Info

Disclosure

Nov 15, 2004

Discovery

Unknown

Dates

Exploit

Unknown

Solution

Unknown

Description

A remote overflow exists in Skype. The application fails to perform proper bounds checking resulting in a buffer overflow. By issuing a specially crafted callto:// URI request containing a non-existent username with 4,096 bytes or more, a remote attacker can cause arbitrary code execution resulting in a loss of integrity.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Unknown
Disclosure: OSVDB Verified
OSVDB: Web Related

Solution

Upgrade to version 1.0.0.100 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

Skype Technologies S.A.

Skype

1.0.0.97

References

Bugtraq ID: 11682
Secunia Advisory ID: 13191
ISS X-Force ID: 18063
CVE ID: 2004-1114 (see also: NVD)
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-11/0200.html
Vendor URL: http://www.skype.com/
Vendor Specific News/Changelog Entry: http://www.skype.com/products/skype/windows/changelog.html
Vendor Specific Advisory URL: http://www.skype.com/security/ssa-2004-02.txt

Credit

Berend-Jan Wever - skylinededup.tudelft.nl -

Direct URL: http://osvdb.org/36218