Vulnerability Note VU#668193

Skype VCARD handling routine contains a buffer overflow

Overview

A buffer overflow in the way Skype handles imported VCARDs may allow a remote attacker to execute code on a vulnerable system.

I. Description

Skype software provides telephone service over IP networks. Skype fails to properly validate imported VCARDs, allowing a buffer overflow to occur. The buffer overflow may stem from an input validation error in the Delphi routine SysUtils.WideFmtStr(...).

For more information, please see Skype Security Bulletin SKYPE-SB/2005-002 and Delphi Bug Report 4744.

II. Impact

A remote attacker may be able to execute arbitrary code if they can persuade a user to import a specially crafted VCARD with a Skype-specific URI using a vulnerable Skype installation.

III. Solution

Upgrade Skype

Please see Skype Security Bulletin SKYPE-SB/2005-002 for a list of fixed Skype versions.

Do not import VCARDs from untrusted sources

Exploitation occurs by importing a specially crafted VCARD. By only accessing VCARDs from trusted or known sources, the chances of exploitation are reduced.

Systems Affected

Vendor               Status       Date Updated
Skype Technologies   Vulnerable   26-Oct-2005

References


http://secunia.com/advisories/17305/
http://www.skype.com/security/skype-sb-2005-02.html
http://qc.borland.com/wc/qcmain.aspx?d=4744

Credit

This vulnerability was reported by SKY-CERT. SKY-CERT credits Mark Rowe of Pentest Limited with providing information regarding this issue.

This document was written by Jeff Gennari.

Other Information

Date Public: 10/25/2005
Date First Published: 10/26/2005 11:19:19 AM
Date Last Updated: 12/19/2005
CERT Advisory:
CVE Name: CVE-2005-3265
US-CERT Technical Alerts:
Metric: 10.13
Document Revision: 11

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Produced 2005 by US-CERT, a government organization