Slashdot Mirror


Did Russian Hackers Crash Skype?

An anonymous reader sends us to the www.xakep.ru forum where a poster claims that the worldwide Skype crash was caused by Russian hackers (in Russian). The claim is that they found a local buffer overflow vulnerability caused by sending a long string to the Skype authorization server. You can try Google's beta Russian-to-English translation, but the interesting part is the exploit code, and that's more readable in the original. The Washington Post reports that Skype has denied this rumor.


  1. The code snippet seems to be wrong by ghost4096 · · Score: 4, Informative

    The loop body will never execute....

    1. Re:The code snippet seems to be wrong by eggnoglatte · · Score: 4, Informative

      Hex constants in Perl, like C/C++, have to start with "0", so the correct syntax for what you describe would be 0xCCCCC. Without the leading 0, the expression gets interpreted as a variable name.

    2. Re:The code snippet seems to be wrong by lgftsa · · Score: 3, Informative

      It's the other way around. xCCCC is not a valid number in perl, so the loop will never exit.

    3. Re:The code snippet seems to be wrong by ThePhilips · · Score: 4, Informative

      Well, this is a very, very, very old Russian hacker tradition: introduce a flaw in the crack/exploit to prevent it from being (ab)used by idiots.

      --
      All hope abandon ye who enter here.
    4. Re:The code snippet seems to be wrong by eneville · · Score: 4, Informative

      Hex constants in Perl, like C/C++, have to start with "0", so the correct syntax for what you describe would be 0xCCCCC. Without the leading 0, the expression gets interpreted as a variable name.

      No, octal numbers start with 0. Hex numbers start with x. Typo: no, octal numbers start with 0. Hex numbers start with 0x.
  2. Translation by ACS+Solver · · Score: 5, Informative

    Here's the article's introductory part properly translated.

    "The reason for yesterday's downtime of the Skype network is research of Russian crackers, as reported by one of our readers.

    While searching for a local buffer overflow, a possibility was found to send a long string to the server, overflowing its buffer and causing the server to go down. Its place is taken by another server from the P2P network, the error arises on it in the same way, and so on. As a result, the entire Skype network refused service for several hours and the developer team was forced to turn off authentication.

    Here's the exploit code:"

    1. Re:Translation by mobby_6kl · · Score: 4, Informative
      You've got to be kidding, I was about to submit my own translation! :)

      Anyway, your version is probably a little better, so I'll contribute with something else. The script is very short too, so here it is:

      #!/usr/bin/perl
      # Simle Code by Maranax Porex ;D
      # Ya Skaypeg!!
       
      for ($i=256; $i>xCCCCC; $i=$i+256)
      {
      $eot='AAAA' x $i;
      call_sp();
      }
      exit;
       
      sub call_sp()
      {
      $str="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" \"/uri:$eot\"";
      system("$str");
      }

      The first page of comments seems to be just the usual bunch of trolls, assholes, and simply useless posts, except for one that claims the code has been shown not to do anything on a dedicated security site. The Skype article on the front page doesn't contain any additional information. The attack looks almost too simple to work, but I wasn't able to find any strong evidence that would suggest that it doesn't, at least not with a few quick searches.
  3. Re:Look by Traa · · Score: 2, Informative
    You think that strncpy is safe??

    The following code snippets assume pszSrc is smaller or equal to 50 chars

    // Example #1

    #define MAX (50)
    char *pszDest = malloc(sizeof(pszSrc));
    strncpy(pszDest,pszSrc,MAX);

    // Example #2

    #define MAX (50)
    char szDest[MAX];
    strncpy(szDest,pszSrc,MAX);

    // Example #3

    #define MAX (50)
    char szDest[MAX];
    strncpy(szDest,pszSrc,MAX);
    szDest[MAX] = '\0';

    // Example #4

    #define MAX (50)
    char szDest[MAX];
    strncpy(szDest,pszSrc,MAX-1);
    strncat(szDest,pszSrc,MAX-1);

    // Example #5

    char szDest[50];
    _snprintf(szDest, strlen(szDest), "%s",szSrc);

    Which of the above is safe?

    Not a single one!

    #1: sizeof(pszSrc) is 4 if pszSrc is a pointer, not a statically allocated array.
    #2: szDest is left unterminated if strlen(pszSrc) equals MAX
    #3: Writing "szDest[MAX]" overruns the array
    #4: Misuse of the size parameter to strncat, it should be the space left, not the total space in the array.
    #5: Author of that code doesn't understand strlen ;)

    Sorry, you didn't get the job.

    The above snippet was taken from here
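
Added example (not part of the comment above or of the snippet it quotes): bounded-copy helpers in C that avoid each of the five mistakes listed, with the pitfall number noted beside the line that addresses it. The helper names and the sample string are assumptions made for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copy src into dst (capacity cap bytes), always NUL-terminating.
 * Returns 0 on success, -1 if src did not fit and was truncated. */
int copy_bounded(char *dst, size_t cap, const char *src)
{
    if (cap == 0) return -1;
    size_t n = strlen(src);
    int truncated = n >= cap;
    if (truncated) n = cap - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';              /* highest valid index is cap-1, never cap (#2, #3) */
    return truncated ? -1 : 0;
}

/* Append src to dst; the bound handed on is the space LEFT, not the array size (#4). */
int append_bounded(char *dst, size_t cap, const char *src)
{
    char *end = memchr(dst, '\0', cap);
    if (!end) return -1;        /* dst is not terminated inside its own capacity */
    size_t used = (size_t)(end - dst);
    return copy_bounded(end, cap - used, src);
}

/* Heap copy sized from the string length, not from sizeof(pointer) (#1). */
char *dup_string(const char *src)
{
    size_t n = strlen(src) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, src, n);
    return p;
}

/* Formatting bounded by the destination's capacity, not strlen(dst) (#5). */
int format_bounded(char *dst, size_t cap, const char *src)
{
    int r = snprintf(dst, cap, "%s", src);
    return (r < 0 || (size_t)r >= cap) ? -1 : 0;
}

int main(void)
{
    char buf[50];               /* constructed 50-character input: one byte too long */
    const char *src = "0123456789" "0123456789" "0123456789" "0123456789" "0123456789";
    printf("rc=%d len=%zu\n", copy_bounded(buf, sizeof buf, src), strlen(buf));
    return 0;
}
```

Each helper reports truncation through its return value, so the caller can reject over-long input instead of silently working with a cut-off string.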
  4. coincidence? by TheSHAD0W · · Score: 5, Informative

    I bet people are trying exploits against Skype (and other popular servers and services) all the time. If someone tries something funny, and the system crashes a few seconds afterwards, they may assume they were the cause.

  5. Re:Look by cortana · · Score: 2, Informative
  6. Just watch the Skype blogs... by vistic · · Score: 2, Informative

    The Skype blog had info being posted all during the outage, and will have a summary of what happened soon. They never indicated it was anything related to any outside intrusion.

  7. Re:They hired DoS specialists against their own us by FireFury03 · · Score: 2, Informative

    I use Skype a fair amount, and I find it rather flaky.

    Why don't you switch to an open protocol which might not be so flakey?

    If anyone has had good experiences with alternatives to Skype, that are multi-platform and support voice conferencing of 4-8 people, please let me know!

    Set up a CallWeaver server. I use CallWeaver as my server and Ekiga as my softphone and it works fine (also a UTStarCom F1000G as a WiFi phone, but I have all sorts of problems with that owing to UTStarCom's flakey firmware which they won't fix). At my old job we found that SJPhone and X-Lite were reasonable alternatives to Ekiga for the Windows users (although there is a Windows version of Ekiga but my experience is that it's not entirely stable).

    You can also use one of the many SIP/PSTN gateways, such as VoIPUser, to gateway calls in from the PSTN if not everyone is able to use VoIP.

  8. Re:Skype and Patriot act maybe not hackers? by RAMMS+EIN · · Score: 2, Informative

    Man, you ever notice that return key on your keyboard? You should use it once in a while...

    --
    Please correct me if I got my facts wrong.