Document Outline

http://www.skype.com/go/getskype-

Skype versions

A large variety of flavours...

Skype v2.0.0.*
PChome-Skype v2.0.1.*

TOM-Skype

v2.0.4.*

livedoor-Skype v2.0.6.*
Buffalo-Skype v2.0.7.*
Daum-Skype v1.4.9.*
HGC-Skype v2.0.10.*
Onet-Skype v2.0.11.*
Jubii-Skype v2.0.12.*
eBay-Skype v2.0.13.*
U3-Skype v1.4.14.*

Maktoob-Skype v2.0.15.*
Chinagate-Skype v2.0.16.*
PacNet-Skype v2.0.17.*
eBay.es-Skype v2.0.18.*
eBay.it-Skype v2.0.19.*
eBay.co.uk-Skype v2.0.20.*
eBay.de-Skype v2.0.21.*
eBay.fr-Skype v2.0.22.*
Bebo-Skype v2.0.24.*
eBay.nl-Skype v2.0.26.*

eBay.cn-Skype

v2.0.29.*

Downloading a particular version

keyword

Example:

http://www.skype.com/go/getskype-ebay-fr

Fabrice DESCLAUX, Kostya KORTCHINSKY

4/74

Analysis of the login phase
Playing with Skype Traffic
Nice commands
Remote exploit

Arithmetic compression

Example

1] is splited in subintervals for each symbol according to

their frequency

First symbol is

. We subdivise its interval

Then comes

Then

again

Then

Each real enclosed into this small interval can encode

ACAB

0.5

0.625

Fabrice DESCLAUX, Kostya KORTCHINSKY

8/74

Analysis of the login phase
Playing with Skype Traffic
Nice commands
Remote exploit

Arithmetic compression

Example

1] is splited in subintervals for each symbol according to

their frequency
First symbol is

. We subdivise its interval

Then comes

Then

again

Then

Each real enclosed into this small interval can encode

ACAB

0.5

0.625

Fabrice DESCLAUX, Kostya KORTCHINSKY

8/74

Analysis of the login phase
Playing with Skype Traffic
Nice commands
Remote exploit

Arithmetic compression

Example

1] is splited in subintervals for each symbol according to

their frequency
First symbol is

. We subdivise its interval

Then comes

Then

again

Then

Each real enclosed into this small interval can encode

ACAB

0.5

0.625

Fabrice DESCLAUX, Kostya KORTCHINSKY

8/74

Analysis of the login phase
Playing with Skype Traffic
Nice commands
Remote exploit

Arithmetic compression

Example

1] is splited in subintervals for each symbol according to

their frequency
First symbol is

. We subdivise its interval

Then comes

Then

again

Then

Each real enclosed into this small interval can encode

ACAB

0.5

0.625

Fabrice DESCLAUX, Kostya KORTCHINSKY

8/74

Analysis of the login phase
Playing with Skype Traffic
Nice commands
Remote exploit

Arithmetic compression

Example

1] is splited in subintervals for each symbol according to

their frequency
First symbol is

. We subdivise its interval

Then comes

Then

again

Then

Each real enclosed into this small interval can encode

ACAB

0.5

0.625

Fabrice DESCLAUX, Kostya KORTCHINSKY

8/74

Analysis of the login phase
Playing with Skype Traffic
Nice commands
Remote exploit

Arithmetic compression

Example

1] is splited in subintervals for each symbol according to

their frequency
First symbol is

. We subdivise its interval

Then comes

Then

again

Then

Each real enclosed into this small interval can encode

ACAB

0.5

0.625

Reals here encode ACAB

Fabrice DESCLAUX, Kostya KORTCHINSKY

8/74

Playing with Skype Traffic
Nice commands
Remote exploit

Trusted data

Embedded trusted data

In order to recognize Skype authority, the binary has 14 moduli.

Moduli

Two 4096 bits moduli

Nine 2048 bits moduli

Three 1536 bits moduli

RSA moduli example

0xba7463f3. . . c4aa7b63

. . .

