Did Russian Hackers Crash Skype? 108
An anonymous reader sends us to the www.xakep.ru forum where a poster claims that the worldwide Skype crash was caused by Russian hackers (in Russian). The claim is that they found a local buffer overflow vulnerability caused by sending a long string to the Skype authorization server. You can try Google's beta Russian-to-English translation, but the interesting part is the exploit code, and that's more readable in the original. The Washington Post reports that Skype has denied this rumor.
The code snippet seems to be wrong (Score:4, Informative)
Translation (Score:5, Informative)
"The reason for yesterday's downtime of the Skype network is research of Russian crackers, as reported by one of our readers.
While searching for a local buffer overflow, a possibility was found to send a long string to the server, overflowing its buffer and causing the server to go down. Its place is taken by another server from the P2P network, the error arises on it in the same way, and so on. As a result, the entire Skype network refused service for several hours and the developer team was forced to turn off authentication.
Here's the exploit code:"
fake? (Score:5, Informative)
Re:Look (Score:2, Informative)
The following code snippets assume pszSrc is smaller or equal to 50 chars
// Example #1
// Example #2
// Example #3
// Example #4
// Example #5
Which of the above is safe?Not a single one!
#1: sizeof(pszSrc) is 4 if pszSrc is a pointer, not a staticly-allocated array.
#2: szDest is left unterminated if strlen(pszSrc) equals MAX
#3: Writing "szDest[MAX]" overruns the array
#4: Misuse of the size parameter to strncat, it should be the space left, not the total space in the array.
#5: Author of that code doesn't understand strlen
Sorry, you didn't get the job.
The above snippet was taken from here [msdn.com]
Re:The code snippet seems to be wrong (Score:4, Informative)
Re:Translation (Score:5, Informative)
Anyway, your version is probably a little better, so I'll contribute with something else. The script is very short too, so here it is: The first page of comments seems to be just the usual bunch of trolls, assholes, and simply useless posts, except for one that claims the code has been shown not to do anything on a dedicated security site [securitylab.ru]. The Skype article on the front page doesn't contain any additional information. The attack looks almost too simple to work, but I wasn't able to find any strong evidence that would suggest that it doesn't, at least not with a few quick searches.
Re:The code snippet seems to be wrong (Score:4, Informative)
coincidence? (Score:5, Informative)
Re:Look (Score:3, Informative)
Re:The code snippet seems to be wrong (Score:5, Informative)
Just watch the Skype blogs... (Score:3, Informative)
Re:They hired DoS specialists against their own us (Score:3, Informative)
Why don't you switch to an open protocol which might not be so flakey?
If anyone has had good experiences with alternatives to Skype, that are multi-platform and support voice conferencing of 4-8 people, please let me know!
Set up a CallWeaver server. I use CallWeaver as my server and Ekiga as my softphone and it works fine (also a UTStarCom F1000G as a WiFi phone, but I have all sorts of problems with that owing to UTStarCom's flakey firmware which they won't fix). At my old job we found that SJPhone and X-Lite were reasonable alternatives to Ekiga for the Windows users (although there is a Windows version of Ekiga but my experience is that it's not entirely stable).
You can also use one of the many SIP/PSTN gateways, such as VoIPUser, to gateway calls in from the PSTN if not everyone is able to use VoIP.
Re:The code snippet seems to be wrong (Score:4, Informative)
Re:Skype and Patriot act maybe not hackers? (Score:3, Informative)