Share
## https://sploitus.com/exploit?id=VULNERLAB:2187
Document Title:
===============
Skype v8.x - History Export v7 Web Vulnerability
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2187
Vulnerability Magazine: https://www.vulnerability-db.com/?q=articles/2019/08/11/skype
MSRC: VULN-007910
Release Date:
=============
2019-11-22
Vulnerability Laboratory ID (VL-ID):
====================================
2187
Common Vulnerability Scoring System:
====================================
4.3
Vulnerability Class:
====================
Script Code Injection
Current Estimated Price:
========================
1.000€ - 2.000€
Product & Service Introduction:
===============================
Skype is a telecommunications application that specializes in providing video chat and voice calls between computers, tablets,
mobile devices, the Xbox One console, and smartwatches via the Internet. Skype also provides instant messaging services. Users may
transmit text, video, audio and images. Skype allows video conference calls. At the end of 2010, there were over 660 million worldwide
users, with over 300 million estimated active each month as of August 2015. At one point in February 2012, there were 34 million
users concurrently online on Skype.
(Copy of the Homepage: https://en.wikipedia.org/wiki/Skype )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a persistent vulnerability in skype v8.49.0.49 and older versions.
Vulnerability Disclosure Timeline:
==================================
2019-11-22: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Authentication Type:
====================
Restricted authentication (user/moderator) - User privileges
User Interaction:
=================
Low User Interaction
Disclosure Type:
================
Responsible Disclosure Program
Technical Details & Description:
================================
A persistent script code injection vulnerability has been discovered in the skype v8.49.0.49 software.
Skype has a new export function for the skype v7.x contents and messages. Users are able to export the old logs
to generate a html file inside the browser with the exported content of the main.db file in combination with the
journal file. The content is rendered and generated in the local installed standard browser without much usage
of physical capacity.
In an earlier version of skype a researchers regular skype name was formated as script code payload with iframe.
The payload was saved inside of my old v7.x profile. After the researcher noticed the newst version allows to
export the old logs, he used his profile with the payload in the username to open the export via main.db file.
From the main db file a html file is generated that uses the name and the username of the v7.x entries to display
(old conversations). This name output is displayed without safe encode / parse mechanism for special chars. In the
moment the payload becomes visible the execution takes place though the newst skype version v8.x
Skype itself dumps the conversation content from separate html files generated in the skype-export path of the
system user account. Thus could lead as well to the manipulation of the local files that are not checking the
validity or authority of the contents when transmitting. Also there is not check that those files are not
manipulated at all including executable java-script code and html elements. Normally a check ensures that the
generated files of the export function does not contain malformed executable codes. The generated files itself
should be checked on side of the software to approve for specific manipulation attempts locally.
Finally the issue allows a remote attacker to send with skype v7.x messages as html or js script code that allows
to transmit for example a messages export script, redirect to malicious sources, malware downloader or manipulated
the exported messages itself. Then the attacker only waits, until the targeted user exports the file from the main.db
and opens it unrestricted in the web-browser to execute. The same case of scenario is possible when the account is
already updated to skype version v8.49.0.49 and older from skype v7 containing the already send message by the attacker.
The vulnerability can be exploited by remote attackers with local low user interaction of a skype user account.
The vulnerability has been tested and verified from microsoft skype v7.x up to client version v8.49.0.49.
Exploitation of the vulnerability results in persistent manipulation of the exported html file, external malicious
redirect, download of malicious sources, phishing attacks (messages/crdentials) or cross site scripting attacks.
Vulnerable Client(s):
[+] Skype v8.49.0.49 and older v8.x versions
Vulnerable Module(s):
[+] History Export
Affected File(s):
[+] index.html (Archived Conversations)
[+] main.db
Attacker Client(s):
[+] Skype v7.x (Creation of Profile)
Proof of Concept (PoC):
=======================
The security vulnerability can be exploited by remote attackers with low user interaction.
For security demonstration or to reproduce the issue follow the provided information and steps below to continue.