0xc095de9e. . . 73df2ea7

Fabrice DESCLAUX, Kostya KORTCHINSKY

10/74

Playing with Skype Traffic
Nice commands
Remote exploit

Finding friends

Embedded data

For the very first connection, IP/PORT are stored in the binary

push

o f f s e t

a L i b C o n n e c t i o n L

; "* Lib / C o n n e c t i o n / L o g i n S e r v e r s "

push

o f f s e t

a 1 9 5 2 1 5 8 1 4 1 3

; "195 . 2 1 5 . 8 . 1 4 1 : 3 3 0 3 3 212 . 7 2 . 4 9 . 1 4 1

mov

ecx

e a x

c a l l

sub 7B8440

Supernodes

A list of 200 supernodes is hardcoded in the binary
It changes in every version and subversion of Skype

Fabrice DESCLAUX, Kostya KORTCHINSKY

11/74

Playing with Skype Traffic
Nice commands
Remote exploit

Phase 1: Key generation

Session parameters

When a client logs in, Skype will generate two 512 bits length
primes

This will give 1024 bits length RSA private/public keys
Those keys represent the user for the time of his connection

Or longer if the user chooses to save them

The client generates a symetric session key

Fabrice DESCLAUX, Kostya KORTCHINSKY

13/74

Playing with Skype Traffic
Nice commands
Remote exploit

Phase 2: Authentication

Key exchange

The client hashes its

nskyper

password

with MD5

The client ciphers its public modulus and the resulting hash
with

The client encrypts

using RSA with one of the trusted

Skype modulus

He sends the encrypted session key

and the ciphered data

to the login server

Fabrice DESCLAUX, Kostya KORTCHINSKY

14/74

Playing with Skype Traffic
Nice commands
Remote exploit

Phase 2: Authentication

\nskyper\n

Password

Skype modulus

RSA 1536 bits

Rand 192 bits

Session key

256 bits key

Shared secret

Hash (SHA160 based)

User modulus

Cipher (AES 256 based)

Encrypted session key

Encrypted shared secret

MD5

Fabrice DESCLAUX, Kostya KORTCHINSKY

15/74

Playing with Skype Traffic
Nice commands
Remote exploit

Phase 3: Running

Session behavior

If the hash of the password matches, the login associated with
the public key is dispatched to the supernodes

This information is signed by the Skype server

Note that private informations are signed by each user

Search for buddy

If you search for a login name, a supernode will send back his
couple

You receive the public key of the desired buddy

The whole packet is signed by a Skype modulus

Fabrice DESCLAUX, Kostya KORTCHINSKY

16/74

Playing with Skype Traffic
Nice commands
Remote exploit

Example of encrypted stuff

Public blob

|4bbbbbbb bbbbbbbb bbbbbbbb bbbbbbbb|

K...............

|bbba4104 0300

7265 63636137 37

000003|

..A...

recca77

...

|00040180 01

d3e860 164f8a1b 0a771e5b

.....

..‘.O...w.[

d74e1548 b96fa8bb 712167c9 0273003b

.N.H.o..q!g..s.;

e201d464 d92d2d13 073a6622 5aae2c28

...d.--..:f"Z.,(

f80640ff 40b9327e 98781fe5 9b6dadfa

..@.@.2~.x...m..

b7fbcbf7 84a4bf66 051682fc 4dadae53

.......f....M..S

3317c5bf 5be61f2f 7458a133 faa61731

3...[../tX.3...1

ed910a83 abc70cd1 cf7c2876 e23f60bc

.........|(v.¿.

667d0533 8ce755a8 c66e463b 6d60b13a

f}.3..U..nF;m‘.:

2d0a107c 29

00048c 849509

26 5fb26626

-..|)

......

&_.f&

4ea8968c 6a7a6d2c 97c78ae4 ed967f

bc|

N...jzm,.......

Fabrice DESCLAUX, Kostya KORTCHINSKY

17/74

Playing with Skype Traffic
Nice commands
Remote exploit

Phase 4: Communicating

Inter client session

Both clients’ public keys are exchanged
Those keys are signed by Skype authority
Each client sends a 8 bytes challenge to sign
Clients are then authenticated and can choose a session key

Some strings to guide you

’ s e s s i o n _ m a n a g e r : [%04 x ] remote party sent wrong i d e n t i t y ’

, 0

’ s e s s i o n _ m a n a g e r : [%04 x ] remote party failed c h a l l e n g e ’

, 0

’ s e s s i o n _ m a n a g e r : [%04 x ] missing c h a l l e n g e r e s p o n s e ’

, 0

’ s e s s i o n _ m a n a g e r : [%04 x ] remote UIC has expired ’

, 0

’ s e s s i o n _ m a n a g e r : [%04 x ] no e n c r y p t i o n key in reply ’

