lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <c0314ab6-1241-69d7-4852-a79e2b1b33ec@vulnerability-lab.com>
Date: Tue, 27 Mar 2018 16:10:36 +0200
From: Vulnerability Lab <research@...nerability-lab.com>
To: fulldisclosure@...lists.org
Subject: [FD] Microsoft Skype Mobile v81.2 & v8.13 - Remote Denial of
 Service Vulnerability

Document Title:
===============
Microsoft Skype Mobile v81.2 & v8.13 - Remote Denial of Service Vulnerability


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2116

Video: https://www.vulnerability-lab.com/get_content.php?id=2117

MSRC ID: 43520  
CRM:0461036906

Acknowledgements: https://technet.microsoft.com/en-us/cc308589


Release Date:
=============
2018-03-27


Vulnerability Laboratory ID (VL-ID):
====================================
2116


Common Vulnerability Scoring System:
====================================
4.7


Vulnerability Class:
====================
Denial of Service


Current Estimated Price:
========================
1.000€ - 2.000€


Product & Service Introduction:
===============================
Skype is a telecommunications application software product that specializes in providing video chat and voice calls 
between computers, tablets, mobile devices, the Xbox One console, and smartwatches via the Internet and to regular 
telephones. Skype additionally provides instant messaging services. Users may transmit both text and video messages, 
and may exchange digital documents such as images, text, and video. Skype allows video conference calls.

(Copy of the Homepage: https://en.wikipedia.org/wiki/Skype )


Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a denial of service vulnerability in the official microsoft skype 
v8.12 and v8.13 mobile software clients for apple ios or google android.


Vulnerability Disclosure Timeline:
==================================
2018-02-01: Researcher Notification & Coordination (Security Researcher)
2018-02-03: Vendor Notification (Microsoft Security Response Center)
2018-02-08: Vendor Response/Feedback (Microsoft Security Response Center)
2018-03-20: Vendor Fix/Patch (Microsoft Service Developer Team)
2018-03-25: Vendor Fix/Patch (Security Acknowledgements)
2018-03-27: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================

Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Authentication Type:
====================
Restricted authentication (user/moderator) - User privileges


User Interaction:
=================
No User Interaction


Disclosure Type:
================
Coordinated Disclosure


Technical Details & Description:
================================
A remote denial of service vulnerability has been discovered in the official microsoft skype 
v8.12 and v8.13 mobile software clients for apple ios or google android.
The denial of service web vulnerability allows attackers to crash the skype application by malformed message content transmit.

The vulnerability is located in the function to convert the size of transferred images when displaying. When transferring an image 
from the skype windows software client (computer system) to the mobile skype clients (iOS & android), a memory error occurs when 
adapting the smilie graphics. Attackers can copy the incorrectly formatted smilie by quota from the message, that is sent in broken 
format with a permanent resize request. The Attackers can now transfer the copied smilie into conversations to crash it with a memory 
error. When transferring the smilies by quote or by copying, the harmful content can be transferred to other input fields, which 
then also cause a local memory error on display. The demo video demonstrates how an attacker can use the content locally to crash 
himself or other Skype clients like Samsung's. The memory error can be used locally and remotely, but it is not possible to overwrite 
active registers from the process to compromise them permanently. The exploit of the vulnerability leads to crashes, massive sync 
problems and untreated memory errors in the mobile Skype iOS & Android software client. Skype for windows, linux & macos operating 
systems are not affected by the issue but must be used to bring the malicious content to the mobile skype client message board.


Proof of Concept (PoC):
=======================
The vulnerability can be reproduced by local or remote attackers without user interaction and with low privileged skype user account.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.


Manual steps to reproduce the vulnerability ...
1. Setup a windows 10 default system and install skype v7.40.0.151
2. Setup a mobile iOS device and install the latest skype v8.12.0.14 & v8.13
3. Now open the windows 10 skype client and add the contact of the mobile device
4. Open the mobile device and confirm the user add request
5. Move back into the windows 10 client and send the mobile skype client 2 kiss smilies for example
6. Close the skype client and reopens the client
7. Now the smilies graphics are glitching inside by a resize of the image (view demo vide)
8. Now the message with the smilies must be quoted or copied and then transfered to any other skype input field were smilies are supported
9. Pasting around 50 of them results in an unexpected memory errors and uncaught exceptions or access violations
Note: Tested for Android Samsung and Apple iOS. The resize of the larger image results in a memory corruption
10. Successful reproduce of the vulnerability!


PoC Video: Shows the local issue and the remote triggered bug ...
https://www.youtube.com/watch?v=2vcdQb98zE0


Solution - Fix & Patch:
=======================
Secure memory allocation when resizing emoticons images during rendering in transfers through the skype mobile software client.
Microsoft resolved the vulnerability and prepared an updated version v8.17 & v8.18. In both versions the security issue is known as patched.


Security Risk:
==============
The security risk of the vulnerability in the skype mobile software client for ios and android is estimated as medium (cvss 4.7).


Credits & Authors:
==================
Benjamin Kunz Mejri [research@...nerability-lab.com] - https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M.


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed 
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable 
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab 
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for 
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, 
deface websites, hack into databases or trade with stolen data.

Domains:    www.vulnerability-lab.com 		- www.vuln-lab.com 						- www.evolution-sec.com
Section:    magazine.vulnerability-lab.com 	- vulnerability-lab.com/contact.php 				- evolution-sec.com/contact
Social:	    twitter.com/vuln_lab		- facebook.com/VulnerabilityLab 				- youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php 	- vulnerability-lab.com/rss/rss_upcoming.php 			- vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php 	- vulnerability-lab.com/list-of-bug-bounty-programs.php 	- vulnerability-lab.com/register.php

Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark 
of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to get a ask permission.

				    Copyright © 2018 | Vulnerability Laboratory - [Evolution Security GmbH]™

-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists