Vulnerability research advisories come in all shapes and styles. Some companies release brief summaries with no technical details as part of their responsible disclosure policy. Some security researchers will release incredibly detailed reports full of technical details and all of the information one could need regarding the issue. In at least one case, we find the weirdest combination of lengthy advisories that offer up the least amount of information possible.
The following advisory from Vulnerability Research Labs (vulnerability-lab.com) is not necessarily the worst, but it is indicative of their advisories. The most troubling part is that the group obviously spends a lot of time writing them, but it doesn’t appear they spend much time actually researching or reading their own advisories. Oh, and they also don’t understand how text advisories and HTML works.
Looking at their Skype “corruption” advisory, you first have to qualify “which one?” The copy of the main advisory on their web page references itself and has no technical details. That advisory also says to visit another advisory that has most of the same information, but in turn links to a local copy of a video and a YouTube version. But, you have to copy/paste the URLs in your browser, because they don’t provide HTML links. If you try to access their local copy, you get “Not available or existing Website!“, along with a nice server version (localhost Port 8080 Apache/2.2.8 (Red Hat) mod_python/3.3.1 Python/2.4.4 PHP/5.2.0-10 mod_perl/2.0.2 Perl/v5.8.8 Server), and then redirection to their main page. Fortunately, the YouTube video works, not that it really helps much with bad music and an overly long demo.
To actually get technical details, you have to go somewhere else completely, like PacketStorm. I am at a loss for why they expect anyone to go through so much to figure out the details of a rather pedestrian vulnerability. That said, we’ll take a look at the PacketStorm copy since it offers the most text; I can’t say that it offers the most information.
The following advisory was the straw that broke the proverbial back (perhaps if I was a camel, I would not be so angry). After weeks of dealing with these crappy advisories, I felt the need to rant about them rather than try to process this one.
Title: ====== Skype 5.8x 5.5x - Corruption & Persistent Vulnerability
I understand there is a language barrier here, but “corruption” is pretty vague, even for a title. Memory corruption? Data corruption? What does “& Persistent” mean in that context? What should be one simple piece of information is already off to a bad start.
References: =========== http://www.vulnerability-lab.com/get_content.php?id=455 MRSC ID: 12250 VIDEO: http://vulnerability-lab.com/get_content.php?id=457 ;) VL-ID: ===== 455
Eight text lines and what do we get? A link to the copy on their web site, with less information than this, a MSRC ID (which is pretty rare to see in any advisory), a link to an advisory that only offers two links to a video (with one that doesn’t work), and a “VL-ID”. The VL-ID is their own ID scheme, and apparently they think it is important to include and that no one could deduce it from their URL scheme.
Common Vulnerability Scoring System: ==================================== 8.6
On the surface, this seems valuable. It isn’t. First, this information does not appear in the PacketStorm copy, but does appear on their web site copy. On the web site copy, 26 lines later we see “Severity: High”. Wouldn’t these be better suited together under the same heading? Worse, they don’t “show their work” on how the CVSS score is derived. They don’t even indicate if it is a CVSSv1 or CVSSv2 score. More importantly, how the hell do they get a score of 8.6 off this vulnerability?
To summarize: two users of Skype, one pastes the right ‘bad’ characters in chat, and it throws up a pop-up box and causes an annoyance. Their video demonstration doesn’t show anything more than maybe stopping communication with the person you send the garbage to. They don’t show the program terminating completely, instead, they show the program still working somewhat. A quick CVSS score check and I only get 4: (AV:N/AC:L/AU:S/C:N/I:N/A:P). Even if you jack availability from ‘partial’ to ‘complete’, you still only get 6.8. That calls into question their knowledge of the vulnerabilities and/or how CVSS works.
Introduction: ============= Skype is a software application that allows users to make voice and video calls and chats over the Internet. Calls to other users within the Skype service are free, while calls to both traditional landline telephones and mobile phones can be made for a fee using a debit-based user account system. Skype has also become popular for its additional features which include instant messaging, file transfer, and videoconferencing. Skype has 663 million registered users as of 2010. The network is operated by Skype Limited, which has its headquarters in Luxembourg. Most of the development team and 44% of the overall employees of Skype are situated in the offices of Tallinn and Tartu, Estonia. (Copy of the Vendor Homepage: http://en.wikipedia.org/wiki/Skype)
Not sure who was the first to add a product description to an advisory, but I can almost understand it. Just in case a non-security person was reading it and didn’t know what a product did, it is helpful. For security researchers, it is helpful if the product is not well known and the name doesn’t indicate what it does. But seriously, after the first line, what is the benefit of the text above? Do we really need to know where the headquarters is, or the location of employees? Finally, these morons don’t know or understand what Wikipedia is. In several advisories they refer to the Wikipedia link as “copy of the vendor homepage”, when it is nothing of the sort. It is where they are taking the product description, forcing us to click on yet another link to get information we may want (e.g., the vendor home page).
Abstract: ========= The Vulnerability-Lab Team discovered a remote pointer corruption with persistent weakness on Skypes v184.108.40.206 Windows 7 & MacOS v5.5.2340.
Language Barrier Alert!
Report-Timeline: ================ 2012-02-24: Vendor Notification 2012-02-25: Vendor Response/Feedback 2012-03-20: Vendor Fix/Patch by Check 2012-03-29: Public or Non-Public Disclosure
I am a fan of disclosure timelines and think they should be part of every advisory. So I commend them on adding four of the seven dates that OSVDB likes to track. However, there is one thing in many of their timelines; why can’t they figure out if it is a public or non-public disclosure? When you post it to your web site and PacketStorm, it is public disclosure. If this timeline seems good, consult advisory #3, advisory #136, or advisory #137 instead. Or perhaps others where they “discover” the vulnerability over a year after they verified it? We have to wonder what “Censorship of Advisory with Reason” means as well. Is it related to Vulnerability Labs censoring dates perhaps?