, 0

Fabrice DESCLAUX, Kostya KORTCHINSKY

18/74

Detecting Skype Traffic

TCP traffic

TCP stream begin with a 14 byte long payload

From which we can recover 10 bytes of RC4 stream

RC4 stream is used twice and we know 10 of the 14 first bytes

crypted stream 2

known cleartext

Seed

crypted stream 1

Fabrice DESCLAUX, Kostya KORTCHINSKY

21/74

Detecting Skype Traffic

TCP traffic

TCP stream begin with a 14 byte long payload

From which we can recover 10 bytes of RC4 stream

RC4 stream is used twice and we know 10 of the 14 first bytes

crypted stream 2

known cleartext

Seed

crypted stream 1

RC4 stream (10 bytes)

Fabrice DESCLAUX, Kostya KORTCHINSKY

21/74

Detecting Skype Traffic

TCP traffic

TCP stream begin with a 14 byte long payload

From which we can recover 10 bytes of RC4 stream

RC4 stream is used twice and we know 10 of the 14 first bytes

crypted stream 2

RC4 stream (10 bytes)

known cleartext

Seed

crypted stream 1

Recovered Skype traffic

Fabrice DESCLAUX, Kostya KORTCHINSKY

21/74

Detecting Skype Traffic

UDP traffic

Skype NAck packet characteristics

28+11=39 byte long packet

Function & 0x8f = 7

Bytes 31-34 are (one of) the public IP of the network

Skype SoF

7f 4e

0x7f4e

func

0x77

Skype NAck

52 7c 48 33

src

82.124.72.51

83 b0 86 56

dst

131.176.134.86

Fabrice DESCLAUX, Kostya KORTCHINSKY

22/74

Detecting Skype Traffic

Blocking UDP traffic

On the use of NAck packets. . .

The very first UDP packet received by a Skype client will be a
NAck

This packet is not crypted

This packet is used to set up the obfuscation layer

Skype can’t communicate on UDP without receiving this one

How to block Skype UDP traffic with one rule

i p t a b l e s

−

I FORWARD

−

p udp

−

m l e n g t h

−−

l e n g t h

−

m u32

−−

u32

’27&0

x 8 f

=7 ’

−−

u32

’31=0

x527c4833

’

−

j DROP

Fabrice DESCLAUX, Kostya KORTCHINSKY

23/74

How to generate traffic without the

seed to RC4 key engine

Get the RC4 key for a
given seed for once
Always use this key to
encrypt
Calculate the CRC stuff
Use

seed

⊕

crc

CRC32

\x00\x00

Destination IP

Source IP

seed

RC4 key

(128 bytes)

seed to RC4 key engine

Fabrice DESCLAUX, Kostya KORTCHINSKY

24/74

Compression
Analysis of the login phase
Playing with Skype Traffic

Firewall testing (a.k.a remote scan)

Let’s TCP ping Slashdot

>>>

send(IP(src="1.2.3.4",dst="172.16.72.19")/UDP(sport=1234,dport=1146)

/Skype_SoF(id=RandShort())/Skype_Enc()/Skype_Cmd(cmd=41, is_req=0,

is_b0=1, val=Skype_Encod(encod=0x41)/Skype_Objects_Set(objnb=1)

/Skype_Obj_INET(id=0x11, ip="slashdot.org", port=80)))

A TCP connect scan from the inside

>>>

send(IP(src="1.2.3.4",dst="172.16.72.19")/UDP(sport=1234,dport=1146)

/Skype_SoF(id=RandShort())/Skype_Enc()/Skype_Cmd(cmd=41, is_req=0,

is_b0=1, val=Skype_Encod(encod=0x41)/Skype_Objects_Set(objnb=1)

/Skype_Obj_INET(id=0x11, ip="172.16.72.1", port=(0,1024))))

A look for MS SQL from the inside

>>>

send(IP(src="1.2.3.4",dst="172.16.72.19")/UDP(sport=1234,dport=1146)

/Skype_SoF(id=RandShort())/Skype_Enc()/Skype_Cmd(cmd=41, is_req=0,

is_b0=1, val=Skype_Encod(encod=0x41)/Skype_Objects_Set(objnb=1)

/Skype_Obj_INET(id=0x11, ip="172.16.72.*", port=14 33)))

Fabrice DESCLAUX, Kostya KORTCHINSKY

26/74

Compression
Analysis of the login phase
Playing with Skype Traffic

Firewall testing (a.k.a remote scan)

Me:

Say hello to slashdot.org:80

IP 1.2.3.4.1234 > 172.16.72.19.1146: UDP, length: 24

Skype:

Yes, master

IP 172.16.72.19.1146 > 1.2.3.4.1234: UDP, length: 11

Skype:

Hello! (in UDP)

IP 172.16.72.19.1146 > 66.35.250.151.80: UDP, length: 20

Skype:

connecting to slashdot in TCP

IP 172.16.72.19.3776 > 66.35.250.151.80: S 0:0(0)
IP 66.35.250.151.80 > 172.16.72.19.3776: S 0:1(0) ack 0
IP 172.16.72.19.3776 > 66.35.250.151.80: . ack 1

Skype:

Hello! (in TCP). Do you speak Skype ?

