Document Title: =============== Microsoft Skype Mobile v81.2 & v8.13 - Remote Denial of Service Vulnerability References (Source): ==================== https://www.vulnerability-lab.com/get_content.php?id=2116 Video: https://www.vulnerability-lab.com/get_content.php?id=2117 MSRC ID: 43520  CRM:0461036906 Acknowledgements: https://technet.microsoft.com/en-us/cc308589 Release Date: ============= 2018-03-27 Vulnerability Laboratory ID (VL-ID): ==================================== 2116 Common Vulnerability Scoring System: ==================================== 4.7 Vulnerability Class: ==================== Denial of Service Current Estimated Price: ======================== 1.000€ - 2.000€ Product & Service Introduction: =============================== Skype is a telecommunications application software product that specializes in providing video chat and voice calls between computers, tablets, mobile devices, the Xbox One console, and smartwatches via the Internet and to regular telephones. Skype additionally provides instant messaging services. Users may transmit both text and video messages, and may exchange digital documents such as images, text, and video. Skype allows video conference calls. (Copy of the Homepage: https://en.wikipedia.org/wiki/Skype ) Abstract Advisory Information: ============================== The vulnerability laboratory core research team discovered a denial of service vulnerability in the official microsoft skype v8.12 and v8.13 mobile software clients for apple ios or google android. Vulnerability Disclosure Timeline: ================================== 2018-02-01: Researcher Notification & Coordination (Security Researcher) 2018-02-03: Vendor Notification (Microsoft Security Response Center) 2018-02-08: Vendor Response/Feedback (Microsoft Security Response Center) 2018-03-20: Vendor Fix/Patch (Microsoft Service Developer Team) 2018-03-25: Vendor Fix/Patch (Security Acknowledgements) 2018-03-27: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== Exploitation Technique: ======================= Remote Severity Level: =============== Medium Authentication Type: ==================== Restricted authentication (user/moderator) - User privileges User Interaction: ================= No User Interaction Disclosure Type: ================ Coordinated Disclosure Technical Details & Description: ================================ A remote denial of service vulnerability has been discovered in the official microsoft skype v8.12 and v8.13 mobile software clients for apple ios or google android. The denial of service web vulnerability allows attackers to crash the skype application by malformed message content transmit. The vulnerability is located in the function to convert the size of transferred images when displaying. When transferring an image from the skype windows software client (computer system) to the mobile skype clients (iOS & android), a memory error occurs when adapting the smilie graphics. Attackers can copy the incorrectly formatted smilie by quota from the message, that is sent in broken format with a permanent resize request. The Attackers can now transfer the copied smilie into conversations to crash it with a memory error. When transferring the smilies by quote or by copying, the harmful content can be transferred to other input fields, which then also cause a local memory error on display. The demo video demonstrates how an attacker can use the content locally to crash himself or other Skype clients like Samsung's. The memory error can be used locally and remotely, but it is not possible to overwrite active registers from the process to compromise them permanently. The exploit of the vulnerability leads to crashes, massive sync problems and untreated memory errors in the mobile Skype iOS & Android software client. Skype for windows, linux & macos operating systems are not affected by the issue but must be used to bring the malicious content to the mobile skype client message board. Proof of Concept (PoC): ======================= The vulnerability can be reproduced by local or remote attackers without user interaction and with low privileged skype user account. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue. Manual steps to reproduce the vulnerability ... 1. Setup a windows 10 default system and install skype v7.40.0.151 2. Setup a mobile iOS device and install the latest skype v8.12.0.14 & v8.13 3. Now open the windows 10 skype client and add the contact of the mobile device 4. Open the mobile device and confirm the user add request 5. Move back into the windows 10 client and send the mobile skype client 2 kiss smilies for example 6. Close the skype client and reopens the client 7. Now the smilies graphics are glitching inside by a resize of the image (view demo vide) 8. Now the message with the smilies must be quoted or copied and then transfered to any other skype input field were smilies are supported 9. Pasting around 50 of them results in an unexpected memory errors and uncaught exceptions or access violations Note: Tested for Android Samsung and Apple iOS. The resize of the larger image results in a memory corruption 10. Successful reproduce of the vulnerability! PoC Video: Shows the local issue and the remote triggered bug ... https://www.youtube.com/watch?v=2vcdQb98zE0 Solution - Fix & Patch: ======================= Secure memory allocation when resizing emoticons images during rendering in transfers through the skype mobile software client. Microsoft resolved the vulnerability and prepared an updated version v8.17 & v8.18. In both versions the security issue is known as patched. Security Risk: ============== The security risk of the vulnerability in the skype mobile software client for ios and android is estimated as medium (cvss 4.7). Credits & Authors: ================== Benjamin Kunz Mejri [research@vulnerability-lab.com] - https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M. Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com Section: magazine.vulnerability-lab.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to get a ask permission. Copyright © 2018 | Vulnerability Laboratory - [Evolution Security GmbH]™