Skype "NSRunAlertPanel" URI Argument Handler Format String

Release Date:
October 3rd, 2006

Severity:
High

Vendor:
Skype

Versions Affected:
Skype 1.5.0.79 and prior

Platforms Affected:
Apple Mac OS X 10.4 and prior

Overview:
A format string vulnerability exists in Skype for Mac. An attacker can send a user a specially crafted URL that causes the application to crash and/or execute arbitrary code.

Technical Details:
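The issue is due to incorrect handling of arguments passed to the NSRunAlertPanel (snprintf) function within the Skype URI handler. The second argument of NSRunAlertPanel is itself a format string, so the message built by stringWithFormat: is formatted a second time and any format specifiers carried in aTargetIdentity are interpreted. The affected code is shown below.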

NSRunAlertPanel(NSLocalizedString(@"Skype", @""),
    [NSString stringWithFormat:NSLocalizedString(@"Couldn't call to %@. Invalid username or SkypeOut number.", @""), aTargetIdentity],
    @"OK", nil, nil);

where aTargetIdentity == @"%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n"

The following URL triggers this flaw.

IFRAME SRC=skype:%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n
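
The double-formatting pattern described above and its fix, modelled in plain C as an added example (not Skype's code and not part of the original advisory). alert_panel is a hypothetical stand-in for NSRunAlertPanel, build_message stands in for the stringWithFormat: step, count_directives is an illustrative audit helper, and the %n identity is a constructed sample.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical stand-in for NSRunAlertPanel: msg_fmt is a FORMAT string. The
 * attribute lets GCC/Clang -Wformat-security flag a non-literal format. */
__attribute__((format(printf, 4, 5)))
int alert_panel(char *out, size_t n, const char *title,
                const char *msg_fmt, ...)
{
    char body[256];
    va_list ap;
    va_start(ap, msg_fmt);
    vsnprintf(body, sizeof body, msg_fmt, ap);
    va_end(ap);
    return snprintf(out, n, "[%s] %s", title, body);
}

/* Stage one (the stringWithFormat: step): identity is inserted as data. */
int build_message(char *out, size_t n, const char *identity)
{
    return snprintf(out, n, "Couldn't call to %s. Invalid username or "
                            "SkypeOut number.", identity);
}

/* Audit helper: count live directives ("%%" is an escaped percent sign).
 * Nonzero means the string must never sit in a format position. */
int count_directives(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        count++;
    }
    return count;
}

/* Hardened stage two: constant "%s" format; the message is passed as data. */
int show_call_error(char *out, size_t n, const char *identity)
{
    char msg[256];
    build_message(msg, sizeof msg, identity);
    return alert_panel(out, n, "Skype", "%s", msg);
}

int main(void) {
    char out[320]; /* the identity below is a constructed sample */
    show_call_error(out, sizeof out, "%n%n%n"); puts(out); return 0;
}
```

The flawed form would be alert_panel(out, n, "Skype", msg), which puts the user-influenced message in the format position. Compiling with -Wformat-security makes GCC or Clang warn on that call because of the format attribute.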

Vendor Status:
09/23/2006 - Vendor is notified.
09/29/2006 - Vendor acknowledges the vulnerability.
10/03/2006 - Vendor releases security patch.

Solution:
Install Skype 1.5, release 1.5.*.80 or later

Discovered by:
Tom Ferris
tommy[at]security-protocols[dot]com

Related Links:
http://security-protocols.com/vids/skype_osx_0day.htm
http://www.skype.com/security/skype-sb-2006-002.html
http://eBay.com

Security-Protocols.com :: 1999-2008