Status: ======== Published
This is another line that defies explanation. If we’re reading it, don’t we know it is published? Should we expect to see “Leaked” if one of their advisories is taken and released without their knowledge?
Affected Products: ================== Skype Windows, MacOs & Linux
This seems like a reasonable piece of information at first. Then you notice that their web site copy gives more information:
Product: Skype – Windows, MacOs & Linux v220.127.116.11, 18.104.22.1680, 2.2 Beta
If you read on, then you also notice that they can’t get their versions straight, and leave you wondering which version of Skype on Windows is really vulnerable.
Exploitation-Technique: ======================= Remote
Severity: ========= High
See above, the rant after the wonky CVSS score.
Details: ======== A pointer corruption vulnerability is detected on the windows v22.214.171.124 & macos v5.5.2340 client of the skype software. The bug is located in the software when processing special crafted symbole messages via communication box. The vulnerability allows an attacker to freeze, block, crash or destroy the communication messagebox of the connected conference persons/teams. The bug also has an persistent weakness vector which allows an remote attacker to implement the symbole string to the contact user requests messagebox. The result is also a stable persistent error message and a client denial of service. Attackers can also implement the test poc to the group labelname which results in a stable group error with different exceptions. The facebook integration allows to sync the account with skype and can also redisplay the issue with the error via facebook module and wallposting. The callto function allows an attacker to implement the issue persistent on a victim user profile by using the symbole string as nickname.
Wait, Skype 126.96.36.199 for Windows? You said it was 188.8.131.52 elsewhere, which is it? And why no mention of Linux here? Note that it also says you can create a denial of service “of the connected conference persons/teams”, which does not sound like it impacts availability fully, meaning their CVSS score is way off.
Vulnerable Module(s): [+] MessageBox & Request Contact [+] Contact Request Messagebox - Add Skype User [+] Group Topic & Group Information Name [+] Facebook integration - Connect Account Wall Postings
After reading dozens of their advisories, this has to be the most frustrating part. Rather than give script and variable names, they just give “modules”. Even when the vulnerable function isn’t a module, or part of a module. This one part of their advisory has caused more frustration for vulnerability databases than any other.
Affected OS version(s): [+] Windows v184.108.40.206, MacOS 220.127.116.110 & Linux 2.2 Beta
First, why have “affected products” above, and “affected OS versions” here? Consolidate them, don’t make the advisory longer and more useless. Second, do they not understand what “OS” means? These are the versions of the Skype software, not the underlying operating system.
Picture(s): ../1.png ../2.png ../3.png ../4.png ../5.png ../6.png ../7.png ../8.png ../9.png ../10.png ../11.png ../12.png ../13.png ../14.png ../5.png ../6.png ../7.png ../8.png ../9.png ../10.png ../11.png ../12.png ../13.png
Welcome to the most braindead portion of their advisory! Here, we have a long list of images (with several duplicates) that offer absolutely nothing. The filenames give no hint as to what they represent. Obviously, they don’t work on PacketStorm or a mail list. However, these idiots also don’t make them working links on their own site. How can a group publish dozens of advisories with this crap, and never realize that it is completely worthless?
The vulnerability can be exploited by remote attackers with & without required user inter action. For demonstration or reproduce ... PoC: [..]
The proof of concept they include also demonstrates, at least for this vulnerability, the technical prowess we are dealing with. You get a big glob of ‘bad stuff’ to paste into a field in Skype. No explanation of what is going on under the hood. No research to determine if it is a specific character, the presence of that character a certain amount of times, or what the fundamental problem is. I am sure that one of these ‘researchers’ was chatting with his buddies on Skype, pasted something from a web page, and accidentally discovered it. That is fine, many vulnerabilities are discovered exactly that way. The only difference is that most of the time, people who spend so much time writing up a formal advisory actually research the issue more.
Note: They never seem to include a proof of concept on the advisory hosted on their own site. You always have to go to PacketStorm or another source to find it.
Reference(s): ../poc1.txt ../poc2.txt ../callto.txt
Just like the “pictures” above, we get hints that there are easier proof of concept files available. But just hints, because the morons can’t link to these either, even on their own web site.
Solution: ========= The attack vector has been removed in the old version (18.104.22.168) via hotfix and the issue is addressed by skype. Update to Skype v22.214.171.124
Mac users? Linux users? Any solution for them? And seriously, the vulnerability has not been removed from 126.96.36.199, it has been removed in the new version.
Risk: ===== The security risk of the remote denial of service vulnerability via pointer corruption is estimated as high(-).
Estimated?! The point of CVSS scores and a risk model is to have a repeatable and logical method for deriving numeric risk. This silly “best guess” method is what leads to a CVSS score of 8.6 when it is really closer to 4.
Credits: ======== Vulnerability Research Laboratory - Benjamin Kunz Mejri (Rem0ve), Alexander Fuchs (f0x23) & Ucha Gobejishvili
Here we learn the three people chatting when one of them discovered this awesome DoS. But seriously, it took three of you to “research” and then document this vulnerability in the most horrible way possible? You should not be proud of this advisory. Employers, if you see these names on a resume and they are looking for security work, steer clear.
Disclaimer: =========== The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability- Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability- Lab. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab or its suppliers.
Search Google for any phrase from this. Way to borrow a disclaimer from other sources, that you likely don’t understand one bit. But hey, it makes you look legit, yo!