Document Title: =============== Skype v8.x - History Export v7 Web Vulnerability Date: ===== 2019-11-22 References: =========== https://www.vulnerability-lab.com/get_content.php?id=2187 Vulnerability Magazine: https://www.vulnerability-db.com/?q=articles/2019/08/11/skype MSRC: VULN-007910 VL-ID: ===== 2187 Common Vulnerability Scoring System: ==================================== 4.3 Vulnerability Class: ==================== Script Code Injection Introduction: ============= Skype is a telecommunications application that specializes in providing video chat and voice calls between computers, tablets, mobile devices, the Xbox One console, and smartwatches via the Internet. Skype also provides instant messaging services. Users may transmit text, video, audio and images. Skype allows video conference calls. At the end of 2010, there were over 660 million worldwide users, with over 300 million estimated active each month as of August 2015. At one point in February 2012, there were 34 million users concurrently online on Skype. (Copy of the Homepage: https://en.wikipedia.org/wiki/Skype ) Abstract: ========= The vulnerability laboratory core research team discovered a persistent vulnerability in skype v8.49.0.49 and older versions. Report-Timeline: ================ 2019-11-22: Public Disclosure (Vulnerability Laboratory) Status: ======== Published Exploitation-Technique: ======================= Remote Severity: ========= Medium Details: ======== A persistent script code injection vulnerability has been discovered in the skype v8.49.0.49 software. Skype has a new export function for the skype v7.x contents and messages. Users are able to export the old logs to generate a html file inside the browser with the exported content of the main.db file in combination with the journal file. The content is rendered and generated in the local installed standard browser without much usage of physical capacity. In an earlier version of skype a researchers regular skype name was formated as script code payload with iframe. The payload was saved inside of my old v7.x profile. After the researcher noticed the newst version allows to export the old logs, he used his profile with the payload in the username to open the export via main.db file. From the main db file a html file is generated that uses the name and the username of the v7.x entries to display (old conversations). This name output is displayed without safe encode / parse mechanism for special chars. In the moment the payload becomes visible the execution takes place though the newst skype version v8.x Skype itself dumps the conversation content from separate html files generated in the skype-export path of the system user account. Thus could lead as well to the manipulation of the local files that are not checking the validity or authority of the contents when transmitting. Also there is not check that those files are not manipulated at all including executable java-script code and html elements. Normally a check ensures that the generated files of the export function does not contain malformed executable codes. The generated files itself should be checked on side of the software to approve for specific manipulation attempts locally. Finally the issue allows a remote attacker to send with skype v7.x messages as html or js script code that allows to transmit for example a messages export script, redirect to malicious sources, malware downloader or manipulated the exported messages itself. Then the attacker only waits, until the targeted user exports the file from the main.db and opens it unrestricted in the web-browser to execute. The same case of scenario is possible when the account is already updated to skype version v8.49.0.49 and older from skype v7 containing the already send message by the attacker. The vulnerability can be exploited by remote attackers with local low user interaction of a skype user account. The vulnerability has been tested and verified from microsoft skype v7.x up to client version v8.49.0.49. Exploitation of the vulnerability results in persistent manipulation of the exported html file, external malicious redirect, download of malicious sources, phishing attacks (messages/crdentials) or cross site scripting attacks. Vulnerable Client(s): [+] Skype v8.49.0.49 and older v8.x versions Vulnerable Module(s): [+] History Export Affected File(s): [+] index.html (Archived Conversations) [+] main.db Attacker Client(s): [+] Skype v7.x (Creation of Profile) Proof of Concept: ================= The security vulnerability can be exploited by remote attackers with low user interaction. For security demonstration or to reproduce the issue follow the provided information and steps below to continue. Manual steps to reproduce the vulnerability ... (Local PoC) 1. Open in a first step the skype 7.x version 2. Change in a second step the visible name to a test payload (script code) Note: >"%20[SPLIT]""><[INJECTED SCRIPT CODE PAYLOAD AS DISPLAY NAME]>%20%20 (USERNAME) 3. Save the name and now upgrade to version v8.x 4. Open your skype with the upgraded installation from v7.x to the newst skype v8.x 5. Move to the settings and open the messages tab 6. Choose the History Export Function for Skype v7.x 7. Generate the file via main.db of skype 8. The standard browser opens automatically with the generated archived conversations of skype v7.x html file 9. The injected script code executes in the moment the content loads in the html template 10. Successful reproduce of the vulnerability! Manual steps to reproduce the vulnerability ... (Remote PoC) 1. Open in a first step the skype 7.x version 2. Send a script code text message to the target test account Note: Using a simple iframe, img with source and on element Payload: >"%20[SPLIT]""><[INJECTED SCRIPT CODE PAYLOAD AS DISPLAY NAME]>%20%20 (USERNAME) 3. Wait until the target user account exorts the old message content locally and opens the file Note: The malicious interaction takes place when he opens the exact malformed message-body content 4. Successful reproduce of the vulnerability! PoC: Example >"%20[SPLIT]""><[INJECTED SCRIPT CODE PAYLOAD AS DISPLAY NAME]>%20%20 (USERNAME) --- Session Logs (GET) --- https://www.vuln-lab.com/ Host: www.vuln-lab.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: de,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate, br Connection: keep-alive Upgrade-Insecure-Requests: 1 --- PoC Source (Archived Conversations 7.x - main.db - Listing)--- Archived conversations

Archived conversations

--- PoC Source (Archived Conversations 7.x - main.db - Conversation)---
  • [INJECTED SCRIPT CODE TEST PAYLOAD!] 11.7.2018 15:27:57
    This is a Skype Archive Conversation Message of main.db ;)
  • [INJECTED SCRIPT CODE TEST PAYLOAD!] 11.7.2018 15:28:11
    kommt anscheinend durch somhow
    • Solution: ========= The vulnerability can be resolved by escaping the output location with the name, author & message-body variables correctly to prevent malicious script code execution attacks like cross site scripting, extern redirect, download of malware from external sources or persistent manipulation of the affected export html module. Note: Upgrade to skype v8.54.0.91 to resolve the issue permanently. The creation of v7 profiles via client is not anymore possible. An alternative way would be to delete your local old v7 profile files that can still be imported to ensure. Risk: ===== The security risk of the persistent script code injection web vulnerability is estimated as medium. The exploitation is limited to group/multi-user accounts and specific requirements as conditions to successfully exploit. Credits: ======== Vulnerability-Lab - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab Disclaimer: =========== The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data. Domains: www.vulnerability-lab.com www.vuln-lab.com www.vulnerability-db.com Services: magazine.vulnerability-lab.com paste.vulnerability-db.com infosec.vulnerability-db.com Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php vulnerability-lab.com/rss/rss_upcoming.php vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php vulnerability-lab.com/register.php vulnerability-lab.com/list-of-bug-bounty-programs.php Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@) to get a ask permission. Copyright © 2019 | Vulnerability Laboratory - [Evolution Security GmbH]™