IP 172.16.72.19.3776 > 66.35.250.151.80: P 1:15(14) ack 1
IP 66.35.250.151.80 > 172.16.72.19.3776: . ack 15

Skype:

Mmmh, no. Goodbye.

IP 172.16.72.19.3776 > 66.35.250.151.80: F 15:15(0) ack 1
IP 66.35.250.151.80 > 172.16.72.19.3776: F 1:1(0) ack 16

Fabrice DESCLAUX, Kostya KORTCHINSKY

27/74

Compression
Analysis of the login phase
Playing with Skype Traffic

Skype Network

Supernodes

Each skype client can relay communications to help
unfortunates behind a firewall

When a skype client has a good score (bandwidth+no
firewall+good cpu) he can be promoted to supernode

Slots and blocks

Supernodes are grouped by slots

You usually find 9 or 10 supernodes by slot

You have 8 slots per block

Fabrice DESCLAUX, Kostya KORTCHINSKY

28/74

Compression
Analysis of the login phase
Playing with Skype Traffic

Who are the supernodes ?

Just ask

Each supernode knows almost all other supernodes

This command actually ask for at most 100 supernodes from
slot 201

>>>

sr1(IP(dst="67.172.146.158")/UDP(sport=31337,dport=4344)/Skype_SoF(

id=RandShort())/Skype_Enc()/Skype_Cmd(cmd=6, reqid=RandShort(),
val=Skype_Encod(encod=0x41)/Skype_Objects_Set(objnb=2)

/Skype_Obj_Num(id=0,val=201)/Skype_Obj_Num(id=5,val=100)))

Nowadays there are

∼

2050 slots

That means

∼

supernodes in the world

Fabrice DESCLAUX, Kostya KORTCHINSKY

29/74

Compression
Analysis of the login phase
Playing with Skype Traffic
Nice commands

Object lists

An object can be a number, a
string, an IP:port, or even another
object list

Each object has an ID

Skype knows which object
corresponds to which command’s
parameter from its ID

Object List

List size

Number

IP:port

List of numbers

String

RSA key

Fabrice DESCLAUX, Kostya KORTCHINSKY

32/74

Compression
Analysis of the login phase
Playing with Skype Traffic
Nice commands

Space allocation

Algorithm

l e a

ecx

, [

e s p

a r g 4

]

push

e c x

c a l l

g e t u i n t

add

esp

, 0

t e s t

a l

j z

p a r s e e n d

mov

edx

, [

e s p

a r g 4

]

l e a

eax

d s

: 0 [

edx

∗

4 ]

push

e a x

mov

[

e s i

+10

] ,

e a x

c a l l

L o c a l A l l o c

mov

ecx

, [

e s p

a r g 4

]

mov

[

e s i

] ,

e a x

Read an unsigned int

NUM

from the packet

This integer is the number
of unsigned int to read next

malloc

NUM

for storing

those data

Fabrice DESCLAUX, Kostya KORTCHINSKY

33/74

Compression
Analysis of the login phase
Playing with Skype Traffic
Nice commands

Data reading

Algorithm

r e a d i n t l o o p

push

ebx

push

e d i

push

ebp

c a l l

g e t u i n t

add

esp

, 0

t e s t

a l

j z

p a r s e e n d

mov

eax

, [

e s p

a r g 4

]

i n c

e s i

add

ebp

, 4

cmp

e s i

e a x

j b

r e a d i n t l o o p

For each

NUM

we read an

unsigned int

And we store it in the array
freshly allocated

Fabrice DESCLAUX, Kostya KORTCHINSKY

34/74

Compression
Analysis of the login phase
Playing with Skype Traffic
Nice commands

Heap overflow

How to exploit that?

