Skype "NSRunAlertPanel" URI Argument Handler Format String


Release Date:
October 3rd, 2006

Severity:
High

Vendor:
Skype

Versions Affected:
Skype 1.5.0.79 and prior


Platforms Affected:
Apple Mac OS X 10.4 and prior


Overview:
A format string vulnerability exists within Skype for Mac. An attacker can send a user a specially crafted URL that causes the application to crash or to execute arbitrary code.

Technical Details:
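The issue is due to incorrect handling of arguments passed to the NSRunAlertPanel (snprintf) function within the Skype URI handler. The message parameter of NSRunAlertPanel is itself a printf-style format string, so the string already built by stringWithFormat: from aTargetIdentity is interpreted as a format a second time. Below is the affected code.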

NSRunAlertPanel(NSLocalizedString(@"Skype", @""),
[NSString stringWithFormat:NSLocalizedString(@"Couldn't call to %@. Invalid username or SkypeOut number.", @""), aTargetIdentity] , @"OK",nil,nil);


where aTargetIdentity == @"%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n"


The following URL will trigger this flaw.


IFRAME SRC=skype:%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n
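
The double interpretation described above, reduced to portable C as an added example (not Skype's code and not part of the original advisory). alert_panel() is a hypothetical stand-in for NSRunAlertPanel, whose message parameter is likewise a format string, and the probe value "50%%off" is constructed and harmless because "%%" consumes no argument.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define TEMPLATE "Couldn't call to %s. Invalid username or SkypeOut number."

/* Hypothetical stand-in for NSRunAlertPanel: msg_format is a format string.
 * Renders the alert text into out instead of showing a dialog. */
static void alert_panel(char *out, size_t n, const char *msg_format, ...)
{
    va_list ap;
    va_start(ap, msg_format);
    vsnprintf(out, n, msg_format, ap);
    va_end(ap);
}

/* Pattern from the advisory: preformat with user data, then hand the
 * result to the alert function in the format-string position. */
void alert_vulnerable(char *out, size_t n, const char *target)
{
    char msg[256];
    snprintf(msg, sizeof msg, TEMPLATE, target); /* pass 1: target copied verbatim */
    alert_panel(out, n, msg);                    /* pass 2: '%' in target is parsed */
}

/* Hardened form: constant format, preformatted text passed as data. */
void alert_hardened(char *out, size_t n, const char *target)
{
    char msg[256];
    snprintf(msg, sizeof msg, TEMPLATE, target);
    alert_panel(out, n, "%s", msg);
}

/* Returns 1 if target appears unchanged in the rendered alert, 0 if the
 * alert function re-interpreted it as a format string. */
int rendered_verbatim(void (*alert)(char *, size_t, const char *),
                      const char *target)
{
    char out[512];
    alert(out, sizeof out, target);
    return strstr(out, target) != NULL;
}

int main(void)
{
    const char *probe = "50%%off"; /* constructed benign input */
    printf("vulnerable keeps input verbatim: %d\n", rendered_verbatim(alert_vulnerable, probe));
    printf("hardened keeps input verbatim:   %d\n", rendered_verbatim(alert_hardened, probe));
    return 0;
}
```

In the Objective-C call, the equivalent change is to pass @"%@" as the message format and supply the preformatted NSString as its argument after the button titles.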


Vendor Status:
09/23/2006 - Vendor is notified.
09/29/2006 - Vendor acknowledges the vulnerability.
10/03/2006 - Vendor releases security patch.


Solution:
Install Skype 1.5, release 1.5.*.80 or later


Discovered by:
Tom Ferris
tommy[at]security-protocols[dot]com

Related Links:
http://security-protocols.com/vids/skype_osx_0day.htm
http://www.skype.com/security/skype-sb-2006-002.html
http://eBay.com


2006 Security-Protocols LLC