
Security

A trojan for Skype

By Jake Edge
September 2, 2009

A recent report about a Skype trojan that could extract voice calls as mp3 files and ship them off to other locations led to an interesting discussion on the Fedora users mailing list. The trojan itself is somewhat unsurprising as there have been persistent rumors about wiretapping back doors in Skype for some time. The trojan is Windows-only, but it does come with most of the source code, which makes it interesting to those who study malware. While not a direct threat to Linux users, it does highlight a number of privacy and security issues to ponder.

Skype is a popular voice over IP (VoIP) application that runs on Linux, Mac OS X, and Windows. Part of its appeal is that there are many users of the free (as in beer) software, so folks can make free phone calls to many of their friends and family. But it is a closed source tool that resists attempts to reverse-engineer its protocol, so there are no interoperable free (as in freedom) equivalents.

Daniel B. Thurman brought up the trojan and wondered if it was an example of the back doors or interception facilities that governments have long been rumored to be pushing for Skype. That set off a thread in which "black helicopters" made a tongue-in-cheek appearance, but there were also more serious postings. Marko Vojinovic asked whether there are ongoing attempts to reverse-engineer the Skype protocol:

I have a feeling that the majority of Linux users would switch to Ekiga or something else open source, if only it gave them support to communicate with skype peers on the other end. Linux folks (myself included) use skype mainly because all their friends and other contacts also use it, and it is completely impossible to convince them all to go the open source way. But if Ekiga would support the protocol, it would eliminate the need to install or use skype binary itself, while functionality would be preserved. Not to mention better support for sound and video hardware etc.

There are a number of problems with that, as was pointed out, including the likelihood that Skype would change the protocol to cripple interoperability, much as instant messaging companies have done along the way. Roberto Ragusa noted that there have been people who looked at Skype, but they "found that it contains tons and tons of cryptography, obfuscation and countermeasures against debugging or reverse engineering." That is of concern he said because one cannot be sure of exactly what it's doing: "A closed source code like that and with an explicit purpose to build a crypted P2P network bypassing firewalls with every trick possible is something to be nervous about."

Alan Cox had some additional thoughts on reverse-engineering the code: "The person who completely reverse engineers skype probably destroys it. If you can write a skype client [then] the spammers can write skype spam tools as well." He also mentions the "mostly circumstantial" evidence that law enforcement has added intercept facilities to Skype itself. Furthermore, anyone who might be working on the problem has good reason to do it quietly, he said:

I would imagine anyone doing so is keeping fairly quiet - there is big money on offer from the bad guys for skype trojans, intercepts and clients, while anyone on the good side fiddling with it faces jail and [harassment] - a fine example of perverse economic incentives.

So, we have a closed source application, which uses malware-like techniques to obfuscate its functioning, and folks willingly run it on their computers. In some ways, that's no different than any other closed source application, but there are a few differences. Skype, by its very nature, must use the network to send encrypted data to multiple untrusted machines elsewhere. While it may not be compromised by governmental authorities in the standard binary, it is a known target of those entities, and this trojan demonstrates a way that it might be compromised. Overall, it would seem there are a few risks to both security and privacy from that kind of application—more so than a closed source word processor or non-networked game.

Free software solutions, like Ekiga, may be able to overcome some of the shortcomings of Skype. But, if those solutions become popular, they are likely to run afoul of the spammers and scammers that Cox warns about. It's likely to be true of regular and cellular phone service as well, but a warning from "Tim" in the thread is worth repeating:

Moral of the story; don't conduct illegal business over it, don't conduct legal but confidential conversations over it; and if you're in one of those places where criticising the government has nasty repercussions, I wouldn't do that over it, either.

While Skype provides a nice service—without charge in many cases—it does present a bit of a privacy headache. If it can be subverted for wiretapping purposes, it can undoubtedly be subverted for other reasons. Some of those could present security headaches as well. Since we don't really know what the Skype code does when it isn't infected, it will be difficult to determine if its behavior changes in a malicious way. That should be a little worrisome.


Brief items

What the Internet knows about you

A new site at whattheinternetknowsaboutyou.com is an interesting demonstration of CSS-related browser history disclosure vulnerabilities. This site is able to produce a surprisingly comprehensive list of sites that one has visited, down to the level of specific pages on social networking sites and such. No JavaScript required. There's also information on just how the site works and how the disclosure of information can be minimized. "It is a source of amazement to us that such an obvious and well-documented history sniffing channel has been allowed to exist for so many years. We cannot help but wonder why, despite all the malicious potential, such a hole has not yet been closed."


Illustrating the Linux sock_sendpage() NULL pointer dereference

Ramon de Carvalho Valle has released an exploit for the Linux sock_sendpage null pointer dereference vulnerability. The exploit was originally written to determine whether it was exploitable on the Power/Cell architecture, but was later expanded for i386 and x86_64. Many distribution kernels were tested using the exploit, and the results are included in the report to the bugtraq mailing list. The code may be of general interest, but also could be used on other kernels to determine if the problem has been addressed. Click below for the full report along with a link to the code.

Full Story (comments: 3)

Apache.org compromised

The Apache project has suffered a server compromise which took the site off the net for some hours. "To the best of our knowledge at this time, no end users were affected by this incident, and the attackers were not able to escalate their privileges on any machines. While we have no evidence that downloads were affected, users are always advised to check digital signatures where provided."


New vulnerabilities

dnsmasq: heap overflow, NULL pointer dereference

Package(s): dnsmasq    CVE #(s): CVE-2009-2957, CVE-2009-2958
Created: September 1, 2009    Updated: October 14, 2009
Description: From the Red Hat advisory:

Core Security Technologies discovered a heap overflow flaw in dnsmasq when the TFTP service is enabled (the "--enable-tftp" command line option, or by enabling "enable-tftp" in "/etc/dnsmasq.conf"). If the configured tftp-root is sufficiently long, and a remote user sends a request that sends a long file name, dnsmasq could crash or, possibly, execute arbitrary code with the privileges of the dnsmasq service (usually the unprivileged "nobody" user). (CVE-2009-2957)

A NULL pointer dereference flaw was discovered in dnsmasq when the TFTP service is enabled. This flaw could allow a malicious TFTP client to crash the dnsmasq service. (CVE-2009-2958)

Alerts:
Fedora FEDORA-2009-10285 dnsmasq 2009-10-06
Gentoo 200909-19 dnsmasq 2009-09-20
Ubuntu USN-827-1 dnsmasq 2009-09-01
Debian DSA-1876-1 dnsmasq 2009-09-01
CentOS CESA-2009:1238 dnsmasq 2009-09-01
SuSE SUSE-SR:2009:014 dnsmasq, icu, libcurl3/libcurl2/curl/compat-curl2, Xerces-c/xerces-j2, tiff/libtiff, acroread_ja, xpdf, xemacs, mysql, squirrelmail, OpenEXR, wireshark 2009-09-01
Red Hat RHSA-2009:1238-01 dnsmasq 2009-08-31
Fedora FEDORA-2009-10252 dnsmasq 2009-10-06


gfs2-utils: temporary file vulnerabilities

Package(s): gfs2-utils    CVE #(s): CVE-2008-6552
Created: September 2, 2009    Updated: February 16, 2011
Description: The gfs2-utils package suffers from multiple temporary file vulnerabilities which could be exploited by a local hacker to overwrite arbitrary files.
Alerts:
Red Hat RHSA-2011:0264-01 rgmanager 2011-02-16
Red Hat RHSA-2011:0265-01 ccs 2011-02-16
Ubuntu USN-875-1 redhat-cluster, redhat-cluster-suite 2009-12-18
CentOS CESA-2009:1341 cman 2009-09-15
CentOS CESA-2009:1339 rgmanager 2009-09-15
CentOS CESA-2009:1337 gfs2-utils 2009-09-15
Red Hat RHSA-2009:1341-02 cman 2009-09-02
Red Hat RHSA-2009:1339-02 rgmanager 2009-09-02
Red Hat RHSA-2009:1337-02 gfs2-utils 2009-09-02


htmldoc: stack-based buffer overflow

Package(s): htmldoc    CVE #(s): (none listed)
Created: September 1, 2009    Updated: September 2, 2009
Description: From the Red Hat bugzilla: A stack-based buffer overflow by processing user-supplied input was found in HTMLDOC's routine, used to set the result page output size for custom page sizes. A remote attacker could provide a specially-crafted HTML file, which once opened by an unsuspecting user, would lead to denial of service (htmldoc crash).
Alerts:
Fedora FEDORA-2009-8611 htmldoc 2009-08-15
Fedora FEDORA-2009-8595 htmldoc 2009-08-15


ikiwiki: information disclosure

Package(s): ikiwiki    CVE #(s): CVE-2009-2944
Created: September 1, 2009    Updated: April 1, 2010
Description: From the Debian advisory: Josh Triplett discovered that the blacklist for potentially harmful TeX code of the teximg module of the Ikiwiki wiki compiler was incomplete, resulting in information disclosure.
Alerts:
Fedora FEDORA-2009-9244 ikiwiki 2009-09-03
Fedora FEDORA-2009-9254 ikiwiki 2009-09-03
Debian DSA-1875-1 ikiwiki 2009-08-31


kernel: denial of service

Package(s): kernel    CVE #(s): CVE-2009-2691
Created: August 27, 2009    Updated: March 23, 2010
Description: From the National Vulnerability Database entry: "The mm_for_maps function in fs/proc/base.c in the Linux kernel 2.6.30.4 and earlier allows local users to read (1) maps and (2) smaps files under proc/ via vectors related to ELF loading, a setuid process, and a race condition."
Alerts:
Red Hat RHSA-2010:0161-01 kernel-rt 2010-03-23
Debian DSA-2004-1 linux-2.6.24 2010-02-27
Red Hat RHSA-2009:1540-01 kernel-rt 2009-11-03
Fedora FEDORA-2009-9044 kernel 2009-08-27


kernel: denial of service

Package(s): kernel    CVE #(s): CVE-2009-2767
Created: August 27, 2009    Updated: October 22, 2009
Description: From the National Vulnerability Database entry: "The init_posix_timers function in kernel/posix-timers.c in the Linux kernel before 2.6.31-rc6 allows local users to cause a denial of service (OOPS) or possibly gain privileges via a CLOCK_MONOTONIC_RAW clock_nanosleep call that triggers a NULL pointer dereference."
Alerts:
Fedora FEDORA-2009-9044 kernel 2009-08-27
Ubuntu USN-852-1 linux, linux-source-2.6.15 2009-10-22


libmikmod: two denial of service vulnerabilities

Package(s): libmikmod    CVE #(s): CVE-2007-6720, CVE-2009-0179
Created: August 31, 2009    Updated: October 11, 2010
Description:

From the Red Hat bugzilla entries [1 and 2]:

CVE-2009-0179: A denial of service flaw was found in the MikMod player, used for playing MOD files. If an attacker would trick the mikmod user to load an XM file, this could lead to denial of service (application crash).

CVE-2007-6720: A denial of service flaw was found in the MikMod player, used for playing MOD files. If an attacker would trick the mikmod user to play multiple MOD using files with varying number of channels, this could lead to denial of service (application crash or abort).

Alerts:
Ubuntu USN-995-1 libmikmod 2010-09-29
Red Hat RHSA-2010:0720-01 mikmod 2010-09-28
CentOS CESA-2010:0720 mikmod 2010-10-10
CentOS CESA-2010:0720 mikmod 2010-09-29
CentOS CESA-2010:0720 mikmod 2010-09-29
Mandriva MDVSA-2009:272-1 libmikmod 2009-12-05
Fedora FEDORA-2009-9112 libmikmod 2009-08-28
Fedora FEDORA-2009-9095 libmikmod 2009-08-28
Mandriva MDVSA-2009:272 libmikmod 2009-10-12


mono: cross-site scripting vulnerabilities

Package(s): mono    CVE #(s): CVE-2008-3422
Created: August 27, 2009    Updated: December 7, 2009
Description: From the National Vulnerability Database entry: "Multiple cross-site scripting (XSS) vulnerabilities in the ASP.net class libraries in Mono 2.0 and earlier allow remote attackers to inject arbitrary web script or HTML via crafted attributes related to (1) HtmlControl.cs (PreProcessRelativeReference), (2) HtmlForm.cs (RenderAttributes), (3) HtmlInputButton (RenderAttributes), (4) HtmlInputRadioButton (RenderAttributes), and (5) HtmlSelect (RenderChildren)."
Alerts:
Mandriva MDVSA-2009:322 mono 2009-12-07
Mandriva MDVSA-2009:268 mono 2009-10-12
Ubuntu USN-826-1 mono 2009-08-26


openssh: information disclosure

Package(s): openssh    CVE #(s): CVE-2008-5161
Created: September 2, 2009    Updated: March 8, 2010
Description: OpenSSH is vulnerable to a specific man-in-the-middle attack that could recover a small amount of plaintext from a session when a CBC cipher mode is in use.
Alerts:
Gentoo 201405-06 openssh 2014-05-11
rPath rPSA-2010-0011-1 openssh 2010-03-07
CentOS CESA-2009:1287 openssh 2009-09-15
Red Hat RHSA-2009:1287-02 openssh 2009-09-02


squirrelmail: cross-site request forgery

Package(s): squirrelmail    CVE #(s): CVE-2009-2964
Created: August 31, 2009    Updated: August 13, 2010
Description:

From the Mandriva advisory:

All form submissions (send message, change preferences, etc.) in SquirrelMail were previously subject to cross-site request forgery (CSRF), wherein data could be sent to them from an offsite location, which could allow an attacker to inject malicious content into user preferences or possibly send emails without user consent (CVE-2009-2964).

Alerts:
Debian DSA-2091-1 squirrelmail 2010-08-12
Mandriva MDVSA-2009:222 squirrelmail 2009-08-28
CentOS CESA-2009:1490 squirrelmail 2009-10-08
Red Hat RHSA-2009:1490-01 squirrelmail 2009-10-08


wordpress: open redirect vulnerability

Package(s): wordpress    CVE #(s): CVE-2008-6762
Created: August 27, 2009    Updated: September 2, 2009
Description: From the National Vulnerability Database entry: "Open redirect vulnerability in wp-admin/upgrade.php in WordPress, probably 2.6.x, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the backto parameter."
Alerts:
Debian DSA-1871-2 wordpress 2009-08-27


wordpress: denial of service

Package(s): wordpress    CVE #(s): CVE-2008-6767
Created: August 27, 2009    Updated: September 2, 2009
Description: From the National Vulnerability Database entry: "wp-admin/upgrade.php in WordPress, probably 2.6.x, allows remote attackers to upgrade the application, and possibly cause a denial of service (application outage), via a direct request."
Alerts:
Debian DSA-1871-2 wordpress 2009-08-27


wordpress: password vulnerability

Package(s): wordpress    CVE #(s): CVE-2008-4106
Created: August 27, 2009    Updated: September 2, 2009
Description: From the National Vulnerability Database entry: "WordPress before 2.6.2 does not properly handle MySQL warnings about insertion of username strings that exceed the maximum column width of the user_login column, and does not properly handle space characters when comparing usernames, which allows remote attackers to change an arbitrary user's password to a random value by registering a similar username and then requesting a password reset, related to a "SQL column truncation vulnerability.""
Alerts:
Debian DSA-1871-2 wordpress 2009-08-27
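The truncation and whitespace handling this entry describes, as an added Python illustration (not the page's or WordPress's code): MySQL's non-strict truncation and trailing-space-insensitive comparison are simulated in plain Python so it runs offline, and the 60-character column width, the sample names and all function names are assumptions. The hardened registration shows the checks that close the gap.

```python
# Added illustration, not WordPress code: MySQL behaviour is simulated so
# the example runs offline. Column width and function names are assumed.

USER_LOGIN_WIDTH = 60  # assumed width of the user_login VARCHAR column

def mysql_equal(a, b):
    """PAD SPACE collation: trailing spaces are ignored on comparison,
    so 'admin' and 'admin   ' are the same login to the database."""
    return a.rstrip(" ") == b.rstrip(" ")

def lookup(users, login):
    """Password-reset lookup, matched the way the database would."""
    return [u for u in users if mysql_equal(u, login)]

def register_vulnerable(users, requested):
    """Uniqueness is checked on the full string in application code, but
    a non-strict MySQL INSERT silently truncates to the column width and
    only raises a warning, which this code (like the flaw) ignores."""
    if requested in users:
        return None
    users.append(requested[:USER_LOGIN_WIDTH])
    return users[-1]

def register_hardened(users, requested, width=USER_LOGIN_WIDTH):
    """Validate before the INSERT: no surrounding whitespace, fits the
    column, uniqueness checked with the database's own comparison. A real
    deployment would also run MySQL in strict mode so truncation errors."""
    if requested != requested.strip() or len(requested) > width:
        raise ValueError("invalid username")
    if lookup(users, requested):
        raise ValueError("username taken")
    users.append(requested)
    return requested

def crafted_name():
    """Constructed sample: 'admin' padded with spaces to the column width,
    plus one extra character so it is not an exact match for 'admin'."""
    return "admin".ljust(USER_LOGIN_WIDTH) + "x"

def vulnerable_scenario():
    """Rows a reset for 'admin' matches after the crafted registration."""
    users = ["admin"]
    register_vulnerable(users, crafted_name())
    return lookup(users, "admin")  # two rows: the reset can hit the wrong one

def rejection_reason(name):
    """Why the hardened registration rejects name against an existing
    'admin' account, or None if it would be accepted."""
    try:
        register_hardened(["admin"], name)
    except ValueError as e:
        return str(e)
    return None
```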


wordpress: directory traversal vulnerability

Package(s): wordpress    CVE #(s): CVE-2008-4769
Created: August 27, 2009    Updated: September 2, 2009
Description: From the National Vulnerability Database entry: "Directory traversal vulnerability in the get_category_template function in wp-includes/theme.php in WordPress 2.3.3 and earlier, and 2.5, allows remote attackers to include and possibly execute arbitrary PHP files via the cat parameter in index.php. NOTE: some of these details are obtained from third party information."
Alerts:
Debian DSA-1871-2 wordpress 2009-08-27


wordpress: cross-site request forgery vulnerability

Package(s): wordpress    CVE #(s): CVE-2008-5113
Created: August 27, 2009    Updated: September 2, 2009
Description: From the National Vulnerability Database entry: "WordPress 2.6.3 relies on the REQUEST superglobal array in certain dangerous situations, which makes it easier for remote attackers to conduct delayed and persistent cross-site request forgery (CSRF) attacks via crafted cookies, as demonstrated by attacks that (1) delete user accounts or (2) cause a denial of service (loss of application access). NOTE: this issue relies on the presence of an independent vulnerability that allows cookie injection."
Alerts:
Debian DSA-1871-2 wordpress 2009-08-27


Page editor: Jake Edge


Copyright © 2009, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds