Slashdot Mirror


Did Russian Hackers Crash Skype?

An anonymous reader sends us to the www.xakep.ru forum where a poster claims that the worldwide Skype crash was caused by Russian hackers (in Russian). The claim is that they found a local buffer overflow vulnerability caused by sending a long string to the Skype authorization server. You can try Google's beta Russian-to-English translation, but the interesting part is the exploit code, and that's more readable in the original. The Washington Post reports that Skype has denied this rumor.

12 of 108 comments

  1. The code snippet seems to be wrong by ghost4096 · · Score: 4, Informative

    The loop body will never execute....

    1. Re:The code snippet seems to be wrong by tftp · · Score: 5, Funny

      It actually executes, I tried the loop just now.

    2. Re:The code snippet seems to be wrong by eggnoglatte · · Score: 4, Informative

      Hex constants in Perl, like C/C++, have to start with "0", so the correct syntax for what you describe would be 0xCCCCC. Without the leading 0, the expression gets interpreted as a variable name.

    3. Re:The code snippet seems to be wrong by svallarian · · Score: 5, Funny

      It's obviously a typo. Since it was Russian code, it was supposed to be xCCCP

      --
      I patented screwing your mom. But it got revoked for "prior art."
    4. Re:The code snippet seems to be wrong by ThePhilips · · Score: 4, Informative

      Well, this is a very very very old Russian hacker tradition: introduce a flaw in the crack/exploit to prevent it from being (ab)used by idiots.

      --
      All hope abandon ye who enter here.
    5. Re:The code snippet seems to be wrong by eneville · · Score: 4, Informative

      Hex constants in Perl, like C/C++, have to start with "0", so the correct syntax for what you describe would be 0xCCCCC. Without the leading 0, the expression gets interpreted as a variable name.
      no, octal numbers start with 0. hex numbers start with x. typo: no, octal numbers start with 0. hex numbers start with 0x.
  2. Translation by ACS+Solver · · Score: 5, Informative

    Here's the article's introductory part properly translated.

    "The reason for yesterday's downtime of the Skype network is research of Russian crackers, as reported by one of our readers.

    While searching for a local buffer overflow, a possibility was found to send a long string to the server, overflowing its buffer and causing the server to go down. Its place is taken by another server from the P2P network, the error arises on it in the same way, and so on. As a result, the entire Skype network refused service for several hours and the developer team was forced to turn off authentication.

    Here's the exploit code:"

    1. Re:Translation by mobby_6kl · · Score: 4, Informative
      You've got to be kidding, I was about to submit my own translation! :)

      Anyway, your version is probably a little better, so I'll contribute with something else. The script is very short too, so here it is:

      #!/usr/bin/perl
      # Simle Code by Maranax Porex ;D
      # Ya Skaypeg!!
       
      for ($i=256; $i>xCCCCC; $i=$i+256)
      {
      $eot='AAAA' x $i;
      call_sp();
      }
      exit;
       
      sub call_sp()
      {
      $str="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" \"/uri:$eot\"";
      system("$str");
      }

      The first page of comments seems to be just the usual bunch of trolls, assholes, and simply useless posts, except for one that claims the code has been shown not to do anything on a dedicated security site. The Skype article on the front page doesn't contain any additional information. The attack looks almost too simple to work, but I wasn't able to find any strong evidence that would suggest that it doesn't, at least not with a few quick searches.
  3. Re:IN SOVIET RUSSIA by Arthur+Grumbine · · Score: 4, Funny

    And the long string was... "In Soviet Russia we are tired of all the mindless obligatory comments about the beloved Motherland."

    --
    Now that I think about it, I'm pretty sure everything I just said is completely wrong.
  4. They hired DoS specialists against their own users by rpp3po · · Score: 4, Interesting

    Skype's login servers usually don't carry much load compared to the mass of traffic routed directly between all nodes via P2P. My guess is they just got overrun because they were not prepared for the worst case: ALL clients trying to connect AT THE SAME TIME to their master. I bet Slashdot wouldn't be prepared for all of its users connecting at the same time, either. But it doesn't need to be. It is never going to happen (why should it? - well how about December 1st, 1AM UTC everybody?). With Skype it's different. They should have been prepared for the case that whenever their network would be down for whatever reason all clients would try to connect concurrently! Obviously they weren't prepared. If you watched the aftermath closely you could see that they started filtering by IP on day two. Only a certain number of clients were allowed to connect per IP range. They probably hired super expensive DoS emergency contractors to get this back up. A hack is still possible, but I rather guess that it brought the network down, but did not keep it from coming back up. That was Skype's own fault.

  5. coincidence? by TheSHAD0W · · Score: 5, Informative

    I bet people are trying exploits against Skype (and other popular servers and services) all the time. If someone tries something funny, and the system crashes a few seconds afterwards, they may assume they were the cause.
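
On the dispute in the first comment thread over `xCCCCC` in the posted loop header: the following is an added example, not part of any comment or of the posted script, showing how Perl reads that token with and without the `0x` prefix and what `use strict` does with it. The `iterations` helper and its `$cap` limit are assumptions of this example; the loop body only counts and launches nothing.

```perl
#!/usr/bin/perl
# Added illustration of how Perl reads the loop bound discussed in the thread.
# It launches nothing: the loop body only counts iterations.
use warnings;    # no `use strict`, matching the posted script

my @warned;
$SIG{__WARN__} = sub { push @warned, $_[0] };

# Iterations of `for ($i=256; $i > $bound; $i=$i+256)`, stopped at $cap.
# $cap is an assumption of this example so an unbounded loop still ends.
sub iterations {
    my ($bound, $cap) = @_;
    my $n = 0;
    for (my $i = 256; $i > $bound; $i = $i + 256) {
        last if ++$n >= $cap;
    }
    return $n;
}

my $cap = 1000;

# As posted: without strict, xCCCCC is a bareword, i.e. the string "xCCCCC".
my $bareword  = xCCCCC;
my $as_number = $bareword + 0;    # non-numeric string numifies to 0 and warns
printf "bareword      : '%s' -> %d\n", $bareword, $as_number;
printf "  warning     : %s", $warned[0] // "(none)\n";
printf "  iterations  : %d (cap %d)\n", iterations($bareword, $cap), $cap;

# With the 0x prefix the token is a hexadecimal literal.
printf "0xCCCCC       : %d\n", 0xCCCCC;
printf "  iterations  : %d\n", iterations(0xCCCCC, $cap);

# A leading 0 alone means octal; hex() and oct() convert strings at run time.
printf "0777          : %d\n", 0777;
printf "hex('CCCCC')  : %d\n", hex('CCCCC');
printf "oct('0xCCCCC'): %d\n", oct('0xCCCCC');

# `use strict` rejects the bareword at compile time instead of guessing.
my $ok = eval q{ use strict; my $bound = xCCCCC; 1 };
print "under strict  : ", ($ok ? "compiled\n" : $@);
```

The bareword case is why `use strict` and `use warnings` matter when reviewing scripts like this: the same header silently means two different loops depending on one missing character.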