Manual steps to reproduce the vulnerability ... (Local PoC)
1. Open in a first step the skype 7.x version
2. Change in a second step the visible name to a test payload (script code)
Note: <a href=".[USERNAME][GENERATED FROM ARCHIVE FILE].html">>"%20[SPLIT]""><[INJECTED SCRIPT CODE PAYLOAD AS DISPLAY NAME]>%20%20 (USERNAME)</a>
3. Save the name and now upgrade to version v8.x
4. Open your skype with the upgraded installation from v7.x to the newst skype v8.x
5. Move to the settings and open the messages tab
6. Choose the History Export Function for Skype v7.x
7. Generate the file via main.db of skype
8. The standard browser opens automatically with the generated archived conversations of skype v7.x html file
9. The injected script code executes in the moment the content loads in the html template
10. Successful reproduce of the vulnerability!
Manual steps to reproduce the vulnerability ... (Remote PoC)
1. Open in a first step the skype 7.x version
2. Send a script code text message to the target test account
Note: Using a simple iframe, img with source and on element
Payload: <a href=".[USERNAME][GENERATED FROM ARCHIVE FILE].html">>"%20[SPLIT]""><[INJECTED SCRIPT CODE PAYLOAD AS DISPLAY NAME]>%20%20 (USERNAME)</a>
3. Wait until the target user account exorts the old message content locally and opens the file
Note: The malicious interaction takes place when he opens the exact malformed message-body content
4. Successful reproduce of the vulnerability!
PoC: Example
<a href=".[USERNAME][GENERATED FROM ARCHIVE FILE].html">>"%20[SPLIT]""><[INJECTED SCRIPT CODE PAYLOAD AS DISPLAY NAME]>%20%20 (USERNAME)</a>
--- Session Logs (GET) ---
https://www.vuln-lab.com/
Host: www.vuln-lab.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Upgrade-Insecure-Requests: 1
--- PoC Source (Archived Conversations 7.x - main.db - Listing)---
<!DOCTYPE html>
<html>
<head>
<title>Archived conversations</title>
<meta charset="utf-8">
</head>
<body>
<div class="header">
<h1 class="conversations">Archived conversations</h1>
<ul class="exported-accounts" id="accounts">
<li class="account">
<a href=".rm.01xindex.html">>"%20""><iframe src=https://www.vuln-lab.com onload=alert("TEST")>%20%20</iframe> (rm.01x)</a>
</li>
</ul>
</body>
</html>
--- PoC Source (Archived Conversations 7.x - main.db - Conversation)---
<li class="message" id="XXXXX">
<div>
<span class="author"><iframe src=https://www.vuln-lab.com onload=alert("TEST")>%20%20</iframe>[INJECTED SCRIPT CODE TEST PAYLOAD!]</span>
<span class="timestamp">11.7.2018 15:27:57</span>
</div>
<div class="message-body"><div class="uri-object">This is a Skype Archive Conversation Message of main.db ;)</div></div>
</li>
<li class="message" id="XXXXX" >
<div>
<span class="author"><iframe src=https://www.vuln-lab.com onload=alert("TEST")>%20%20</iframe>[INJECTED SCRIPT CODE TEST PAYLOAD!]</span>
<span class="timestamp">11.7.2018 15:28:11</span>
</div>
<div class="message-body">kommt anscheinend durch somhow</div>
</li></ul>
</body>
</html>
</iframe></div></div></li>
Solution - Fix & Patch:
=======================
The vulnerability can be resolved by escaping the output location with the name, author & message-body
variables correctly to prevent malicious script code execution attacks like cross site scripting, extern
redirect, download of malware from external sources or persistent manipulation of the affected
export html module.
Note: Upgrade to skype v8.54.0.91 to resolve the issue permanently. The creation of v7 profiles
via client is not anymore possible.
An alternative way would be to delete your local old v7 profile files that can still be imported to ensure.
Security Risk:
==============
The security risk of the persistent script code injection web vulnerability is estimated as medium. The exploitation is
limited to group/multi-user accounts and specific requirements as conditions to successfully exploit.
Credits & Authors:
==================
Vulnerability-Lab - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.
Domains: www.vulnerability-lab.com www.vuln-lab.com www.vulnerability-db.com
Services: magazine.vulnerability-lab.com paste.vulnerability-db.com infosec.vulnerability-db.com
Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php vulnerability-lab.com/rss/rss_upcoming.php vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php vulnerability-lab.com/register.php vulnerability-lab.com/list-of-bug-bounty-programs.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or
edit our material contact (admin@ or research@) to get a ask permission.
Copyright © 2019 | Vulnerability Laboratory - [Evolution Security GmbH]™