Mac OSx & Windows version of
Skype. The bug/vulnerability is located in 2 input forms of a unicode http search request to the Skype search
directory server. The vulnerability allows an local attacker to crash the complete Skype process via an
unknown unhandled software exception(memory-corruption).
After this unknown unhandled exception we tried to include different large inputs with chars like %, 0, A+
A short while later we got the following results on Mac OS version of the Skype client ...
After a short look at the debugger we saw that the software was requesting the search directory with our
large string inside. The content was too big to process & the client crashes after the input of the large unicode
search string. When the user tries to dump the process the growing memory on the process freeze.
Schema: Install => Login => Open "Geschäftsempfehlungen" => Insert large uni-code string => Requesting
Find Directory Server => AppCrash (Memory Corruption)
Skype 5.3.x – Transfer Buffer Overflow Vulnerability (Map:4.2.5)
Next, I got busy testing transfers of data in different system modes. This means, for instance, someone
sending a file to someone else while your status is set to Away. Then the files can't be sent or received, and
are stuck in the query. Then the other user sets their status to Away. The data query is stopped between the
messengers. When the user has sent a file and it goes into stand-by, upon awakening, the result is a remote
buffer overflow on 32 and 64 bit versions of Windows 7.
We also recorded some pictures of the access violations around the local buffer overflow & BEX exceptions.
Schema: Install => Login => Startup Data Transfer => Unavailable Mode => Stand-by Mode => Re-activate =>
Buffer Overflow (BEX)
Skype does not allow to send transfer of files when the status is unavailable or busy. When the conversation
is started & a user transfers a file & the receiver acknowledges the process ... He can switch when processing
in another mode. By switching to the stand-by mode with your box the running transfer got held on the query
with no reaction. The successful exploitation may result in a remote buffer overflow on both client sides.
6. Skype Security, Repsonse/Patch & Cooperation
First we want to talk about the respone/patch time-line and feedback that we got from the Skype security
team. After our third submission we got forwarded to a security developer of the Skype. He was responsible
for testing and verifying the bugs that we found. The process is described below to get a general idea of how
things went.
Information Disclosure > Feedback/Response > Verification > Reproduce > Fix/Patch
To get an idea on how fast the whole proces was the general time line of the persistant software bug
with a rating of high is shown below.
2011-07-10: Vendor Notification
2011-07-11: Vendor Response/Feedback
2011-07-12: Vendor Fix/Patch
2011-07-15: Public or Non-Public Disclosure
This secon time-line shows the time-frame in which the persistent software vulnerability (OS
idependent) with a rating of high was fixed.
2011-07-22: Vendor Notification
2011-07-23: Vendor Response/Feedback
2011-08-01: Vendor Fix/Patch
2011-09-06: Public or Non-Public Disclosure
As you can see from the time-lines Skype has a very dedicated and fast working security team.
They are most of the time able to reproduce bugs in a short timespan and often they can confirm the
security issues within hours. When we submitted the first bug we got a fast response by the security
team which had been able to recreate the bug within minutes. As pointed out earlier after third bug
submission we got some help by a security developer of the skype team. He helped us on
verification & confirmed 4 of our found (6) (detected) vulnerabilities with a short time-span.
After our submissions arrived skype security responded:
Skype v5.3.x v2.2.x v5.2.x – Local 2 Remote Denial of Service Vulnerability
This will be fixed in future releases.
Skype 2.8.x, 5.3.x & 2.2.x – Persistent Software Vulnerability
We will ensure the trusted admin attack vector is fixed.
Skype 2.8.x & 5.3.x - Persistent Profile XSS Vulnerability
Reported and fixed.
Skype 5.2.x & 5.3.x – Pointer Vulnerability (Memory Corruption)
This will also be fixed in a future version.
Skype 5.3.x – Transfer Buffer Overflow Vulnerability
Skype has repeatedly failed to reproduce this issue based on the steps provided.
7. (Review) Security Session Videos
• 7.1 Skype (VoIP) - Denial of Service Vulnerability.wmv [HD]
• 7.2 Skype (VoIP) - Persistent Cross Site Scripting Vulnerability.wmv [HD]
• 7.3 Skype (VoIP) - [Pointer Bug] Memory Corruption.wmv [HD]

my skype : yamod.gas
contact me for more/help :)