NUM

= 0

80000001

The multiplication by 4 will overflow :

80000001

∗

4 = 0

00000004

So Skype will allocate 0x00000004 bytes

But it will read

NUM

integers

⇒

Skype will overflow the heap

Fabrice DESCLAUX, Kostya KORTCHINSKY

35/74

Compression
Analysis of the login phase
Playing with Skype Traffic
Nice commands

Exploiting

Reliability

In theory, exploiting a heap on Windows XP SP2 is not very
stable

But Skype has some Oriented Object parts

It has some structures with functions pointers in the heap

If the allocation of the heap is close from this structure, the
overflow can smash function pointers

And those functions are often called

⇒

Even on XP SP2, the exploit is possible

Fabrice DESCLAUX, Kostya KORTCHINSKY

36/74

Compression
Analysis of the login phase
Playing with Skype Traffic
Nice commands

Remote code execution

Loving OOP

Here is the code responsible for the function pointer call

push

e s i

push

e d i

l e a

ecx

, [

ebx

e a x

]

c a l l

ebp

mov

eax

, [

e c x

]

jmp

dword p t r

[

e a x

+8]

Fabrice DESCLAUX, Kostya KORTCHINSKY

37/74

Compression
Analysis of the login phase
Playing with Skype Traffic
Nice commands

Skype patch

Code

cmp

e d i

, 3

FFFFFFFh

j b e

s h o r t

l o c 7 2 F 5 2 B

push

o f f s e t

a A l i s t S e t s i z e A l

; " a l i s t :: S e t S i z e (): a l l o c size o v e

About the patch

The same piece of code is present about 60 times

Each time a comparison with 0x3FFFFFFF is done

Sometimes, the register is not multiplied by 4, but by 5 or
more

Fabrice DESCLAUX, Kostya KORTCHINSKY

38/74

Chat filtering

Chinese censorship

TOM-Skype and eBay.cn-Skype censor

incoming

text

messages on behalf of the Chinese government
Both versions are shipped with a

ContentFilter.exe

binary

It is a plugin that is verified and loaded automatically by
Skype
Words are matched against an encrypted list of simplified
chinese expressions

Undocumented API

A filtering API is activated in those Skype versions

FILTERING ON

will start a message redirection mechanism

FILTER n OK

FILTER n BLOCK

will allow or block a

message submitted to the filtering plugin

Fabrice DESCLAUX, Kostya KORTCHINSKY

40/74

Hiding behind Skype

AP2AP

An interesting feature of the API is the

Application to Application

protocol, which allows two applications to communicate through
Skype

They benefit from Skype NAT and Proxy bypassing abilities
The data is encrypted by Skype itself
The remote endpoint is only identified by a login and not an
IP address

Uses

Exfiltration
Discrete remote control of the machine
File transfers
Network connections tunneling

Fabrice DESCLAUX, Kostya KORTCHINSKY

42/74

Easter eggs
Debug logs
Plugins
Chinese Blacklist

Randomness

Random number generator (1/2)

Code

u n s i g n e d

i n t 6 4 Skype 8ByteRandom

(

v o i d

)

{

BYTE p b B u f f e r

[ 1 1 2 4 ] ;

SHA1 CTX SHA1Context

;

memcpy

p b B u f f e r

[ 1 6 ] ,

Skype RandomSeed

SHA1 DIGLEN

) ;

G l o b a l M e m o r y S t a t u s

( (

LPMEMORYSTATUS

)(&

p b B u f f e r

[ 3 6 ] ) ) ;

U u i d C r e a t e

( (

UUID

∗

)(&

p b B u f f e r

[ 6 4 ] ) ) ;

G e t C u r s o r P o s

( (

LPPOINT

)(&

p b B u f f e r

[ 7 6 ] ) ) ;

∗

(

DWORD

∗

)(&

p b B u f f e r

[ 8 0 ] ) =

G e t T i c k C o u n t

( ) ;

∗

(

DWORD

∗

)(&

p b B u f f e r

[ 8 4 ] ) =

GetMessageTime

( ) ;

∗

(

DWORD

∗

)(&

p b B u f f e r

[ 8 8 ] ) =

G e t C u r r e n t T h r e a d I d

( ) ;

∗

(

DWORD

∗

)(&

p b B u f f e r

[ 9 2 ] ) =

G e t C u r r e n t P r o c e s s I d

( ) ;

Q u e r y P e r f o r m a n c e C o u n t e r

( (

LARGE INTEGER

∗

)(&

p b B u f f e r

[ 9 6 ] ) ) ;

S H A 1 I n i t

SHA1Context

) ;

SHA1 Update

SHA1Context

, &

p b B u f f e r

[ 0 ] , 1 1 2 4 ) ;

SHA1 Update

SHA1Context

" a d d i t i o n a l salt ... "

, 1 9 ) ;

S H A 1 F i n a l

(

Skype RandomSeed

, &

SHA1Context

) ;

r e t u r n

Skype 8ByteSHA1

p b B u f f e r

[ 0 ] , 1 1 2 4 ) ;

}

Fabrice DESCLAUX, Kostya KORTCHINSKY

45/74

Easter eggs
Debug logs
Plugins
Chinese Blacklist

Randomness

Random number generator (2/2)

Code

s t a t i c

BYTE Skype RandomSeed

[

SHA1 DIGLEN

] ;

u n s i g n e d

i n t 6 4 Skype 8ByteSHA1

(

BYTE

∗

pbData

DWORD dwLength

)

{

SHA1 CTX SHA1Context

;

BYTE pbHash

[

SHA1 DIGLEN

] ;

S H A 1 I n i t

SHA1Context

) ;

SHA1 Update

SHA1Context

, &

pbData

[ 0 ] ,

dwLength

) ;

S H A 1 F i n a l

(

pbHash

, &

SHA1Context

) ;

r e t u r n

∗

(

u n s i g n e d

i n t 6 4

∗

)(&

pbHash

[ 0 ] ) ;

}

My 2 cents

The random number generator implementation is quite strong,
thus giving a good base to all the overlying cryptography
Surprisingly, some parts of the structures used are overwritten

Fabrice DESCLAUX, Kostya KORTCHINSKY

46/74

Eggy

Easter egg in the chat module

Removed in version 2.0.0.103 and later

Skype people do read our slides !

Triggered by a command in a chat window

/eggy <secret>

Decrypts and displays one of two texts given

if (length == 6 && crc32 == 0xb836ac79)

if (length == 14 && crc32 == 0x0407aac1)

Decryption algorithm

f o r

(

= 0 ,

= 0 ;

(

s t r l e n

(

s z I n p u t

)

1 ) ;

++)

{

s z O u t p u t

[

] = ( (

s z I n p u t

[ (

1 ) + 1 ]

4 )

(

s z I n p u t

[

1 ] & 0

x b f

) ) ˆ

szKey

[

s t r l e n

(

szKey

) ] ;

ˆ=

s z O u t p u t

[

] ;

}

Fabrice DESCLAUX, Kostya KORTCHINSKY

48/74

Breaking the egg

Dictionnary and bruteforce attack

Based on length and crc32 values

Decrypted text will allow to settle in the event of collisions

secret found :

prayer

Cryptanalysis

Model the cipher like a usual one time pad with a known key
length

′

⊕

−

with

′

⊕

−

with

′

Carry on with a usual statistical cryptanalysis attack

secret found :

indrek@mare.ee

Fabrice DESCLAUX, Kostya KORTCHINSKY

49/74

Example

Crypted text

MCBEMCK@LF@ADENA@FBAHFND@FBANCKEDCJDDCDEKAFANFEAGFL
@NB@DHCJEBBJELBNDEDOALGMAAFCDFFA@NGIELCLDKGFBFFBCND
HCO@GBD@EFMAFCLAIFFAMGCCLFCAABLCNCKAOGA@CFB@DCNFA@D
DM@CGE@BCAEKBBAIBGAMCF@ACLDCAGEGCHDOGEEBGKAAFC@FCI@

Key

indrek@mare.ee

Decrypted text

The programmer behind the internal workings of Skype chat,
cheers! Indrek Mandre (1979 - still alive?)

Fabrice DESCLAUX, Kostya KORTCHINSKY

50/74

Example

Crypted text

Key

indrek@mare.ee

Decrypted text

The programmer behind the internal workings of Skype chat,
cheers! Indrek Mandre (1979 - still alive?)

Fabrice DESCLAUX, Kostya KORTCHINSKY

50/74

Example

Crypted text

Key

indrek@mare.ee

Decrypted text

The programmer behind the internal workings of Skype chat,
cheers! Indrek Mandre (1979 - still alive?)

Fabrice DESCLAUX, Kostya KORTCHINSKY

50/74

Logs

Debug logs

Skype can generate debug logs if some registry keys are set to
the correct values in

HKCU

Software

Skype

Phone

General

Logging

for encrypted log files

Logging2

for clear text log files

Only the MD5 hashes of the correct values appear in the
Windows binary

Enabling logs

Patch the binary

One needs to get rid of all the integrity checks first

Recover the correct values, which are out of bruteforcing range

Fabrice DESCLAUX, Kostya KORTCHINSKY

52/74

Log encryption

Cipher

Skype generates a 128 bit RC4 key to encrypt logs on the fly

It is formated, then encrypted using a 1024 bit RSA public key
(

e = 3

), and stored at the beginning of the log file

Encrypted data format

’BLOG’

0x00000002

time(NULL)

0x01000000

0x00000000

128 bit RC4 key

...

