SSA-2004-02: CALLTO HANDLING BUFFER OVERFLOW

Skype Security Advisory, November 17 2004

Overview

Certain versions of Skype for Windows contain a buffer overflow vulnerability that could possibly allow a remote attacker to execute arbitrary code with the privileges of the user running Skype.

Systems Affected

Microsoft Windows systems running Skype for Windows versions 1.0.*.94 to 1.0.*.98.

I. Description

A buffer overflow vulnerability exists in the way Skype parses command-line arguments. If Skype is executed with a command line longer than approximately 4096 characters, Skype would report an Access Violation and terminate. However, an attacker could use this vulnerability to overwrite the program stack with data given in the command line, thus giving rise to the possibility of injected code execution.

This vulnerability could be exploited in conjunction with the Skype-specific callto: URL. Once registered, Windows passes any callto: URL to Skype as a command-line argument. Therefore, if the user follows a specially-crafted long callto: URL, the victim instance of Skype could execute arbitrary code supplied by the attacker in the URL.

II. Impact

By inducing a user to click on a specially crafted callto: URL on a web page or in an HTML e-mail message, an attacker could possibly execute arbitrary code with the privileges of the user. The attacker could also cause Skype to crash.

III. Solution

Upgrade to Skype for Windows version 1.0.0.100 or higher.

http://www.skype.com/download/

IV. Credit

Skype thanks Fabian Becker for discovering and reporting this issue.

Contact

The security of users is Skype's highest priority. You can contact Skype Product Security Incident Response Team (PSIRT) by e-mailing securityskype.net. Past advisories and the Skype PSIRT PGP key are available at http://www.skype.com/security/.