Skype File URI Security Bypass Code Execution Vulnerability

iDefense has published my advisory about a potential security vulnerability in Skype. Exploitation of this issue allows an attacker to execute arbitrary code.

To exploit it, an attacker needs to construct a malicious file: URI and send it to the victim as a Skype chat message. The advisory covers two flaws. One of them is related to a case-sensitive comparison. Skype has a blacklist of potentially dangerous file extensions (.ade, .adp, .asd, .bas, .bat, .cab, .chm, .cmd, .com, .cpl, .crt, .dll, .eml, .exe, .hlp, .hta, .inf, .ins, .isp, .js, …). When a file: URI is sent to a user and the victim clicks on it, the URI is checked to verify whether it uses one of the blacklisted extensions; however, this comparison is case-sensitive.

The other flaw is more dangerous and allows remote code execution. The blacklist of dangerous file extensions omits some executable file formats, so it is easy to execute arbitrary code on the remote computer by sending a file: URI that points to a remote executable in one of those formats.
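Both flaws come down to how the extension check is written. The following is an added example, not Skype's code or code from the advisory: it runs the case-sensitive blacklist check described above next to a case-normalized blacklist and a default-deny allowlist. The host name, file names, the `.unlisted` placeholder extension and the allowlist contents are constructed for illustration.

```python
import posixpath
from urllib.parse import unquote, urlparse

# Extensions quoted in the post; its list is truncated ("…"), so this is a subset.
BLACKLIST = {".ade", ".adp", ".asd", ".bas", ".bat", ".cab", ".chm", ".cmd",
             ".com", ".cpl", ".crt", ".dll", ".eml", ".exe", ".hlp", ".hta",
             ".inf", ".ins", ".isp", ".js"}
# Assumption: file types the client chooses to open from a chat link.
ALLOWLIST = {".txt", ".png", ".jpg", ".pdf"}


def extension(uri):
    """Extension of the path in a file: URI, percent-decoded, case preserved."""
    return posixpath.splitext(unquote(urlparse(uri).path))[1]


def blacklist_case_sensitive(uri):
    """The flawed check: exact-case match against the blacklist."""
    return extension(uri) not in BLACKLIST


def blacklist_case_insensitive(uri):
    """Fixes the first flaw only: still passes anything the list omits."""
    return extension(uri).lower() not in BLACKLIST


def allowlist(uri):
    """Default deny: only known-safe types pass, whatever the case."""
    return extension(uri).lower() in ALLOWLIST


def evaluate(uri):
    """Return True (link would be opened) or False (blocked) per policy."""
    return {"case_sensitive_blacklist": blacklist_case_sensitive(uri),
            "case_insensitive_blacklist": blacklist_case_insensitive(uri),
            "allowlist": allowlist(uri)}


# Constructed sample links; ".unlisted" stands in for any format the list omits.
SAMPLES = ["file://fileserver.example/share/notes.txt",
           "file://fileserver.example/share/tool.exe",
           "file://fileserver.example/share/tool.EXE",
           "file://fileserver.example/share/tool.unlisted"]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(uri, evaluate(uri))
```

Normalizing case closes the first flaw, but only the allowlist blocks the link whose extension the blacklist never mentions.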

You can read the iDefense Advisory and the Skype Advisory.
