Document Title:
===============
Microsoft Skype Mobile v81.2 & v8.13 - Remote Denial of Service Vulnerability
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2116
Video: https://www.vulnerability-lab.com/get_content.php?id=2117
MSRC ID: 43520
CRM:0461036906
Acknowledgements: https://technet.microsoft.com/en-us/cc308589
Release Date:
=============
2018-03-27
Vulnerability Laboratory ID (VL-ID):
====================================
2116
Common Vulnerability Scoring System:
====================================
4.7
Vulnerability Class:
====================
Denial of Service
Current Estimated Price:
========================
1.000€ - 2.000€
Product & Service Introduction:
===============================
Skype is a telecommunications application software product that specializes in providing video chat and voice calls
between computers, tablets, mobile devices, the Xbox One console, and smartwatches via the Internet and to regular
telephones. Skype additionally provides instant messaging services. Users may transmit both text and video messages,
and may exchange digital documents such as images, text, and video. Skype allows video conference calls.
(Copy of the Homepage: https://en.wikipedia.org/wiki/Skype )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a denial of service vulnerability in the official microsoft skype
v8.12 and v8.13 mobile software clients for apple ios or google android.
Vulnerability Disclosure Timeline:
==================================
2018-02-01: Researcher Notification & Coordination (Security Researcher)
2018-02-03: Vendor Notification (Microsoft Security Response Center)
2018-02-08: Vendor Response/Feedback (Microsoft Security Response Center)
2018-03-20: Vendor Fix/Patch (Microsoft Service Developer Team)
2018-03-25: Vendor Fix/Patch (Security Acknowledgements)
2018-03-27: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Authentication Type:
====================
Restricted authentication (user/moderator) - User privileges
User Interaction:
=================
No User Interaction
Disclosure Type:
================
Coordinated Disclosure
Technical Details & Description:
================================
A remote denial of service vulnerability has been discovered in the official microsoft skype
v8.12 and v8.13 mobile software clients for apple ios or google android.
The denial of service web vulnerability allows attackers to crash the skype application by malformed message content transmit.
The vulnerability is located in the function to convert the size of transferred images when displaying. When transferring an image
from the skype windows software client (computer system) to the mobile skype clients (iOS & android), a memory error occurs when
adapting the smilie graphics. Attackers can copy the incorrectly formatted smilie by quota from the message, that is sent in broken
format with a permanent resize request. The Attackers can now transfer the copied smilie into conversations to crash it with a memory
error. When transferring the smilies by quote or by copying, the harmful content can be transferred to other input fields, which
then also cause a local memory error on display. The demo video demonstrates how an attacker can use the content locally to crash
himself or other Skype clients like Samsung's. The memory error can be used locally and remotely, but it is not possible to overwrite
active registers from the process to compromise them permanently. The exploit of the vulnerability leads to crashes, massive sync
problems and untreated memory errors in the mobile Skype iOS & Android software client. Skype for windows, linux & macos operating
systems are not affected by the issue but must be used to bring the malicious content to the mobile skype client message board.
Proof of Concept (PoC):
=======================
The vulnerability can be reproduced by local or remote attackers without user interaction and with low privileged skype user account.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
Manual steps to reproduce the vulnerability ...
1. Setup a windows 10 default system and install skype v7.40.0.151
2. Setup a mobile iOS device and install the latest skype v8.12.0.14 & v8.13
3. Now open the windows 10 skype client and add the contact of the mobile device
4. Open the mobile device and confirm the user add request
5. Move back into the windows 10 client and send the mobile skype client 2 kiss smilies for example
6. Close the skype client and reopens the client
7. Now the smilies graphics are glitching inside by a resize of the image (view demo vide)
8. Now the message with the smilies must be quoted or copied and then transfered to any other skype input field were smilies are supported
9. Pasting around 50 of them results in an unexpected memory errors and uncaught exceptions or access violations
Note: Tested for Android Samsung and Apple iOS. The resize of the larger image results in a memory corruption
10. Successful reproduce of the vulnerability!
PoC Video: Shows the local issue and the remote triggered bug ...
https://www.youtube.com/watch?v=2vcdQb98zE0
Solution - Fix & Patch:
=======================
Secure memory allocation when resizing emoticons images during rendering in transfers through the skype mobile software client.
Microsoft resolved the vulnerability and prepared an updated version v8.17 & v8.18. In both versions the security issue is known as patched.
Security Risk:
==============
The security risk of the vulnerability in the skype mobile software client for ios and android is estimated as medium (cvss 4.7).
Credits & Authors:
==================
Benjamin Kunz Mejri [research@vulnerability-lab.com] - https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M.
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies,
deface websites, hack into databases or trade with stolen data.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Section: magazine.vulnerability-lab.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark
of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to get a ask permission.
Copyright © 2018 | Vulnerability Laboratory - [Evolution Security GmbH]™