CyberSecurity Researcher Found Stack Buffer Overflow Vulnerability In Microsoft Skype Software

Vulnerability Lab Security researcher Benjamin Kunj Mejri discovered a Stack Buffer Overflow Vulnerability in the official Microsoft Skype v7.2, v7.3.5.103 & v7.3.6 software.

Technical Details & Description:

A remote and local stack buffer overflow vulnerability has been discovered in the official Microsoft Skype v7.2, v7.3.5 & v7.3.6 software client. The security vulnerability allows to crash the software application with an unexpected exception error, to overwrite the active process registers
to execute own malicious codes.

The Skype software is using a dll in case of a copy request on the local system. We place a picture in our clipboard (we take a screenshot in this example), this needs to be copied from a remote desktop system. This can be pasted into the local Skype message box, by the paste function.
Then the picture is taken from the clipboard (which is the RDP remote clipboard content) and successfully copies it into the message box.

The security vulnerability is located in the `clipboard format` function of the skype software. Attackers are able to use a remote computer system with a shared clipboard, to provoke a stack buffer overflow on transmission to Skype. The issue affects the `MSFTEDIT.DLL` dynamic link library of the Windows 8 (x86) operating system. The limitation of the transmitted size and count for images via print of the remote session clipboard has no secure limitations or restrictions. Attackers are able to crash the software with one request to overwrite the eip register of the active software process. Thus allows local or remote attackers to execute own codes on the affected and connected computer systems via the Skype software.

The attacker opens a local computer system connection and establishes a RDP connection to another system. First the attacker enables the clipboard function for the remote session. This is possible by the basic rdp settings in the `Local Devices & Resources settings. Then the attacker moves with a click into the RDP session window and pushes the print key. A screenshot is made of the remote session, that is loaded to the local system cache of the first computer system that the attacker uses. Then the attacker moves back to the local system into the conversation of Skype and copy-paste the screenshot of the clipboard (print) to the message body. A clipboard error occurs because of the unknown format size and the software crashes with several uncaught access violations or unfiltered exceptions for both parties. The software is not terminated and allows to read every dll error by line with offset.

The error and critical crashes are captured by the software internal dev log called gilasterr.log file. gilasterr.log file captures internal information of the software in case of critical errors for the Skype developer teams. During the exploitation process the gilasterr.log file captured the loop crashes and overwrite of the eip register as reference. The active offsets allowed us to define a new address to compromise the targeted local or remote computer system.

In a software update of the v7.2, v7.3.5 & v7.3.6 version of skype, a limitation has been implemented for the clipboard function. Due to the implementation, a misconfiguration was included by the developers. The cut function allows to paste the image in raw format back to the message box. After the limitation was implemented for the pasted image counts and for the byte size of the clipboard, the attacker is still able to exploit the issue. Therefore an attacker uses the developer flaw that should fix the new zero-day vulnerability. The attacker copies the content via remote session of the clipboard via cache, then he uses the cut ability of Skype with the context menu and re-paste the input again. After that the images are getting transferred in raw format as text value of the Skype code [image] by re-pasting them to the message box query, the vulnerability can be triggered again and the limitation of size and count is bypassed.

The successful attack scenario is not limited to manual exploitation only. Attackers can locally prepare the cache and clipboard of a computer system to exploit the connected remote party computer system using Skype.The security risk of the Skype vulnerability is estimated as high with a CVSS (common vulnerability scoring system) count of 7.2. Exploitation of the buffer overflow software vulnerability requires no user interaction and only a low privilege Skype user account. Successful exploitation of the buffer overflow vulnerability results in system and process compromise by an overwrite of the registers.

Proof of Concept (PoC):

The buffer overflow vulnerability can be exploited by local and remote attackers without user interaction and with low privileged Skype user account.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability.
1. Install Skype to your windows xp, windows 7 or windows 8 computer system
2. Add a first test contact and use another computer to connect to ip (separate ip and connection)
3. Accept the add request for further communication to both accounts
4. Now, the attacker opens for example a remote desktop session to another system of the first computer for reproduce
Note: Activate in the RDP session the clipboard for copy to share with the local connected computer system
5. Connect via RDP to the new computer system
6. Use the print button to make a screenhot
Note: The data is stored in the cache because of the transmit to the other system
7. Move now back to the regular system without closing the rdp connection
8. Copy the cipboard content inside of the message box
Note: In some cases this already causes the main crash but sometimes the message needs to be delivered to crash on interaction
9. The software crashs and the connected client as well several uncaught and unexpected or unknown errors occur
Note: At that point the attacker is able to overwrite the register of the software process to gain higher privileges
10. Successful reproduce of the buffer overflow vulnerability in the Skype software!

How to Fix and Patch:

The vulnerability can be resolved by a count and size restriction of the clipboard content delivered via a remote system. Improve the path content and disallow to perform a request when the data is not physical located on the transmission computer system. Include a secure exception-handling to prevent uncaught and unexpected error exceptions to followup with a jump to another address. Another solution could be to deactivate the copy clipboard in case the data is requested of another remote system. Thus would deny that an attacker is however able use the clipboard to trick into an overflow.

Immediately update the Skype software core and publish a bulletin to prevent exploitation of the zero-day vulnerability. The impact is not limited to Skype but demonstrated with it. Research on the error to ensure no other software that uses the same way is affected as well.

Vulnerability Disclosure Timeline:

  • 2017-05-16: Researcher Notification & Coordination (Benjamin Kunz Mejri)
  • 2017-05-17: Vendor Notification (Microsoft Security Response Center – MSRC)
  • 2017-05-24: Vendor Response/Feedback (Microsoft Security Response Center – MSRC)
  • 2017-06-08: Vendor Fix/Patch (Microsoft Service Developer Team)
  • 2017-06-25: Security Acknowledgements (Microsoft Security Response Center – MSRC)
  • 2017-06-26: Public Disclosure (Vulnerability Laboratory)

Note: The skype developer team resolved the stack buffer overflow vulnerability in the official skype software client version 7.37.178. Download: Latest Skype Version