Vulnerability Development mailing list archives
Re: Skype API Ap2Ap Stream Creation Flaw
From: Stephen Samuel <samnospam () bcgreen com>
Date: Mon, 21 Aug 2006 13:28:46 -0700
Other than the fact that this takes advantage of Skype's built-in encryption, I don't see how this is that much different than any other network-capable application being built with backdoors and call-home capability.
vizig0thblitz () gmail com wrote:
An application-to-application stream can be created between two Skype clients without having established normal communications between them and both Skype clients' contact lists are empty. With this ability any Skype enabled application can create a covert communication stream to a central server. This can only occur, of course, if the user voluntarily installs the application. Therefore, the main attack vector for this functionality is to create a legitimate Skype-enabled application, have the user install the application, and once the user starts the application make a covert connection to a central server. Once the connection to the central server is made, additional software can be downloaded and installed on the target computer via the application-to-application stream.

Scenario Setup:

The following will be needed to recreate the scenario:

1. Two computers with Skype installed and two separate Skype Ids that have had no communication between them.
2. A copy of SkypeTracer installed on each computer.

Scenario Steps:
. . . . .

--
Stephen Samuel +1(778)861-7641 samnospam () bcgreen com
http://www.bcgreen.com/
Powerful committed communication. Transformation touching the jewel within each person and bringing it to light.