lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20130315143142.GA17117@localhost>
Date: Fri, 15 Mar 2013 15:31:42 +0100
From: Oliver-Tobias Ripka <otr@...kcay.de>
To: Bugtraq <bugtraq@...urityfocus.com>
Cc: Full Disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Skype Click to Call Update Service local
	privilege escalation

# Vuln Title: Skype Click to Call Update Service local privilege escalation
# Date: 10.12.2012
# Author: otr
# Software Link: http://www.skype.com
# Vendor: Microsoft Corporation
# Version: <= 6.2.0.106
# Tested on: Windows 7, Windows XP
# Type: Privilege Escalation, DLL Hijacking
#
# CVE : MS does not assign CVE for Skype vulnerabilities
# Risk: Medium
# 
# Status: disclosed

Timeline:

2012-12-10 Flaw Discovered
2013-01-07 Vendor contacted
2013-01-08 Vendor response
2013-02-07 Vendor works on fix
2013-02-11 Vendor provides fix
2013-03-15 Public disclosure

Summary:

The default installation of Skype is vulnerable to a local privilege escalation
attack that allows an unprivileged attacker to execute arbitrary code with NT
AUTHORITY/SYSTEM privileges.

Context:

The Click to Call feature installed together with Skype is run as a service with
SYSTEM privileges on Windows systems. An unprivileged user may use the
c2c_service.exe to elevate his privileges on the system. The Skype Click to Call
Update Service is not always installed by the Skype installer. In particular it
is not installed (and no further option is given to do so) if the user cancels
the installation of Skype and then starts it again (even if the Click to Call
feature was selected the first time the installer was run). This may actually
constitute another bug, though not security relevant. However if the user
installs Skype with all the default options in one run the service usually is
present on the system.

Vulnerability:

The application directory of c2c_service.exe is writable by everybody. As
c2c_service.exe loads various shared libraries in an unsafe way it is prone to a
dll search order hijacking vulnerability (the application tries to load required
dlls from its application directory first). Even without order hijacking it is
possible to load a custom dll into the c2c_service.exe as it searches explicitly
in its own application directory for the file msi.dll and loads it if found.

Depending on the Windows version the Skype C2C Service application directory
differs:

On Windows 7:
C:\ProgramData\Skype\Toolbars\Skype C2C Service

On Windows XP:
C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service

In order to get successful code execution the attacker needs to force the Click
to Call service to be restarted. This can be archieved by rebooting the system.

Exploitation Steps:

Example using a modified msi.dll. In this case msi.dll simply imports another
dll in order to keep the exploit and the payload seperate.

- Modify original msi.dll to import another dll, e.g. payload.dll
	# wine binject  -i msi.dll -m payload.dll -o msi-import-payload.dll
- Create payload.dll file
	# msfpayload windows/adduser D > payload.dll
- Copy modified msi.dll inside the "Skype C2C Service" directory
- Copy payload.dll inside "Skype C2C Service" directory
- Restart Windows
- payload.dll is run with SYSTEM privileges.

Possible Mitigations and Fixes:

- securely load dlls using modified options for LoadLibraryEx (setting
  LOAD_LIBRARY_SEARCH_SYSTEM32 only in dwFlags) by modifying the program
- disable loading msi.dll from the APPLICATION_DIR
- make the "Skype C2C Service" folder is not world-writable
- run the c2c_services.exe with lower privileges
- uninstall the "Skype Click to Call Update Service"

Fix:

This issue was fixed in the February update of Skype by revoking write
permission to the concerned folder.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