Skype 格式化字符串漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1111139 漏洞类型 输入验证
发布时间 2006-09-26 更新时间 2006-10-05
CVE编号 CVE-2006-5084 CNNVD-ID CNNVD-200609-521
漏洞平台 OSX CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/28710
https://www.securityfocus.com/bid/20218
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200609-521
|漏洞详情
SkypeforAndroid是美国微软(Microsoft)公司的一套基于Android平台下的免费的语音通讯软件。该软件支持视频短信、语音信箱、蓝牙耳机、电话会议等功能。Skype没有正确地验证用户输入,远程攻击者可能通过格式串攻击触发空指针引用,导致拒绝服务或执行任意指令。
|漏洞EXP
source: http://www.securityfocus.com/bid/20218/info

Skype is prone to a remote format-string vulnerability because the application fails to properly sanitize user-supplied input before using it in the format-specification argument of a formatted-printing function.

Exploiting this issue allows remote attackers to execute arbitrary machine code in the context of the affected application, potentially facilitating the remote compromise of affected computers.

Skype 1.5.0.79 and prior versions for Apple Mac OS X are vulnerable to this issue.

IFRAME SRC=skype:%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n
|受影响的产品
Skype Technologies Skype 1.5 .79
|参考资料

来源:US-CERT
名称:VU#202604
链接:http://www.kb.cert.org/vuls/id/202604
来源:www.skype.com
链接:http://www.skype.com/security/skype-sb-2006-002.html
来源:BID
名称:20218
链接:http://www.securityfocus.com/bid/20218
来源:MISC
链接:http://www.security-protocols.com/modules.php?name=News&file=article&sid=3259
来源:VUPEN
名称:ADV-2006-3895
链接:http://www.frsirt.com/english/advisories/2006/3895
来源:SECTRACK
名称:1016966
链接:http://securitytracker.com/id?1016966
来源:MISC
链接:http://security-protocols.com/vids/skype_osx_0day.htm