CVE Discovered in SKYPE VoIP SoftPhone
Bulletin title: Buffer overflow in Skype-specific URI and VCARD import handling
Bulletin ID: SKYPE-SB/2005-002
Bulletin status: FINAL
Date of announcement: 2005-10-25 13:00:00 +0000
Date of last revision: 2005-10-27 15:05:15 +0000
Products affected: Skype for Windows
Vulnerability type: Buffer overflow
CVE references: CVE-2005-3265 http://cve.mitre.org/cgi-bin/cvename.cgi?name=2005-3265
Risk assessment: HIGH
CVSS base score: 10.0 (AV:R/AC:L/Au:NR/C:C/I:C/A:C/B:N)
Cross-references: http://qc.borland.com/wc/qcmain.aspx?d=4744
                  SKYPE-SB/2004-001 (formerly SSA-2004-01)
Table of contents:
Problem description and brief discussion
Impact and affected software
Solution or work-around
Special instructions and notes
Software download location
Authenticity verification
Common Vulnerability Scoring System (CVSS) assessment
Credits and additional information
Bulletin release history
Notices
1. Problem description and brief discussion
Description
A security bug in the Skype for Windows user client has been identified and fixed.
Skype can be made to execute arbitrary code through a buffer overflow when Skype is called upon to handle malformed URLs that are in Skype-specific URI types callto:// and skype://.
In addition, Skype can be made to execute arbitrary code during importation of a VCARD that is in a specific non-standard format.
Discussion
This bug is a subsidiary effect of documented Borland Delphi bug 4744 (http://qc.borland.com/wc/qcmain.aspx?d=4744).
Skype has replaced instances of the offending routine with one that performs proper bounds-checking.
Note that this bug is similar to the issue previously reported in SKYPE-SB/2004-001 (formerly numbered as SSA-2004-01), but was not caused by a reintroduction of the previously fixed source code.
This is tracked by Mitre CVE ID CVE-2005-3265.
2. Impact and affected software
Impact
A user could cause arbitrary code to be executed if a specially-crafted Skype-specific URL is clicked or if a specially-crafted VCARD is imported.
Affected software
The following Skype clients are vulnerable to this attack:
Skype for Windows: Releases 1.1.*.0 through 1.4.*.83
3. Solution or work-around
An official fix to the issue covered by this Security Bulletin has been released. To implement this fix, update to one of the following releases of Skype. (Downloading instructions are shown in Section 4 of this Bulletin.)
Skype for Windows: Release 1.4.*.84 or later
As a work-around prior to updating the Skype software, this bug may be avoided by not selecting Skype-specific URIs and not importing VCARD records.
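An added example, not part of the bulletin: a small inventory check that parses Skype for Windows version strings and flags those inside the affected range above. It assumes that the wildcard third component of the version is irrelevant to the comparison and that releases older than 1.1 are outside the range the bulletin describes.

```python
"""Added example (not Skype's code): decide whether a reported Skype for
Windows version falls in the range this bulletin marks as vulnerable."""
import re

# Ranges taken from the bulletin.  The '*' in the third position is a
# wildcard, so (assumption) only major, minor and build are compared.
VULNERABLE_FIRST = (1, 1, 0)    # 1.1.*.0
VULNERABLE_LAST = (1, 4, 83)    # 1.4.*.83
FIXED_FIRST = (1, 4, 84)        # 1.4.*.84 or later carries the fix

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+|\*)\.(\d+)$")


def parse_version(text):
    """Return (major, minor, build) from 'a.b.c.d', ignoring c (wildcard slot)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("not a Skype version string: %r" % text)
    major, minor, _, build = m.groups()
    return (int(major), int(minor), int(build))


def is_vulnerable(text):
    """True if the version lies within the bulletin's affected range.
    Versions before 1.1 are not listed by the bulletin and report False."""
    v = parse_version(text)
    return VULNERABLE_FIRST <= v <= VULNERABLE_LAST


def triage(inventory):
    """Map host -> 'update required' / 'ok' for a {host: version} inventory."""
    return {host: ("update required" if is_vulnerable(ver) else "ok")
            for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real data.
    sample = {"ws-01": "1.4.0.83", "ws-02": "1.4.0.84",
              "ws-03": "1.2.0.48", "ws-04": "1.0.0.106"}
    for host, state in sorted(triage(sample).items()):
        print(host, state)
```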
4. Special instructions and notes
None.
5. Software download location
The preferred method for installing security updates is to download the software directly from Skype's website, from the website of Skype's authorized partners, or from a reliable mirror site. Skype may also be safely downloaded from other locations, but in this case it is particularly important that you verify the authenticity of the download.
We recommend that once you download any Skype software that you verify its integrity by the methods listed in Section 6 of this Bulletin.
You may install Skype by running the Skype installer using the installation commands displayed under the appropriate operating system listed at http://www.skype.com/download/.
x86 platform, Microsoft Windows 2000 or Microsoft Windows XP: http://www.skype.com/products/skype/windows/
x86 platform, Linux: http://www.skype.com/products/skype/linux/
PPC platform, Mac OS X v10.3 (Panther) or later: http://www.skype.com/products/skype/macosx/
Pocket PC platform, Microsoft Windows Mobile 2003: http://www.skype.com/products/skype/pocketpc/
6. Authenticity verification
- Bulletin authenticity verification:
Skype security bulletins are published on Skype's web site and via mailing lists. The authenticity and integrity of a Skype security bulletin may be determined by inspecting the cryptographic signature that is attached to each bulletin. All Skype security bulletins are published with a valid digital signature produced by PGP.
- Software authenticity verification:
Both the Skype installer program and the Skype program that is installed by the installer are digitally signed.
For Skype software built for Microsoft Windows operating environments, the digital certificate used by Skype to sign software packages is signed by "VeriSign Class 3 Code Signing 2004 CA".
For Skype software built for Linux platforms, all packages are signed by PGP key ID 0xD66B746E, the public component of which may be downloaded from http://www.skype.com/products/skype/linux/.
- For general information about Skype security, please visit the Skype Security Resource Center at http://www.skype.com/security/.
7. Common Vulnerability Scoring System (CVSS) assessment
Skype has rated the issue covered by this Security Bulletin under the CVSS scheme as follows:
Base metrics:
Access Vector (AV) ........... Remote
Access Complexity (AC) ....... Low
Authentication (Au) .......... Not Required
Confidentiality Impact (C) ... Complete
Integrity Impact (I) ......... Complete
Availability Impact (A) ...... Complete
Impact Bias (B) .............. Normal
Computed CVSS base score: 10.0
Temporal metrics as of 2005-10-25
Exploitability (E) ........... Functional
Remediation Level (RL) ....... Official Fix
Report Confidence (RC) ....... Confirmed
Computed CVSS temporal score: 8.3
Skype participates in the CVSS by rating each identifiable security vulnerability against the CVSS base metrics. In addition, Skype may rate each vulnerability against temporal metrics from time to time. As suggested by the name, temporal metrics for a particular vulnerability may change from time to time.
More information about the CVSS may be obtained from the CVSS host website at http://www.first.org/cvss/.
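The scoring above, recomputed as an added example (not part of the bulletin) from the published vector string using the metric weights of the original CVSS version 1 specification; the short keys used for the temporal metrics are this example's own.

```python
"""Added example (not from the bulletin): recompute the CVSS v1 base and
temporal scores from the vector string the bulletin publishes."""
from decimal import Decimal, ROUND_HALF_UP

D = Decimal
# CVSS v1 base metric weights (2005 specification)
BASE_WEIGHTS = {
    "AV": {"L": D("0.7"), "R": D("1.0")},                # Access Vector
    "AC": {"H": D("0.8"), "L": D("1.0")},                # Access Complexity
    "Au": {"R": D("0.6"), "NR": D("1.0")},               # Authentication
    "C": {"N": D("0"), "P": D("0.7"), "C": D("1.0")},    # Confidentiality
    "I": {"N": D("0"), "P": D("0.7"), "C": D("1.0")},    # Integrity
    "A": {"N": D("0"), "P": D("0.7"), "C": D("1.0")},    # Availability
}
# Impact Bias (B): relative weight of the C, I and A impacts
BIAS = {
    "N": (D("0.333"), D("0.333"), D("0.333")),
    "C": (D("0.5"), D("0.25"), D("0.25")),
    "I": (D("0.25"), D("0.5"), D("0.25")),
    "A": (D("0.25"), D("0.25"), D("0.5")),
}
# Temporal weights; the short keys (F, OF, C, ...) are this example's own
TEMPORAL_WEIGHTS = {
    "E": {"U": D("0.85"), "POC": D("0.9"), "F": D("0.95"), "H": D("1.0")},
    "RL": {"OF": D("0.87"), "TF": D("0.9"), "W": D("0.95"), "U": D("1.0")},
    "RC": {"UC": D("0.9"), "UR": D("0.95"), "C": D("1.0")},
}


def _round1(x):
    """CVSS rounds scores to one decimal place."""
    return float(x.quantize(D("0.1"), rounding=ROUND_HALF_UP))


def parse_vector(vector):
    """'AV:R/AC:L/Au:NR/C:C/I:C/A:C/B:N' -> {'AV': 'R', 'AC': 'L', ...}"""
    return dict(part.split(":", 1) for part in vector.split("/"))


def base_score(vector):
    """10 * AV * AC * Au * (C*Cbias + I*Ibias + A*Abias), rounded."""
    m = parse_vector(vector)
    cb, ib, ab = BIAS[m["B"]]
    impact = (BASE_WEIGHTS["C"][m["C"]] * cb + BASE_WEIGHTS["I"][m["I"]] * ib
              + BASE_WEIGHTS["A"][m["A"]] * ab)
    exploitability = (BASE_WEIGHTS["AV"][m["AV"]] * BASE_WEIGHTS["AC"][m["AC"]]
                      * BASE_WEIGHTS["Au"][m["Au"]])
    return _round1(D(10) * exploitability * impact)


def temporal_score(base, exploitability, remediation, confidence):
    """base * E * RL * RC, rounded; 10.0 with F/OF/C gives the bulletin's 8.3."""
    w = TEMPORAL_WEIGHTS
    return _round1(D(str(base)) * w["E"][exploitability]
                   * w["RL"][remediation] * w["RC"][confidence])
```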
8. Credits and additional information
This bug was referred to SKY-CERT by an external referrer, Mark Litchfield of Next Generation Security Software (NGSS), who did the research concerning VCARD importation. Based on this, Mark Rowe of Pentest Limited identified the same bug as it related to long URL handling. We would like to thank and credit these individuals for having referred this issue to Skype.
9. Bulletin release history
2005-10-25 Initial bulletin release
2005-10-27 Updated to correct credit information
10. Notices
Copyright 2005 Skype Technologies, S.A. All rights reserved.
This Skype Security Bulletin may be reproduced and distributed, provided that the Bulletin is not modified in any way and is attributed to Skype Technologies, S.A. and provided that reproduction and distribution is performed for non-commercial purposes.
This Skype Security Bulletin is provided to you on an "AS IS" basis and may contain information provided by third parties. Skype makes no guarantees or warranties as to the information contained herein. ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED.
