Thursday 18 October 2018

Porting CVE-2018-8120 to an MSF module

Hi Internet,

#Shortpost
I have added support for CVE-2018-8120 to Metasploit (MSF); before porting it I read through the published analysis of the issue.

After reading xiaodaozhi's blog post I understood that CVE-2018-8120 is a NULL pointer dereference in the win32k kernel module. Triggered naively it simply blue-screens a vulnerable system; the exploit code is instead written so that the dereference ends up overwriting a function pointer in kernel mode, and that controlled write is what turns the crash into a local privilege escalation on the target.

It took me a while to port this to an MSF module; I would also like to thank the MSF team for their reviews during that time. At last it was successfully ported and landed!

The module path is `exploit/windows/local/ms18_8120_win32k_privsec.rb`. (Sweeeeeeet!)
 
This module was tested against Windows 7 x64 and x86 and Windows Server 2008 R2 x64. The vulnerability affects more versions than that; the full list of affected versions and editions is in Microsoft's advisory.
Reference: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8120



Thank you
Dhiraj

Saturday 29 September 2018

Telegram anonymity fails in desktop - CVE-2018-17780

Hi Internet,

Summary: Strangely, tdesktop 1.3.14 and Telegram for Windows Phone (3.3.0.0, WP8.1) leak the end user's private and public IP addresses while making calls. This bug was awarded €2000 by the Telegram security team. (Sweeet..)
Telegram is supposedly a secure messaging application, but by default it sets up a call as a direct peer-to-peer connection, which necessarily exposes each party's IP address to the other. On platforms that have the option this is controlled by "Settings > Privacy and security > Calls > Peer-to-peer". tdesktop and Telegram for Windows Phone broke this trust: they leaked the end user's public and private IP addresses, and at the time there was no "Peer-to-peer > Nobody" setting at all in either client, so the user had no way to keep calls off a direct connection.

PS: Telegram for Android will also leak your IP address unless you set "Settings > Privacy and security > Calls > Peer-to-peer > Nobody" (but at least that setting already exists on Android).

To view this in action in tdesktop:
1. Open tdesktop,
2. Initiate a call to anyone,
3. You will notice the end user's IP address leaks.
 

Other scenario:
1. Open tdesktop in Ubuntu and login with user A
2. Open telegram in windows phone login with user B
3. Let user B initiate the call to user A
4. User A's access log will now contain user B's public/private IP address.

So it is not just that the encryption MTProto provides does nothing to hide a peer's IP address on a direct call; the leaked address can also be used for OSINT against the user. This was fixed in tdesktop 1.3.17 beta and v1.4.0, which add the option to set peer-to-peer calls to "Nobody" or "My contacts". CVE-2018-17780 was later assigned to this vulnerability.


Regards

Thursday 27 September 2018

Telegram uses SOCKS5 to share user/creds

Hi Internet,

Summary: Telegram is supposedly a secure messaging application, but tdesktop lets you share a SOCKS5 proxy as a link that carries the proxy username and password in plaintext. The SOCKS5 username/password method itself (RFC 1929, https://tools.ietf.org/html/rfc1929) also sends the credentials in cleartext: neither the subnegotiation nor the proxied traffic is encrypted by SOCKS, which is simply how the protocol works. The Telegram team is aware of this and says it is working as intended.

Product affected: tdesktop 1.3.16 alpha; Browser: Firefox 62.0 (64-bit); Tested on: Ubuntu 18.04 LTS x64

Steps to reproduce the issue:
1. Open tdesktop
2. Go to Settings > Advanced Settings > Connection type
3. Open "Proxy Settings" check "Use proxy"
4. Put some random Hostname, Port, Username and Password
5. tdesktop tries to connect; while it is connecting, click the three-dot menu on the right-hand side of that proxy entry
6. Click Share; the link is copied to the clipboard.

Example Link: https://t.me/socks?server=inputzero.io&port=22&user=dhiraj&pass=MystrongPassw0rd 

The generated link contains the password in plaintext. SOCKS5 is a transport-level protocol and is not encrypted by itself, so the same password also crosses the network in cleartext every time the proxy is used. Transmitting credentials in plaintext like this is bad security practice.

The generated URL is HTTPS, but that does not help here: as RFC 3986 (section 7.5) puts it, URI producers should not provide a URI that contains a username or password that is intended to be secret, because URIs are frequently displayed by browsers, stored in cleartext bookmarks, and logged by user-agent history and intermediary applications such as proxies.
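To make concrete what the link and the protocol actually carry, here is an added example in Python (mine, not tdesktop's or Telegram's code). It parses the `https://t.me/socks?...` share link from above into proxy settings, builds and parses the RFC 1929 username/password subnegotiation that a SOCKS5 client sends to the proxy, and checks that the password bytes from the link appear verbatim in that handshake; it also rewrites the link with the password replaced so it can be logged safely. The field names `server`, `port`, `user` and `pass` are taken from the link on this page; the `REDACTED` placeholder and the set of accepted link forms are my assumptions.

```python
"""Added example, not tdesktop's code: the same proxy password appears verbatim in
the t.me/socks share link and in the RFC 1929 SOCKS5 username/password handshake."""
import struct
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Link copied from the post above (the password in it is the author's dummy value).
SHARE_LINK = ("https://t.me/socks?server=inputzero.io&port=22"
              "&user=dhiraj&pass=MystrongPassw0rd")


def parse_socks_link(link):
    """Split an https://t.me/socks?... share link into its proxy settings.

    Only the query-string form shown in the post is handled."""
    parts = urlsplit(link)
    if parts.netloc.lower() != "t.me" or parts.path != "/socks":
        raise ValueError("not a t.me/socks share link")
    q = dict(parse_qsl(parts.query, keep_blank_values=True))
    if "server" not in q or "port" not in q:
        raise ValueError("share link lacks server/port")
    return {
        "server": q["server"],
        "port": int(q["port"]),
        "user": q.get("user"),  # None when the proxy needs no authentication
        "pass": q.get("pass"),
    }


def redact_socks_link(link):
    """Rewrite the link so the password never reaches a log, bookmark or history.
    ("REDACTED" is an arbitrary placeholder chosen for this example.)"""
    parts = urlsplit(link)
    pairs = [(k, "REDACTED" if k == "pass" else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def rfc1929_request(username, password):
    """Client -> proxy: VER=0x01, ULEN, UNAME, PLEN, PASSWD (RFC 1929 section 2).

    There is no encryption step anywhere in here: the bytes go out as-is."""
    uname = username.encode("utf-8")
    passwd = password.encode("utf-8")
    if not 1 <= len(uname) <= 255 or not 1 <= len(passwd) <= 255:
        raise ValueError("RFC 1929 fields must be 1..255 bytes")
    return (struct.pack("!BB", 0x01, len(uname)) + uname
            + struct.pack("!B", len(passwd)) + passwd)


def parse_rfc1929_request(data):
    """Proxy side: recover username and password from the raw request bytes."""
    if len(data) < 2 or data[0] != 0x01:
        raise ValueError("bad RFC 1929 version byte")
    ulen = data[1]
    uname = data[2:2 + ulen]
    if len(uname) != ulen or len(data) < 3 + ulen:
        raise ValueError("truncated username")
    plen = data[2 + ulen]
    passwd = data[3 + ulen:3 + ulen + plen]
    if len(passwd) != plen or len(data) != 3 + ulen + plen:
        raise ValueError("bad password length")
    return uname.decode("utf-8"), passwd.decode("utf-8")


def rfc1929_response(success):
    """Proxy -> client: VER=0x01, STATUS (0x00 = success, anything else = failure)."""
    return struct.pack("!BB", 0x01, 0x00 if success else 0x01)


def password_on_the_wire(link):
    """True when the plaintext password from the link is a substring of the
    handshake bytes, i.e. a passive observer of the SOCKS5 connection gets it."""
    cfg = parse_socks_link(link)
    if cfg["user"] is None or cfg["pass"] is None:
        return False
    return cfg["pass"].encode("utf-8") in rfc1929_request(cfg["user"], cfg["pass"])


if __name__ == "__main__":
    cfg = parse_socks_link(SHARE_LINK)
    req = rfc1929_request(cfg["user"], cfg["pass"])
    print("settings :", cfg)
    print("handshake:", req.hex())
    print("log-safe :", redact_socks_link(SHARE_LINK))
    print("password visible on the wire:", password_on_the_wire(SHARE_LINK))
```

The handshake for the link above is `01 06 "dhiraj" 10 "MystrongPassw0rd"`: one version byte, one length byte per field, and the fields themselves untouched. Anyone who can see the TCP connection to the proxy, or any log that stored the share link, has the password.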

This was also posted to the oss-security mailing list. CVE-2018-17613 was later assigned to this issue.

Regards

Sunday 16 September 2018

The Secrets of Tez

Hi Internet,

Summary: The Google Pay (Tez) app leaks end users' email addresses; Google marked this issue as WONTFIX.

You may be aware of techniques for extracting email addresses from LinkedIn; the Tez app lets you do something similar.

Steps to reproduce:
1. Open Tez,
2. Click on New,
3. You will see "Google Pay Connections",
4. Click on any one contact.
5. Their email address is displayed.


In this case I never had "Ajay"'s email address; I only had his number saved as a contact. In the same way I can view the email address of everyone in my contacts who is on Tez. It is not necessary to initiate a payment to get someone's email address; you can simply view it, as long as the user is saved in your contacts.

This issue was submitted to Google but marked WONTFIX; Google said: "Thanks for report! We think the issue might not be severe enough for us to track it as a security bug."

This is not a great bug, but such data can be used in OSINT to mount a targeted attack on a victim. Hope you like the read.

Regards

Monday 3 September 2018

An untold story of skype by microsoft

Hi Internet,

Summary: It was observed that Skype for Linux aborts with a glibc `malloc(): memory corruption` error when you share media or a file with someone during a call.

Tested on: Linux zero 4.15.0-29-generic #31-Ubuntu SMP Tue Jul 17 15:39:52 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux (Ubuntu 18.04 LTS)
Product affected: Skype for linux (skypeforlinux_8.27.0.85_amd64.deb)

Steps to reproduce this issue:
1. Open Skype
2. Call anyone
3. During the call try sharing the media or files to the same person
4. Skype crashes.

While on a call with one of my colleagues I tried sharing a file, which froze my Skype and then crashed it. I tried to debug it with `gdb`, and this is what I got.
$ *** Error in `/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896': malloc(): memory corruption: 0x000000000641ff80 ***
======= Backtrace: =========
/snap/core/current/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7fb57d6b97e5]
/snap/core/current/lib/x86_64-linux-gnu/libc.so.6(+0x8213e)[0x7fb57d6c413e]
/snap/core/current/lib/x86_64-linux-gnu/libc.so.6(__libc_malloc+0x54)[0x7fb57d6c6184]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896(malloc+0x1c)[0x47cc34c]
/snap/skype/51/usr/share/skypeforlinux/../../../lib/x86_64-linux-gnu/libglib-2.0.so.0(g_malloc+0x19)[0x7fb57ff91719]
/snap/skype/51/usr/share/skypeforlinux/../../../lib/x86_64-linux-gnu/libglib-2.0.so.0(+0x8508d)[0x7fb57ffc708d]
/snap/skype/51/usr/share/skypeforlinux/../../../lib/x86_64-linux-gnu/libglib-2.0.so.0(g_variant_get_data+0x1f)[0x7fb57ffc72ff]
/snap/skype/51/usr/share/skypeforlinux/../../../lib/x86_64-linux-gnu/libglib-2.0.so.0(g_variant_get+0xda)[0x7fb57ffc610a]
/usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so(+0xc873)[0x7fb57314b873]
/usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so(+0x10f2e)[0x7fb57314ff2e]
/usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so(+0x11dcb)[0x7fb573150dcb]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgobject-2.0.so.0(+0x15ad8)[0x7fb5824c3ad8]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgobject-2.0.so.0(g_object_newv+0xd1)[0x7fb5824c4c01]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgobject-2.0.so.0(g_object_new+0x104)[0x7fb5824c5534]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgio-2.0.so.0(g_volume_monitor_get+0x7c)[0x7fb582798ebc]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgtk-3.so.0(+0x25c3d5)[0x7fb583ba53d5]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgobject-2.0.so.0(g_type_create_instance+0x1f9)[0x7fb5824e1359]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgobject-2.0.so.0(+0x1531b)[0x7fb5824c331b]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgobject-2.0.so.0(g_object_newv+0xd1)[0x7fb5824c4c01]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgtk-3.so.0(+0x11a75a)[0x7fb583a6375a]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgtk-3.so.0(+0x11ce73)[0x7fb583a65e73]
/snap/skype/51/usr/share/skypeforlinux/../../../lib/x86_64-linux-gnu/libglib-2.0.so.0(+0x4d5a3)[0x7fb57ff8f5a3]
/snap/skype/51/usr/share/skypeforlinux/../../../lib/x86_64-linux-gnu/libglib-2.0.so.0(g_markup_parse_context_parse+0xfc3)[0x7fb57ff90763]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgtk-3.so.0(+0x11d8d6)[0x7fb583a668d6]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgtk-3.so.0(gtk_builder_extend_with_template+0x1a8)[0x7fb583a61b78]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgtk-3.so.0(gtk_widget_init_template+0x107)[0x7fb583cabe07]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgtk-3.so.0(+0x1ae4f1)[0x7fb583af74f1]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgobject-2.0.so.0(g_type_create_instance+0x1f9)[0x7fb5824e1359]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgobject-2.0.so.0(+0x1531b)[0x7fb5824c331b]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgobject-2.0.so.0(g_object_newv+0xd1)[0x7fb5824c4c01]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgtk-3.so.0(+0x11a75a)[0x7fb583a6375a]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgtk-3.so.0(+0x11bb65)[0x7fb583a64b65]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgtk-3.so.0(+0x11d4f1)[0x7fb583a664f1]
/snap/skype/51/usr/share/skypeforlinux/../../../lib/x86_64-linux-gnu/libglib-2.0.so.0(+0x4d6d7)[0x7fb57ff8f6d7]
/snap/skype/51/usr/share/skypeforlinux/../../../lib/x86_64-linux-gnu/libglib-2.0.so.0(g_markup_parse_context_parse+0xd8e)[0x7fb57ff9052e]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgtk-3.so.0(+0x11d8d6)[0x7fb583a668d6]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgtk-3.so.0(gtk_builder_extend_with_template+0x1a8)[0x7fb583a61b78]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgtk-3.so.0(gtk_widget_init_template+0x107)[0x7fb583cabe07]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgtk-3.so.0(+0x1a773e)[0x7fb583af073e]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgobject-2.0.so.0(g_type_create_instance+0x1f9)[0x7fb5824e1359]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgobject-2.0.so.0(+0x1531b)[0x7fb5824c331b]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgobject-2.0.so.0(g_object_new_valist+0x3b5)[0x7fb5824c51b5]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgobject-2.0.so.0(g_object_new+0xf1)[0x7fb5824c5521]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgtk-3.so.0(gtk_file_chooser_dialog_new+0x74)[0x7fb583af1294]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x4e3b90b]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896(_ZN11file_dialog14ShowOpenDialogERKNS_14DialogSettingsERKN4base8CallbackIFvbRKSt6vectorINS3_8FilePathESaIS6_EEELNS3_8internal8CopyModeE1ELNSC_10RepeatModeE1EEE+0x2d)[0x4e3be3d]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896(_ZN4atom15WebDialogHelper14RunFileChooserEPN7content15RenderFrameHostERKNS1_17FileChooserParamsE+0x33c)[0x4e4d90c]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x1d8c9b4]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x1d8c858]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x1d86c2f]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x2347525]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x48001eb]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x47ed9db]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x47edcf8]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x47ee0d1]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x47c4159]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x47affc0]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x1bfef9e]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x1bfed9e]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x1d65ead]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x1e67b93]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x1a4c63c]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x19e6d0d]
======= Memory map: ========
000dc000-00200000 rw-p 00000000 07:15 15088                              /snap/skype/51/usr/share/skypeforlinux/skypeforlinux
00200000-01802000 r--p 00124000 07:15 15088                              /snap/skype/51/usr/share/skypeforlinux/skypeforlinux
01802000-04f35000 r-xp 01726000 07:15 15088                              /snap/skype/51/usr/share/skypeforlinux/skypeforlinux
04f35000-04f4b000 rw-p 04e59000 07:15 15088                              /snap/skype/51/usr/share/skypeforlinux/skypeforlinux
04f4b000-05818000 rw-p 00000000 00:00 0 
06322000-0749a000 rw-p 00000000 00:00 0                                  [heap]
af8f00000-af8f80000 rw-p 00000000 00:00 0 
2a231d00000-2a231d80000 rw-p 00000000 00:00 0 
4342f600000-4342f6ab000 rw-p 00000000 00:00 0 
4dab7f00000-4dab800a000 rw-p 00000000 00:00 0 
5e2b1980000-5e2b1a00000 rw-p 00000000 00:00 0 
683f0500000-683f0580000 rw-p 00000000 00:00 0 
74c45800000-74c45880000 rw-p 00000000 00:00 0 
7f95e280000-7f95e300000 rw-p 00000000 00:00 0 
8590f380000-8590f400000 rw-p 00000000 00:00 0 
a95ac180000-a95ac200000 rw-p 00000000 00:00 0 
b464c9b8000-b464c9c0000 rw-p 00000000 00:00 0 
b464c9c0000-b464c9c4000 ---p 00000000 00:00 0 
bf52cd00000-bf52cd80000 rw-p 00000000 00:00 0 
c191e080000-c191e100000 rw-p 00000000 00:00 0 
fe78f400000-fe78f480000 rw-p 00000000 00:00 0 
14c588080000-14c588100000 rw-p 00000000 00:00 0 
16dfa8300000-16dfa8380000 rw-p 00000000 00:00 0 
1b328cb00000-1b328cb80000 rw-p 00000000 00:00 0 
1de101180000-1de101200000 rw-p 00000000 00:00 0 
1e993f000000-1e993f080000 rw-p 00000000 00:00 0 
20c071f00000-20c071f80000 rw-p 00000000 00:00 0 
20c61d680000-20c61d700000 rw-p 00000000 00:00 0 
2240c1900000-2240c19ab000 rw-p 00000000 00:00 0 
22628d700000-22628d780000 rw-p 00000000 00:00 0 
25bf77500000-25bf77580000 rw-p 00000000 00:00 0 
26ce1a280000-26ce1a300000 rw-p 00000000 00:00 0 
26daf9ead000-26daf9f00000 ---p 00000000 00:00 0 
26daf9f00000-26daf9f03000 rw-p 00000000 00:00 0 
26daf9f03000-26daf9f04000 ---p 00000000 00:00 0 
26daf9f04000-26daf9f2d000 rwxp 00000000 00:00 0 
26daf9f2d000-26daf9f80000 ---p 00000000 00:00 0 
26daf9f80000-26daf9f83000 rw-p 00000000 00:00 0 
26daf9f83000-26daf9f84000 ---p 00000000 00:00 0 
26daf9f84000-26daf9fad000 rwxp 00000000 00:00 0 
26daf9fad000-26dafa000000 ---p 00000000 00:00 0 
26dafa000000-26dafa003000 rw-p 00000000 00:00 0 
26dafa003000-26dafa004000 ---p 00000000 00:00 0 
26dafa004000-26dafa02d000 rwxp 00000000 00:00 0 
26dafa02d000-26dafa080000 ---p 00000000 00:00 0 
26dafa080000-26dafa083000 rw-p 00000000 00:00 0 
26dafa083000-26dafa084000 ---p 00000000 00:00 0 
26dafa084000-26dafa0ff000 rwxp 00000000 00:00 0 
26dafa0ff000-26dafa100000 ---p 00000000 00:00 0 
26dafa100000-26dafa103000 rw-p 00000000 00:00 0 
26dafa103000-26dafa104000 ---p 00000000 00:00 0 
26dafa104000-26dafa17f000 rwxp 00000000 00:00 0 
26dafa17f000-26dafa180000 ---p 00000000 00:00 0 
26dafa180000-26dafa183000 rw-p 00000000 00:00 0 
26dafa183000-26dafa184000 ---p 00000000 00:00 0 
26dafa184000-26dafa1ff000 rwxp 00000000 00:00 0 
26dafa1ff000-26dafa200000 ---p 00000000 00:00 0 
26dafa200000-26dafa203000 rw-p 00000000 00:00 0 
26dafa203000-26dafa204000 ---p 00000000 00:00 0 
26dafa204000-26dafa27f000 rwxp 00000000 00:00 0 
26dafa27f000-26db19ead000 ---p 00000000 00:00 0 
2adf28e80000-2adf28f00000 rw-p 00000000 00:00 0 
2b4467900000-2b4467980000 rw-p 00000000 00:00 0 
2bb8adb80000-2bb8adc00000 rw-p 00000000 00:00 0 
2dadb8480000-2dadb8500000 rw-p 00000000 00:00 0 
2fa869080000-2fa869100000 rw-p 00000000 00:00 0 
325d21200000-325d21280000 rw-p 00000000 00:00 0 
3462c4b00000-3462c4b80000 rw-p 00000000 00:00 0 
34a98af80000-34a98b000000 rw-p 00000000 00:00 0 
34efe4300000-34efe4380000 rw-p 00000000 00:00 0 
355999380000-355999400000 rw-p 00000000 00:00 0 
35c8d9680000-35c8d9685000 rw-p 00000000 00:00 0 
36fd03c00000-36fd03c80000 rw-p 00000000 00:00 0 
371ab4200000-371ab4280000 rw-p 00000000 00:00 0 
37e430000000-37e430080000 rw-p 00000000 00:00 0 
37f3b2f00000-37f3b2f80000 rw-p 00000000 00:00 0 
389966a80000-389966b8a000 rw-p 00000000 00:00 0 
3ad500400000-3ad500480000 rw-p 00000000 00:00 0 
3aff91d80000-3aff91de2000 rw-p 00000000 00:00 0 
3b2f0d680000-3b2f0d700000 rw-p 00000000 00:00 0 
3fba22080000-3fba22100000 rw-p 00000000 00:00 0 
7fb4bfffc000-7fb4c3ffd000 rw-s 00000000 00:1a 116                        /dev/shm/pulse-shm-3506809168
7fb4c3ffd000-7fb4c7ffe000 rw-s 00000000 00:1a 115                        /dev/shm/pulse-shm-136900218
7fb4c7ffe000-7fb4cbfff000 rw-s 00000000 00:1a 95                         /dev/shm/pulse-shm-1835135660
7fb4cbfff000-7fb4d0000000 rw-s 00000000 00:1a 93                         /dev/shm/pulse-shm-465478744
7fb4d0000000-7fb4d0029000 rw-p 00000000 00:00 0 
7fb4d0029000-7fb4d4000000 ---p 00000000 00:00 0 
7fb4d615e000-7fb4d615f000 ---p 00000000 00:00 0 
7fb4d615f000-7fb4d695f000 rw-p 00000000 00:00 0 
7fb4d695f000-7fb4d6960000 ---p 00000000 00:00 0 
7fb4d6960000-7fb4d7160000 rw-p 00000000 00:00 0 
7fb4d7160000-7fb4d7180000 rw-s 00000000 00:1a 195                        /dev/shm/.org.chromium.Chromium.5U4VoF (deleted)
7fb4d7180000-7fb4d71c0000 rw-s 00000000 00:1a 194                        /dev/shm/.org.chromium.Chromium.RLeLh9 (deleted)
7fb4d71c0000-7fb4d71e0000 rw-s 00000000 00:1a 185                        /dev/shm/.org.chromium.Chromium.vuEDaD (deleted)
7fb4d71e0000-7fb4d7220000 rw-s 00000000 00:1a 124                        /dev/shm/.org.chromium.Chromium.QXky36 (deleted)
7fb4d7260000-7fb4d72a0000 rw-s 00000000 00:1a 190                        /dev/shm/.org.chromium.Chromium.iNwIs3 (deleted)
7fb4d72a0000-7fb4d72e0000 rw-s 00000000 00:1a 189                        /dev/shm/.org.chromium.Chromium.TCc7Dx (deleted)
7fb4d7320000-7fb4d7340000 rw-s 00000000 00:1a 153                        /dev/shm/.org.chromium.Chromium.niC6By (deleted)
7fb4d7340000-7fb4d7380000 rw-s 00000000 00:1a 184                        /dev/shm/.org.chromium.Chromium.Bckk6z (deleted)
7fb4d7380000-7fb4d73c0000 rw-s 00000000 00:1a 183                        /dev/shm/.org.chromium.Chromium.cjU5H8 (deleted)
7fb4d73c0000-7fb4d7400000 rw-s 00000000 00:1a 182                        /dev/shm/.org.chromium.Chromium.T0uSjH (deleted)
7fb4d7400000-7fb4d7440000 rw-s 00000000 00:1a 181                        /dev/shm/.org.chromium.Chromium.QW3FVf (deleted)
7fb4d7440000-7fb4d7480000 rw-s 00000000 00:1a 180                        /dev/shm/.org.chromium.Chromium.VUxuxO (deleted)
7fb4d74c0000-7fb4d7500000 rw-s 00000000 00:1a 178                        /dev/shm/.org.chromium.Chromium.HikaLV (deleted)
7fb4d7640000-7fb4d7680000 rw-s 00000000 00:1a 171                        /dev/shm/.org.chromium.Chromium.4UVv2P (deleted)
7fb4d7680000-7fb4d76c0000 rw-s 00000000 00:1a 170                        /dev/shm/.org.chromium.Chromium.BpeuEo (deleted)
7fb4d7700000-7fb4d7740000 rw-s 00000000 00:1a 168                        /dev/shm/.org.chromium.Chromium.vB2tSv (deleted)
7fb4d7780000-7fb4d77c0000 rw-s 00000000 00:1a 166                        /dev/shm/.org.chromium.Chromium.8lIy6C (deleted)
7fb4d7840000-7fb4d7880000 rw-s 00000000 00:1a 162                        /dev/shm/.org.chromium.Chromium.aN74AR (deleted)
7fb4d7880000-7fb4d78c0000 rw-s 00000000 00:1a 161                        /dev/shm/.org.chromium.Chromium.ExRifq (deleted)
7fb4d78c0000-7fb4d7900000 rw-s 00000000 00:1a 160                        /dev/shm/.org.chromium.Chromium.O1MxTY (deleted)
7fb4d7940000-7fb4d7980000 rw-s 00000000 00:1a 158                        /dev/shm/.org.chromium.Chromium.mxd5b6 (deleted)
7fb4d79c0000-7fb4d7a00000 rw-s 00000000 00:1a 156                        /dev/shm/.org.chromium.Chromium.byaHud (deleted)
7fb4d7a40000-7fb4d7a80000 rw-s 00000000 00:1a 132                        /dev/shm/.org.chromium.Chromium.2FEnNk (deleted)
7fb4d7ac0000-7fb4d7b00000 rw-s 00000000 00:1a 130                        /dev/shm/.org.chromium.Chromium.HFba6r (deleted)
7fb4d7b00000-7fb4d7b40000 rw-s 00000000 00:1a 129                        /dev/shm/.org.chromium.Chromium.tFrAK0 (deleted)
7fb4d7b40000-7fb4d7b80000 rw-s 00000000 00:1a 152                        /dev/shm/.org.chromium.Chromium.4rXuc5 (deleted)
7fb4d7b80000-7fb4d7bc0000 rw-s 00000000 00:1a 151                        /dev/shm/.org.chromium.Chromium.ei9cxE (deleted)
7fb4d7f40000-7fb4d7f80000 rw-s 00000000 00:1a 146                        /dev/shm/.org.chromium.Chromium.hbGEFc (deleted)
7fb4d7fc0000-7fb4d8000000 rw-s 00000000 00:1a 144                        /dev/shm/.org.chromium.Chromium.TaWipl (deleted)
7fb4d8000000-7fb4d803c000 rw-p 00000000 00:00 0 
7fb4d803c000-7fb4dc000000 ---p 00000000 00:00 0 
7fb4dc000000-7fb4dc021000 rw-p 00000000 00:00 0 
7fb4dc021000-7fb4e0000000 ---p 00000000 00:00 0 
7fb4e0000000-7fb4e0022000 rw-p 00000000 00:00 0 
7fb4e0022000-7fb4e4000000 ---p 00000000 00:00 0 
7fb4e4030000-7fb4e4094000 rw-s 00000000 00:1a 111                        /dev/shm/.org.chromium.Chromium.7I5ZtW (deleted)
7fb4e4094000-7fb4e40f4000 rw-s 00000000 00:1a 100                        /dev/shm/.org.chromium.Chromium.L6QAhS (deleted)
7fb4e40f4000-7fb4e4154000 rw-s 00000000 00:1a 91                         /dev/shm/.org.chromium.Chromium.Sf8WzY (deleted)
7fb4e4154000-7fb4e4155000 ---p 00000000 00:00 0 
7fb4e4155000-7fb4e4955000 rw-p 00000000 00:00 0 
7fb4e4995000-7fb4e49d5000 rw-s 00000000 00:1a 137                        /dev/shm/.org.chromium.Chromium.Hx0IZk (deleted)
7fb4e49d5000-7fb4e637d000 r-xp 00000000 08:01 26878205                   /usr/lib/x86_64-linux-gnu/libicudata.so.60.2
7fb4e637d000-7fb4e657c000 ---p 019a8000 08:01 26878205                   /usr/lib/x86_64-linux-gnu/libicudata.so.60.2
7fb4e657c000-7fb4e657d000 r--p 019a7000 08:01 26878205                   /usr/lib/x86_64-linux-gnu/libicudata.so.60.2
7fb4e657d000-7fb4e657e000 rw-p 019a8000 08:01 26878205                   /usr/lib/x86_64-linux-gnu/libicudata.so.60.2
7fb4e657e000-7fb4e6721000 r-xp 00000000 08:01 26878215                   /usr/lib/x86_64-linux-gnu/libicuuc.so.60.2
7fb4e6721000-7fb4e6920000 ---p 001a3000 08:01 26878215                   /usr/lib/x86_64-linux-gnu/libicuuc.so.60.2
7fb4e6920000-7fb4e6933000 r--p 001a2000 08:01 26878215                   /usr/lib/x86_64-linux-gnu/libicuuc.so.60.2
7fb4e6933000-7fb4e6934000 rw-p 001b5000 08:01 26878215                   /usr/lib/x86_64-linux-gnu/libicuuc.so.60.2
7fb4e6934000-7fb4e6935000 rw-p 00000000 00:00 0 
7fb4e6935000-7fb4e6bc7000 r-xp 00000000 08:01 26878207                   /usr/lib/x86_64-linux-gnu/libicui18n.so.60.2
7fb4e6bc7000-7fb4e6dc6000 ---p 00292000 08:01 26878207                   /usr/lib/x86_64-linux-gnu/libicui18n.so.60.2
7fb4e6dc6000-7fb4e6dd5000 r--p 00291000 08:01 26878207                   /usr/lib/x86_64-linux-gnu/libicui18n.so.60.2
7fb4e6dd5000-7fb4e6dd6000 rw-p 002a0000 08:01 26878207                   /usr/lib/x86_64-linux-gnu/libicui18n.so.60.2
7fb4e6dd6000-7fb4e6e1b000 r-xp 00000000 08:01 27136130                   /usr/lib/x86_64-linux-gnu/libunity/libunity-protocol-private.so.0.0.0
7fb4e6e1b000-7fb4e701a000 ---p 00045000 08:01 27136130                   /usr/lib/x86_64-linux-gnu/libunity/libunity-protocol-private.so.0.0.0
7fb4e701a000-7fb4e701d000 r--p 00044000 08:01 27136130                   /usr/lib/x86_64-linux-gnu/libunity/libunity-protocol-private.so.0.0.0
7fb4e701d000-7fb4e701e000 rw-p 00047000 08:01 27136130                   /usr/lib/x86_64-linux-gnu/libunity/libunity-protocol-private.so.0.0.0
7fb4e701e000-7fb4e7057000 r-xp 00000000 08:01 26877853                   /usr/lib/x86_64-linux-gnu/libdee-1.0.so.4.2.1
7fb4e7057000-7fb4e7257000 ---p 00039000 08:01 26877853                   /usr/lib/x86_64-linux-gnu/libdee-1.0.so.4.2.1
7fb4e7257000-7fb4e7258000 r--p 00039000 08:01 26877853                   /usr/lib/x86_64-linux-gnu/libdee-1.0.so.4.2.1
7fb4e7258000-7fb4e7259000 rw-p 0003a000 08:01 26877853                   /usr/lib/x86_64-linux-gnu/libdee-1.0.so.4.2.1
7fb4e7259000-7fb4e72f6000 r-xp 00000000 08:01 26878675                   /usr/lib/x86_64-linux-gnu/libunity.so.9.0.2
7fb4e72f6000-7fb4e74f6000 ---p 0009d000 08:01 26878675                   /usr/lib/x86_64-linux-gnu/libunity.so.9.0.2
7fb4e74f6000-7fb4e74fa000 r--p 0009d000 08:01 26878675                   /usr/lib/x86_64-linux-gnu/libunity.so.9.0.2
7fb4e74fa000-7fb4e74fc000 rw-p 000a1000 08:01 26878675                   /usr/lib/x86_64-linux-gnu/libunity.so.9.0.2
7fb4e74fc000-7fb4e74fd000 rw-p 00000000 00:00 0 
7fb4e74fd000-7fb4e74fe000 ---p 00000000 00:00 0 
7fb4e74fe000-7fb4e7cfe000 rw-p 00000000 00:00 0 
7fb4e7cfe000-7fb4e7dc3000 r-xp 00000000 07:15 15069                      /snap/skype/51/usr/share/skypeforlinux/resources/app.asar.unpacked/node_modules/electron-ssid/build/Release/electron-ssid.node
7fb4e7dc3000-7fb4e7fc2000 ---p 000c5000 07:15 15069                      /snap/skype/51/usr/share/skypeforlinux/resources/app.asar.unpacked/node_modules/electron-ssid/build/Release/electron-ssid.node
7fb4e7fc2000-7fb4e7fcb000 rw-p 000c4000 07:15 15069                      /snap/skype/51/usr/share/skypeforlinux/resources/app.asar.unpacked/node_modules/electron-ssid/build/Release/electron-ssid.node
7fb4e7fcb000-7fb4e7fdf000 rw-p 00000000 00:00 0 
7fb4e7fdf000-7fb4e7fff000 rw-p 00101000 07:15 15069                      /snap/skype/51/usr/share/skypeforlinux/resources/app.asar.unpacked/node_modules/electron-ssid/build/Release/electron-ssid.node
7fb4e7fff000-7fb4ec000000 rw-s 00000000 00:1a 12                         /dev/shm/pulse-shm-2958556533
7fb4ec000000-7fb4ec021000 rw-p 00000000 00:00 0 
7fb4ec021000-7fb4f0000000 ---p 00000000 00:00 0 
7fb4f002d000-7fb4f0091000 rw-s 00000000 00:1a 90                         /dev/shm/.org.chromium.Chromium.JPBrMl (deleted)
7fb4f0091000-7fb4f00d1000 rw-s 00000000 00:1a 134                        /dev/shm/.org.chromium.Chromium.ctJK62 (deleted)
7fb4f00f1000-7fb4f0151000 rw-s 00000000 00:1a 89                         /dev/shm/.org.chromium.Chromium.kfsXYI (deleted)
7fb4f0151000-7fb4f01d2000 rw-s 00000000 08:01 1838001                    /home/input0/snap/skype/common/.config/skypeforlinux/Cache/index
7fb4f01d2000-7fb4f01d3000 ---p 00000000 00:00 0 
7fb4f01d3000-7fb4f09d3000 rw-p 00000000 00:00 0 
7fb4f09d3000-7fb4f0a1f000 r-xp 00000000 07:15 484                        /snap/skype/51/usr/lib/x86_64-linux-gnu/libsecret-1.so.0.0.0
7fb4f0a1f000-7fb4f0c1e000 ---p 0004c000 07:15 484                        /snap/skype/51/usr/lib/x86_64-linux-gnu/libsecret-1.so.0.0.0
7fb4f0c1e000-7fb4f0c21000 r--p 0004b000 07:15 484                        /snap/skype/51/usr/lib/x86_64-linux-gnu/libsecret-1.so.0.0.0
7fb4f0c21000-7fb4f0c22000 rw-p 0004e000 07:15 484                        /snap/skype/51/usr/lib/x86_64-linux-gnu/libsecret-1.so.0.0.0
7fb4f0c22000-7fb4f0c26000 rw-p 00050000 07:15 484                        /snap/skype/51/usr/lib/x86_64-linux-gnu/libsecret-1.so.0.0.0
7fb4f0c26000-7fb4f0cba000 r-xp 00000000 07:15 15077                      /snap/skype/51/usr/share/skypeforlinux/resources/app.asar.unpacked/node_modules/keytar/build/Release/keytar.node
7fb4f0cba000-7fb4f0eb9000 ---p 00094000 07:15 15077                      /snap/skype/51/usr/share/skypeforlinux/resources/app.asar.unpacked/node_modules/keytar/build/Release/keytar.node
7fb4f0eb9000-7fb4f0ec0000 rw-p 00093000 07:15 15077                      /snap/skype/51/usr/share/skypeforlinux/resources/app.asar.unpacked/node_modules/keytar/build/Release/keytar.node
7fb4f0ec0000-7fb4f0ed3000 rw-p 00000000 00:00 0 
7fb4f0ed3000-7fb4f0eea000 rw-p 000c1000 07:15 15077                      /snap/skype/51/usr/share/skypeforlinux/resources/app.asar.unpacked/node_modules/keytar/build/Release/keytar.node
7fb4f0eea000-7fb4f12eb000 rw-s 00000000 00:1a 112                        /dev/shm/.org.chromium.Chromium.8b0GDI (deleted)
7fb4f12eb000-7fb4f132b000 rw-s 00000000 00:1a 110                        /dev/shm/.org.chromium.Chromium.wo010t (deleted)
7fb4f136b000-7fb4f13ab000 rw-s 00000000 00:1a 108                        /dev/shm/.org.chromium.Chromium.4MWzbK (deleted)
7fb4f13ab000-7fb4f13eb000 rw-s 00000000 00:1a 107                        /dev/shm/.org.chromium.Chromium.PCNSgn (deleted)
7fb4f13eb000-7fb4f142b000 rw-s 00000000 00:1a 106                        /dev/shm/.org.chromium.Chromium.UUZcm0 (deleted)
7fb4f146b000-7fb4f14ab000 rw-s 00000000 00:1a 104                        /dev/shm/.org.chromium.Chromium.MzjVwg (deleted)
7fb4f14bb000-7fb4f14cb000 rw-s 00000000 00:1a 118                        /dev/shm/.org.chromium.Chromium.GgMWqU (deleted)
7fb4f14cb000-7fb4f14eb000 rw-s 00000000 00:1a 109                        /dev/shm/.org.chromium.Chromium.CbpRGw (deleted)
7fb4f14eb000-7fb4f152b000 rw-s 00000000 00:1a 38                         /dev/shm/.org.chromium.Chromium.keWIHw (deleted)
7fb4f152b000-7fb4f156b000 rw-s 00000000 00:1a 102                        /dev/shm/.org.chromium.Chromium.9HJ9M9 (deleted)
7fb4f1577000-7fb4f1587000 rw-s 00000000 00:1a 113                        /dev/shm/.org.chromium.Chromium.UPK1Ee (deleted)
7fb4f1587000-7fb4f15eb000 rw-s 00000000 00:1a 34                         /dev/shm/.org.chromium.Chromium.leYub6 (deleted)
7fb4f15eb000-7fb4f162b000 rw-s 00000000 00:1a 97                         /dev/shm/.org.chromium.Chromium.6IeB32 (deleted)
7fb4f162b000-7fb4f1a2c000 rw-s 00000000 00:1a 85                         /dev/shm/.org.chromium.Chromium.6d3WFD (deleted)
7fb4f1a2c000-7fb4f1a6c000 rw-s 00000000 00:1a 83                         /dev/shm/.org.chromium.Chromium.IjR5gj (deleted)
7fb4f1a6c000-7fb4f1aac000 rw-s 00000000 00:1a 88                         /dev/shm/.org.chromium.Chromium.cG4AwK (deleted)
7fb4f1aac000-7fb4f1aec000 rw-s 00000000 00:1a 77                         /dev/shm/.org.chromium.Chromium.StnttE (deleted)
7fb4f1aec000-7fb4f1b2c000 rw-s 00000000 00:1a 71                         /dev/shm/.org.chromium.Chromium.xRFG4j (deleted)
7fb4f1b2c000-7fb4f1b2d000 ---p 00000000 00:00 0 
7fb4f1b2d000-7fb4f25f5000 rw-p 00000000 00:00 0 
7fb4f25f5000-7fb4f25f6000 ---p 00000000 00:00 0 
7fb4f25f6000-7fb4f2df6000 rw-p 00000000 00:00 0 
7fb4f2df6000-7fb4f2dfb000 r-xp 00000000 07:0b 2287                       /snap/core/5328/lib/x86_64-linux-gnu/libnss_dns-2.23.so
7fb4f2dfb000-7fb4f2ffb000 ---p 00005000 07:0b 2287                       /snap/core/5328/lib/x86_64-linux-gnu/libnss_dns-2.23.so
7fb4f2ffb000-7fb4f2ffc000 r--p 00005000 07:0b 2287                       /snap/core/5328/lib/x86_64-linux-gnu/libnss_dns-2.23.so
7fb4f2ffc000-7fb4f2ffd000 rw-p 00006000 07:0b 2287                       /snap/core/5328/lib/x86_64-linux-gnu/libnss_dns-2.23.so
7fb4f2ffd000-7fb4f2ffe000 ---p 00000000 00:00 0 
7fb4f2ffe000-7fb4f37fe000 rw-p 00000000 00:00 0 
7fb4f37fe000-7fb4f37ff000 ---p 00000000 00:00 0 
7fb4f37ff000-7fb4f3fff000 rw-p 00000000 00:00 0 
7fb4f3fff000-7fb4f8000000 rw-s 00000000 00:1a 7                          /dev/shm/pulse-shm-796608596
7fb4f8000000-7fb4f8083000 rw-p 00000000 00:00 0 
7fb4f8083000-7fb4fc000000 ---p 00000000 00:00 0 
7fb4fc000000-7fb4fc021000 rw-p 00000000 00:00 0 
7fb4fc021000-7fb500000000 ---p 00000000 00:00 0 
7fb500000000-7fb500021000 rw-p 00000000 00:00 0 
7fb500021000-7fb504000000 ---p 00000000 00:00 0 
7fb504000000-7fb504021000 rw-p 00000000 00:00 0 
7fb504021000-7fb508000000 ---p 00000000 00:00 0 
7fb508000000-7fb508021000 rw-p 00000000 00:00 0 
7fb508021000-7fb50c000000 ---p 00000000 00:00 0 
7fb50c000000-7fb50c30a000 rw-p 00000000 00:00 0 
7fb50c30a000-7fb510000000 ---p 00000000 00:00 0 
7fb510000000-7fb510028000 rw-p 00000000 00:00 0 
7fb510028000-7fb514000000 ---p 00000000 00:00 0 
7fb514000000-7fb514008000 rw-s 00000000 00:1a 187                        /dev/shm/.org.chromium.Chromium.wp000v (deleted)
7fb514008000-7fb514048000 rw-s 00000000 00:1a 68                         /dev/shm/.org.chromium.Chromium.kV2UFZ (deleted)
7fb514048000-7fb514088000 rw-s 00000000 00:1a 87                         /dev/shm/.org.chromium.Chromium.JUxFl8 (deleted)
7fb514088000-7fb5140c8000 rw-s 00000000 00:1a 65                         /dev/shm/.org.chromium.Chromium.476qSk (deleted)
7fb5140c8000-7fb514108000 rw-s 00000000 00:1a 96                         /dev/shm/.org.chromium.Chromium.1d878F (deleted)
7fb514108000-7fb514148000 rw-s 00000000 00:1a 86                         /dev/shm/.org.chromium.Chromium.IHmLaw (deleted)
7fb514148000-7fb51414a000 r-xp 00000000 08:01 8917743                    /lib/x86_64-linux-gnu/libnss_mdns4_minimal.so.2
7fb51414a000-7fb514349000 ---p 00002000 08:01 8917743                    /lib/x86_64-linux-gnu/libnss_mdns4_mini
$

Cool, so when I read the backtrace I understood that this might be a memory corruption in `malloc()`.

So basically, the memory allocator hands out pages of memory to the program and returns pointers into them. The file I was trying to share may have been larger than Skype could handle during the call (PS: it was just an 800 kB JPG). If a program allocates a buffer and keeps writing past the end of its allocated space, the write lands in memory that belongs to a neighbouring allocation or to the allocator's own chunk metadata; glibc notices the inconsistent metadata on a later `malloc()` or `free()` and aborts with exactly this kind of `malloc(): memory corruption` message. The abort therefore happens where the damage was detected, not necessarily where it was written, which is why the top frames of the backtrace are inside libc rather than in the code that overflowed.
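Reading a glibc backtrace like the one above is easier with a little tooling. The following added Python example (mine, not from the post or from Skype) parses `backtrace_symbols`-style frame lines of the form `module(symbol+offset)[address]` and separates allocator frames, where glibc detected the bad chunk metadata, from the first application frame, which is what the program was actually doing. On the frames copied from the dump above it shows the abort occurred in `malloc()` called from GLib's GVariant code inside GIO's remote volume monitor module, while GTK was building the file chooser (`gtk_file_chooser_dialog_new`) that Electron's `atom::WebDialogHelper::RunFileChooser` opens for the share dialog. The dump also shows that volume monitor module being loaded from the host's `/usr/lib/x86_64-linux-gnu/gio/modules/` while GLib and GTK come from inside the snap; whether that mix is the cause cannot be told from the dump alone, but it is worth checking first. The list of allocator symbols and the `split(" --")` heuristic for the binary's argv tail are my assumptions.

```python
"""Added example, not from the post or from Skype: parse the glibc backtrace above
and separate the allocator frames (where the corruption was *detected*) from the
application frames (what the program was doing when glibc aborted)."""
import os
import re

# A subset of the frames printed above, copied from the post's backtrace.
SAMPLE_BACKTRACE = """\
/snap/core/current/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7fb57d6b97e5]
/snap/core/current/lib/x86_64-linux-gnu/libc.so.6(+0x8213e)[0x7fb57d6c413e]
/snap/core/current/lib/x86_64-linux-gnu/libc.so.6(__libc_malloc+0x54)[0x7fb57d6c6184]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896(malloc+0x1c)[0x47cc34c]
/snap/skype/51/usr/share/skypeforlinux/../../../lib/x86_64-linux-gnu/libglib-2.0.so.0(g_malloc+0x19)[0x7fb57ff91719]
/snap/skype/51/usr/share/skypeforlinux/../../../lib/x86_64-linux-gnu/libglib-2.0.so.0(+0x8508d)[0x7fb57ffc708d]
/snap/skype/51/usr/share/skypeforlinux/../../../lib/x86_64-linux-gnu/libglib-2.0.so.0(g_variant_get_data+0x1f)[0x7fb57ffc72ff]
/usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so(+0xc873)[0x7fb57314b873]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgtk-3.so.0(gtk_file_chooser_dialog_new+0x74)[0x7fb583af1294]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896(_ZN4atom15WebDialogHelper14RunFileChooserEPN7content15RenderFrameHostERKNS1_17FileChooserParamsE+0x33c)[0x4e4d90c]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x1d8c9b4]
"""

# glibc backtrace_symbols_fd() format: MODULE(SYMBOL+OFFSET)[ADDR], MODULE(+OFFSET)[ADDR]
# for a static function, or just MODULE[ADDR] when nothing could be resolved.
FRAME_RE = re.compile(
    r"^(?P<module>.+?)"
    r"(?:\((?P<symbol>[^()]*?)\+(?P<offset>0x[0-9a-fA-F]+)\))?"
    r"\[(?P<addr>0x[0-9a-fA-F]+)\]\s*$"
)

# Allocation plumbing rather than the feature being used (my choice of names).
ALLOCATOR_SYMBOLS = {"malloc", "__libc_malloc", "calloc", "realloc", "free",
                     "g_malloc", "g_malloc0", "g_realloc", "g_free"}


def parse_frame(line):
    """Return a dict for one backtrace line, or None if it is not a frame."""
    m = FRAME_RE.match(line)
    if not m:
        return None
    module = m.group("module")
    # The main binary is printed with its argv tail ("... --pid=6896"); keep only
    # the path (heuristic: cut at the first " --").
    path = module.split(" --", 1)[0]
    return {
        "module": os.path.basename(path),
        "symbol": m.group("symbol") or "",  # "" for (+0x...) frames
        "offset": int(m.group("offset"), 16) if m.group("offset") else None,
        "addr": int(m.group("addr"), 16),
    }


def parse_backtrace(text):
    """Parse every frame line; banners like '======= Backtrace: =========' are skipped."""
    frames = []
    for line in text.splitlines():
        frame = parse_frame(line.strip())
        if frame is not None:
            frames.append(frame)
    return frames


def is_allocator_frame(frame):
    """libc internals and malloc wrappers: where glibc detected the corruption."""
    return frame["module"].startswith("libc.so") or frame["symbol"] in ALLOCATOR_SYMBOLS


def first_application_frame(frames):
    """First frame that is not allocator plumbing: the code that asked for memory."""
    for frame in frames:
        if not is_allocator_frame(frame):
            return frame
    return None


def describe(frame):
    """One-liner such as 'libglib-2.0.so.0!g_variant_get_data+0x1f'."""
    if frame["offset"] is None:
        return "%s[0x%x]" % (frame["module"], frame["addr"])
    if not frame["symbol"]:
        return "%s+0x%x" % (frame["module"], frame["offset"])
    return "%s!%s+0x%x" % (frame["module"], frame["symbol"], frame["offset"])


if __name__ == "__main__":
    frames = parse_backtrace(SAMPLE_BACKTRACE)
    for f in frames:
        print("alloc" if is_allocator_frame(f) else "app  ", describe(f))
    print("first non-allocator frame:", describe(first_application_frame(frames)))
```

The first non-allocator frame is a static function inside `libglib-2.0.so.0` at `+0x8508d`, immediately below `g_variant_get_data`; the C++ frames can be fed to `c++filt` to get readable names. The point of the split is the caveat from the paragraph above: the frames tagged `alloc` tell you where glibc noticed the corruption, and the frames below them tell you which feature was running, but neither necessarily shows the line that wrote out of bounds.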



Being a fan of responsible disclosure, I submitted this to Microsoft on 8 August 2018, but MS said: "Upon investigation, we have determined that this submission does not meet the bar for security servicing." 🤦

Okay, but I passed this on to the Skype team on Twitter, and they looked into it!
At last, this was patched in Skype 8.29.0.41 for Linux.


Regards