Embed Size (px)
Citation preview
8/8/2019 EADS-CCR Fabrice Skype
http://slidepdf.com/reader/full/eads-ccr-fabrice-skype 1/23
IntroductionSkype analysis
Enforcing anti-Skype policies
Skype uncoveredSecurity study of Skype
Desclaux Fabrice1
1EADS CCR/STI/C
Desclaux Fabrice Skype uncovered
8/8/2019 EADS-CCR Fabrice Skype
http://slidepdf.com/reader/full/eads-ccr-fabrice-skype 2/23
IntroductionSkype analysis
Enforcing anti-Skype policiesShould we be afraid of Skype ?
1 IntroductionShould we be afraid of Skype ?
2 Skype analysis
BinaryNetwork - ProtocolSkype Authentication
3
Enforcing anti-Skype policiesSkype detection
Desclaux Fabrice Skype uncovered
8/8/2019 EADS-CCR Fabrice Skype
http://slidepdf.com/reader/full/eads-ccr-fabrice-skype 3/23
IntroductionSkype analysis
Enforcing anti-Skype policiesShould we be afraid of Skype ?
Quick overview of Skype
End-user view
Perfect VoIP software with good quality sound
Ease of use and working everywhere and with every OS
Network administrator view
Skype bypasses Firewalls, Nat, Proxies
It uses P2P technologies
Skype traffic cannot be isolated and is suspiciousIn a nutshell, the perfect backdoor
Desclaux Fabrice Skype uncovered
8/8/2019 EADS-CCR Fabrice Skype
http://slidepdf.com/reader/full/eads-ccr-fabrice-skype 4/23
IntroductionSkype analysis
Enforcing anti-Skype policiesShould we be afraid of Skype ?
Why is Skype seen so suspicious ?
The Binary
Big size (about 12Mo)
strings doesn’t reveal interesting things
Few functions in the binary import table
The binary doesn’t want to launch if the Soft-ice debugger is present
The network
Protocol is proprietary and not obvious to observe
The number of boxes contacted by a client is very important
Conclusion
=⇒ Skype is a total black box.
Desclaux Fabrice Skype uncovered
I t d ti Bi
8/8/2019 EADS-CCR Fabrice Skype
http://slidepdf.com/reader/full/eads-ccr-fabrice-skype 5/23
IntroductionSkype analysis
Enforcing anti-Skype policies
BinaryNetwork - ProtocolSkype Authentication
1 IntroductionShould we be afraid of Skype ?
2 Skype analysis
BinaryNetwork - ProtocolSkype Authentication
3
Enforcing anti-Skype policiesSkype detection
Desclaux Fabrice Skype uncovered
Introduction Binary
8/8/2019 EADS-CCR Fabrice Skype
http://slidepdf.com/reader/full/eads-ccr-fabrice-skype 6/23
IntroductionSkype analysis
Enforcing anti-Skype policies
BinaryNetwork - ProtocolSkype Authentication
Binary analysis : Encryption
Encryption layers
Some parts of the binary are xored by a hard-coded key in the code
In memory, Skype is fully decrypted
Desclaux Fabrice Skype uncovered
Introduction Binary
8/8/2019 EADS-CCR Fabrice Skype
http://slidepdf.com/reader/full/eads-ccr-fabrice-skype 7/23
IntroductionSkype analysis
Enforcing anti-Skype policies
BinaryNetwork - ProtocolSkype Authentication
Binary protection : Anti debuggers
Anti Softice
Some tests are done in order to detect the Softice debugger
First tests are easy to detect
The others are hidden in the binary
Desclaux Fabrice Skype uncovered
Introduction Binary
8/8/2019 EADS-CCR Fabrice Skype
http://slidepdf.com/reader/full/eads-ccr-fabrice-skype 8/23
IntroductionSkype analysis
Enforcing anti-Skype policies
BinaryNetwork - ProtocolSkype Authentication
Binary protection : Anti debuggers
ExampleFirst Softice test
mov eax , o f f s e t s t r S i w v i d ; " \ \\ \ . \ \ S i w vi d "
c a l l t e s t d r i v e rt e s t a l , a l
Example
Hidden test : It checks if Softice is not in the Driver list.
c a l l E n u m D e v i c e D r i v e r s. . .c a l l G etD eviceD riverB a seN a meA
. . .cmp eax , ’ntic’ j n z n e x tcmp ebx , ’e.sy’
j n z n e x tcmp ecx , ’s\x00\x00\x00’ j n z n e x t
Desclaux Fabrice Skype uncovered
Introduction Binary
8/8/2019 EADS-CCR Fabrice Skype
http://slidepdf.com/reader/full/eads-ccr-fabrice-skype 9/23
IntroductionSkype analysis
Enforcing anti-Skype policies
BinaryNetwork - ProtocolSkype Authentication
Binary protection : Import functions
Hidden importsIn a common binary, imported libraries and functions are describedin a structure
In Skype only some functions are present
The other part is dynamically loaded after decryption
=⇒This prevent disassemblers from watching interesting functions
Example
Libraries used in hidden imports : Number of total hidden imports :
KERNEL32.dllWINMM.dllWS2 32.dll 169/843RPCRT4.dll...
Desclaux Fabrice Skype uncovered
Introduction Binary
8/8/2019 EADS-CCR Fabrice Skype
http://slidepdf.com/reader/full/eads-ccr-fabrice-skype 10/23
Skype analysisEnforcing anti-Skype policies
yNetwork - ProtocolSkype Authentication
Binary analysis : Integrity
Multiple checksums
Skype checks its own integrity by implementing thousands of codecheckers. If a software breakpoint is installed, or a modification is done inthe binary, Skype will stop/crash randomly.
Desclaux Fabrice Skype uncovered
Introduction Binary
8/8/2019 EADS-CCR Fabrice Skype
http://slidepdf.com/reader/full/eads-ccr-fabrice-skype 11/23
Skype analysisEnforcing anti-Skype policies
Network - ProtocolSkype Authentication
Binary analysis : Obfuscation
Code obfuscation
Some parts of the binary are obfuscated. This may be used in orderto avoid Skype light remakes
The next code represents a code checker that is generated to avoidbeing detected by IDA
Pointers are calculated, junk code is inserted in the real code
Desclaux Fabrice Skype uncovered
IntroductionSk l i
BinaryN k P l
8/8/2019 EADS-CCR Fabrice Skype
http://slidepdf.com/reader/full/eads-ccr-fabrice-skype 12/23
Skype analysisEnforcing anti-Skype policies
Network - ProtocolSkype Authentication
s t a r t :x o r e d i , e d i
add e d i , Ox688E5Cmov eax , Ox320E83x o r eax , Ox1C4C4mov ebx , e a xadd ebx , OxFFCC5AFD
l o o p s t a r t :mov ecx , [ e d i+Ox10 ] jmp l b l 1
db Ox19l b l 1 :su b eax , e c xsu b e d i , 1dec ebx j n z l o o p s t a r t jmp l b l 2db Ox73
l b l 2 : jmp l b l 3dd OxC8528417 , OxD8FBBD1 , OxA36CFB2F , OxE8D6E4B7 , OxC0B8797Adb Ox61 , OxBD
l b l 3 :su b eax , Ox4C49F346
Desclaux Fabrice Skype uncovered
IntroductionSk l i
BinaryN t k P t l
8/8/2019 EADS-CCR Fabrice Skype
http://slidepdf.com/reader/full/eads-ccr-fabrice-skype 13/23
Skype analysisEnforcing anti-Skype policies
Network - ProtocolSkype Authentication
1 IntroductionShould we be afraid of Skype ?
2 Skype analysis
BinaryNetwork - ProtocolSkype Authentication
3 Enforcing anti-Skype policiesSkype detection
Desclaux Fabrice Skype uncovered
IntroductionSkype analysis
BinaryNetwork Protocol
8/8/2019 EADS-CCR Fabrice Skype
http://slidepdf.com/reader/full/eads-ccr-fabrice-skype 14/23
Skype analysisEnforcing anti-Skype policies
Network - ProtocolSkype Authentication
Protocol analysis
Indication PacketsMost packets are compounded in two parts :
A clear header
A ciphered payload. The payload is ciphered with a RC4 stream
Signalling Packets
The RC4 is only used to obfuscate the packet payload
That’s why a simple tcpdump doesn’t reveal interesting things
RC4 key can be recovered from the packet (UDP)
VoIP Packets
This encryption is different. Skype uses AES and only the sender/receivercan decrypt them. This is not a simple obfuscation.
Desclaux Fabrice Skype uncovered
IntroductionSkype analysis
BinaryNetwork Protocol
8/8/2019 EADS-CCR Fabrice Skype
http://slidepdf.com/reader/full/eads-ccr-fabrice-skype 15/23
Skype analysisEnforcing anti-Skype policies
Network - ProtocolSkype Authentication
Packet dissection
IPversion 4L
45
ihl 5L
00
tos 0x0
00 49
len 73
24 48
id 9288flags
00 00
frag 0L
80
ttl 128
11
proto UDP
46 2d
chksum 0x462d
ac 10 0d 0d
src 172.16.13.13
5 4 1 e c 2 f 3
dst 84.30.194.243options ”
UDP
9f e8
sport 40936
08 5e
dport 2142
00 35
len 53
18 cd
chksum 0x18cd
Skype SoF
18 e9
id 0x18e9
02
func 0x2
Skype Crypted Data
b5
e0 6d 9d
iv 0xB5E06D9DL
8e 15 45 b5
crc32 0x8E1545B5L
53 7 b b 5 9 9 0 8 61 9 a b e 8 e
e 1 4 2 8 3 b b 4 4 a 5 e 4 f d 7 5 b 1 f 2 e 3 f c a 9 9b d c
e b 6 0 a 4 e 4 00 5 6 7 4 c d 4 1
crypted ’S..xb5.x99.x08a.x[... ]
Desclaux Fabrice Skype uncovered
IntroductionSkype analysis
BinaryNetwork - Protocol
8/8/2019 EADS-CCR Fabrice Skype
http://slidepdf.com/reader/full/eads-ccr-fabrice-skype 16/23
Skype analysisEnforcing anti-Skype policies
Network ProtocolSkype Authentication
UDP packet deciphering
The RC4 key is generated using src/dst IP plus packet ID.
The clear payload is composed by objects containers, in which dataare stored.
Those data will be received by an object manager.
Desclaux Fabrice Skype uncovered
IntroductionSkype analysis
BinaryNetwork - Protocol
8/8/2019 EADS-CCR Fabrice Skype
http://slidepdf.com/reader/full/eads-ccr-fabrice-skype 17/23
S ype a a ys sEnforcing anti-Skype policies
et o otocoSkype Authentication
1 IntroductionShould we be afraid of Skype ?
2 Skype analysis
BinaryNetwork - ProtocolSkype Authentication
3 Enforcing anti-Skype policiesSkype detection
Desclaux Fabrice Skype uncovered
IntroductionSkype analysis
BinaryNetwork - Protocol
8/8/2019 EADS-CCR Fabrice Skype
http://slidepdf.com/reader/full/eads-ccr-fabrice-skype 18/23
yp yEnforcing anti-Skype policies Skype Authentication
Client authentication
Authority public key
13 trusted moduli (RSA). Size is between 1536 and 2048 bits.
Client public key
Each client generates its private/public key (RSA 1024 bits) at login
time. It’s a session RSA keyA secret is shared between clients and the authority : the hashedpassword
Login mechanism
The client generates a session keyEncrypts the shared secret with it
Then encrypts the session key with RSA (using a trusted modulus)
If the authority passes the test, it signs the couple login/public keyand sends it to Supernodes
Desclaux Fabrice Skype uncovered
IntroductionSkype analysis
BinaryNetwork - Protocol
8/8/2019 EADS-CCR Fabrice Skype
http://slidepdf.com/reader/full/eads-ccr-fabrice-skype 19/23
Enforcing anti-Skype policies Skype Authentication
Client authentication
Desclaux Fabrice Skype uncovered
IntroductionSkype analysis
E f i i Sk li iSkype detection
8/8/2019 EADS-CCR Fabrice Skype
http://slidepdf.com/reader/full/eads-ccr-fabrice-skype 20/23
Enforcing anti-Skype policies
1 IntroductionShould we be afraid of Skype ?
2 Skype analysis
BinaryNetwork - ProtocolSkype Authentication
3 Enforcing anti-Skype policiesSkype detection
Desclaux Fabrice Skype uncovered
IntroductionSkype analysis
E f i ti Sk li iSkype detection
8/8/2019 EADS-CCR Fabrice Skype
http://slidepdf.com/reader/full/eads-ccr-fabrice-skype 21/23
Enforcing anti-Skype policies
Skype detection
TCP Skype packet detection
When a TCP session is established :
Each machine sends its seed key to the other
This seed will be used to generate a continues RC4 stream
Except for the two first packets
=⇒This can be used to detect Skype connection by deciphering TCPpacket without using internal decryption mechanism.
Desclaux Fabrice Skype uncovered
IntroductionSkype analysis
Enforcing anti Skype policiesSkype detection
8/8/2019 EADS-CCR Fabrice Skype
http://slidepdf.com/reader/full/eads-ccr-fabrice-skype 22/23
Enforcing anti-Skype policies
Skype TCP packet detection
Desclaux Fabrice Skype uncovered
IntroductionSkype analysis
Enforcing anti Skype policiesSkype detection
8/8/2019 EADS-CCR Fabrice Skype
http://slidepdf.com/reader/full/eads-ccr-fabrice-skype 23/23
Enforcing anti-Skype policies
Conclusion
Proprietary protocol
Proprietary and obfuscated protocols don’t prevent flaws
It can only slow down the exploitation of it
Worse, it may protect a 0-day
http://seclists.org/lists/fulldisclosure/2005/Oct/0533.html
http://www.skype.com/security/skype-sb-2005-03.html
Questions ?
Desclaux Fabrice Skype uncovered
