Vuln Title: Skype Click to Call Update Service local privilege escalation # Date: 10.12.2012 # Author: otr # Software Link: http://www.skype.com # Vendor: Microsoft Corporation # Version: <= 6.2.0.106 # Tested on: Windows 7, Windows XP # Type: Privilege Escalation, DLL Hijacking # # CVE : MS does not assign CVE for Skype vulnerabilities # Risk: Medium # # Status: disclosed Timeline: 2012-12-10 Flaw Discovered 2013-01-07 Vendor contacted 2013-01-08 Vendor response 2013-02-07 Vendor works on fix 2013-02-11 Vendor provides fix 2013-03-15 Public disclosure Summary: The default installation of Skype is vulnerable to a local privilege escalation attack that allows an unprivileged attacker to execute arbitrary code with NT AUTHORITY/SYSTEM privileges. Context: The Click to Call feature installed together with Skype is run as a service with SYSTEM privileges on Windows systems. An unprivileged user may use the c2c_service.exe to elevate his privileges on the system. The Skype Click to Call Update Service is not always installed by the Skype installer. In particular it is not installed (and no further option is given to do so) if the user cancels the installation of Skype and then starts it again (even if the Click to Call feature was selected the first time the installer was run). This may actually constitute another bug, though not security relevant. However if the user installs Skype with all the default options in one run the service usually is present on the system. Vulnerability: The application directory of c2c_service.exe is writable by everybody. As c2c_service.exe loads various shared libraries in an unsafe way it is prone to a dll search order hijacking vulnerability (the application tries to load required dlls from its application directory first). Even without order hijacking it is possible to load a custom dll into the c2c_service.exe as it searches explicitly in its own application directory for the file msi.dll and loads it if found. Depending on the Windows version the Skype C2C Service application directory differs: On Windows 7: C:\ProgramData\Skype\Toolbars\Skype C2C Service On Windows XP: C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service In order to get successful code execution the attacker needs to force the Click to Call service to be restarted. This can be archieved by rebooting the system. Exploitation Steps: Example using a modified msi.dll. In this case msi.dll simply imports another dll in order to keep the exploit and the payload seperate. - Modify original msi.dll to import another dll, e.g. payload.dll # wine binject -i msi.dll -m payload.dll -o msi-import-payload.dll - Create payload.dll file # msfpayload windows/adduser D > payload.dll - Copy modified msi.dll inside the "Skype C2C Service" directory - Copy payload.dll inside "Skype C2C Service" directory - Restart Windows - payload.dll is run with SYSTEM privileges. Possible Mitigations and Fixes: - securely load dlls using modified options for LoadLibraryEx (setting LOAD_LIBRARY_SEARCH_SYSTEM32 only in dwFlags) by modifying the program - disable loading msi.dll from the APPLICATION_DIR - make the "Skype C2C Service" folder is not world-writable - run the c2c_services.exe with lower privileges - uninstall the "Skype Click to Call Update Service" Fix: This issue was fixed in the February update of Skype by revoking write permission to the concerned folder.