Fabrice DESCLAUX, Kostya KORTCHINSKY

53/74

RC4 key

Key format

time(NULL)

GetTickCount()

* 1000

Recovering the key

The clear text log file format is known

The log file name already contains the year, month and day
The only things remaining are

The seconds (0 to 59)
The value of

GetTickCount()

(usually

)

If Skype is automatically launched at Windows startup,
recovery is instantaneous

Fabrice DESCLAUX, Kostya KORTCHINSKY

54/74

RC4 key

Key format

time(NULL)

GetTickCount()

* 1000

Recovering the key

The clear text log file format is known

The log file name already contains the year, month and day
The only things remaining are

The seconds (0 to 59)
The value of

GetTickCount()

(usually

)

If Skype is automatically launched at Windows startup,
recovery is instantaneous

Fabrice DESCLAUX, Kostya KORTCHINSKY

54/74

Traces

Trace file

Skype voice engine can generate encrypted trace files if

Logging

and

Logging2

are set

Encryption is much simpler, a basic XOR with a 31 byte key

Decryption algorithm

f o r

(

= 0 ,

= 0 ;

s t r l e n

(

p B u f f e r

) ;

++,

= (

+ 1 ) % 3 1 )

{

i f

(

p B u f f e r

[

] == 1 )

{

p B u f f e r

[

] = ( 1 2 7

−

p B u f f e r

[

+ 1 ] ) ˆ

pXORTable

[

] ;

++;

}

e l s e

i f

(

p B u f f e r

[

] == 2 )

{

p B u f f e r

[

] =

p B u f f e r

[

+ 1 ] ;

++;

}

e l s e

p B u f f e r

[

] =

p B u f f e r

[

] ˆ

pXORTable

[

] ;

}

p B u f f e r

[

] =

’ \0 ’

;

Fabrice DESCLAUX, Kostya KORTCHINSKY

56/74

Some things you can find in logs

Stack dumps

11:35:40 Mutex::Acquire: possible deadlock. Stack dump:
11:35:40 0012fb8c: 00aebaa4 02057030 001e1d63 0012fc54 0074861b 0012fb8c 0012fd8c
11:35:40 0012fbac: 02057030 001e1d63 0012fc00 009eb048 ffffffff 0072fa98 0000003a
11:35:40 0012fbcc: 0012fbe4 03ce2540 007274ad 000000f5 0012fbe4 0043d7e8 00000000
...

Assert failures

10:21:38 Call #2: StartPlayout (1 1)
10:21:38 Call #2: setting audio bandwidth to 2625 pkt 60ms
10:21:38 ASSERTFAILURE(Channel && VE->EngineInited && Recording) in D:\Src\GI\Skyper\VoiceEngine\VoiceEngine.cpp(463)

Fabrice DESCLAUX, Kostya KORTCHINSKY

57/74

Randomness
Easter eggs
Debug logs

Plugins

Chinese Blacklist

Plugin ”signing”

Skype plugins ACL

Skype implements an ACL-like system to allow or disallow
plugins to attach themselves to a runnning instance
A plugin ”signature” is added to the configuration file based
on the user reply to a warning dialog

Example entry

A c c e s s C o n t r o l L i s t

C l i e n t 1

Key1

623

d f 1 2 b 1 3 d 8 d e a 5 e 3 2 e a 1 f 8 4 6 7 f 3 d 2 f 0 4 0 f 6 6 2 d 0 e 6 0 4 0 3 2 a 0 8 c c a 9 c d 2 4 3

Key2

31823

a 7 3 a 6 3 c 3 8 a 2 e 7 e a d 0 a 2 4 0 8 a 7 f 2 a

/ Key2

Key3

263594

/ Key3

Path

Skype

P l u g i n s

p l u g i n m a s t e r

e x e

/ Path

/ C l i e n t 1

/ A c c e s s C o n t r o l L i s t

Fabrice DESCLAUX, Kostya KORTCHINSKY

59/74

Randomness
Easter eggs
Debug logs

Plugins

Chinese Blacklist

”Signing” plugins

Hashes to hashes

The ”signature” mechanism is just about MD5 hashes of the
full path, the binary, and the ACL specified by the user

Nothing much can stop us from writing our own and add it to
the configuration file !

Pseudo-code (

’.’ is concatenation

)

s z S a l t

" Element ’ ry ! p e n g u i N s ; -) S i n g i n g H a r e K r i s h n a _ "

szKey1

S t r

(

Md5

(

S t r

(

Md5

(

Upr

(

s z P a t h

) .

s z S a l t

) ) ) )

S t r

(

Md5

(

S t r

(

Md5

(

p B i n a r y

) ) .

s z S a l t

) )

szKey2

S t r

(

Md5

(

" Per "

Upr

(

s z P a t h

) .

" mit "

) )

szKey3

" 0 "

// Last HWND of the p l u g i n

Fabrice DESCLAUX, Kostya KORTCHINSKY

61/74

Randomness
Easter eggs
Debug logs
Plugins

Chinese Blacklist

Encrypted blacklist

Keyfile

On startup, TOM-Skype

ContentFilter.exe

fetches an

encrypted keywords list file at

http://skypetools.tom.com/agent/keyfile

Each line is an AES encrypted regular expression
A 32 character key is hardcoded in unicode in the binary

Only the 1

32 bytes are used

Extract

[\.*\ \,*\;]*t[\.*\ \,*\;]*e[\.*\ \,*\;]*s[\.*\ \,*\;]*t[\.*\ \,*\;]*i[\.*\ \,*\;]*n[\.*\
[\.*\ \,*\;]*f[\.*\ \,*\;]*u[\.*\ \,*\;]*c[\.*\ \,*\;]*k[\.*\ \,*\;]*
[\.*\ \,*\;]*6[\.*\ \,*\;]*2[\.*\ \,*\;]*7[\.*\ \,*\;]*9[\.*\ \,*\;]*7[\.*\ \,*\;]*0[\.*\

Fabrice DESCLAUX, Kostya KORTCHINSKY

63/74

http://citeseer.ist.psu.edu/boneh00why.html

Session half key exchange

How does it work ?

Each peer generates a 128 bit random nonce, extends it to
1024 bits by repeating it
The extend nonce is encrypted using the RSA public key of
the other peer
Each peer decrypts the received data and computes 128 bits
of the 256 bit AES session key

Some maths

= 1 + 2

128

+ 2

256

+ 2

384

+ 2

512

+ 2

640

+ 2

768

+ 2

896

∗

and

′

mod

, so

′

∗

mod

′′

mod

with

′′

′

∗

−

mod

The ”weakness”

Best known attack is in 2

NSA can probably do better

Fabrice DESCLAUX, Kostya KORTCHINSKY

65/74

Saved credentials

What does Skype save ?

If told to, Skype will save in the

config.xml

file

The login MD5 hash (

username

nskyper

password

)

The generated RSA

private

key

The Skype encrypted corresponding RSA public key

Everything is heavily encrypted, but in a symmetric way :)
The following algorithms are used

CryptProtectData()

CryptUnprotectData()

SHA-1
AES-256
”FastTrack cipher”
1024+ bit RSA

Fabrice DESCLAUX, Kostya KORTCHINSKY

67/74

Decrypting the credentials 1/2

Recovering the AES 256 bit key

Unprotect the token from

HKCU

Software

Skype

ProtectedStorage

Use incremental counter mode SHA-1 to create a 32 byte key
from the token

Decrypting the 1

layer

Use icremental counter mode AES to decrypt the credentials

is now decrypted

Decrypting the 2

layer

Use the login MD5 hash as key for the ”FastTrack cipher”
Decrypt the rest of credentials data

RSA private key

is now decrypted

Fabrice DESCLAUX, Kostya KORTCHINSKY

69/74

Decrypting the credentials 2/2

Decrypting the 3

layer

Use the correct Skype public key to decrypt the remaining
RSA block

RSA public key

is now decrypted

Graphical summary

AES encrypted

data

MD5 hash

"FastTrack cipher"

encrypted data

RSA private key

MD5 hash

RSA encrypted

data

RSA private key

RSA public key

MD5 hash

Fabrice DESCLAUX, Kostya KORTCHINSKY

70/74

Saved credentials usage

Skype password recovery

Dictionnary attack
Bruteforce attack

RSA private key

Sniffed session half key recovery

Decrypt the 128 bit random nonce exchanged
Compute half of the AES-256 session key

Complete sniffed session key recovery

If both RSA private keys are recovered

⇒

Sniffed conversation decryption

Fabrice DESCLAUX, Kostya KORTCHINSKY

71/74

Auditing a software

Auditing a binary in its complete form is much more accurate
that auditing a portion of the sources

Skype, Inc. clearly doesn’t tell you everything

Skype v2.5

The developpers have silently modified the behaviour of Skype
carefully following the BlackHat talk points

Most of the sensitive commands are now TCP only
Some

very

sensitive commands are only accepted when coming

from the currently-connected-to supernode only
Some features have simply been trashed

Fabrice DESCLAUX, Kostya KORTCHINSKY