Skype Click To Call 6.2.0.106 Privilege Escalation

`# Vuln Title: Skype Click to Call Update Service local privilege escalation  
# Date: 10.12.2012  
# Author: otr  
# Software Link: http://www.skype.com  
# Vendor: Microsoft Corporation  
# Version: <= 6.2.0.106  
# Tested on: Windows 7, Windows XP  
# Type: Privilege Escalation, DLL Hijacking  
#  
# CVE : MS does not assign CVE for Skype vulnerabilities  
# Risk: Medium  
#   
# Status: disclosed  
  
Timeline:  
  
2012-12-10 Flaw Discovered  
2013-01-07 Vendor contacted  
2013-01-08 Vendor response  
2013-02-07 Vendor works on fix  
2013-02-11 Vendor provides fix  
2013-03-15 Public disclosure  
  
Summary:  
  
The default installation of Skype is vulnerable to a local privilege escalation  
attack that allows an unprivileged attacker to execute arbitrary code with NT  
AUTHORITY/SYSTEM privileges.  
  
Context:  
  
The Click to Call feature installed together with Skype is run as a service with  
SYSTEM privileges on Windows systems. An unprivileged user may use the  
c2c_service.exe to elevate his privileges on the system. The Skype Click to Call  
Update Service is not always installed by the Skype installer. In particular it  
is not installed (and no further option is given to do so) if the user cancels  
the installation of Skype and then starts it again (even if the Click to Call  
feature was selected the first time the installer was run). This may actually  
constitute another bug, though not security relevant. However if the user  
installs Skype with all the default options in one run the service usually is  
present on the system.  
  
Vulnerability:  
  
The application directory of c2c_service.exe is writable by everybody. As  
c2c_service.exe loads various shared libraries in an unsafe way it is prone to a  
dll search order hijacking vulnerability (the application tries to load required  
dlls from its application directory first). Even without order hijacking it is  
possible to load a custom dll into the c2c_service.exe as it searches explicitly  
in its own application directory for the file msi.dll and loads it if found.  
  
Depending on the Windows version the Skype C2C Service application directory  
differs:  
  
On Windows 7:  
C:\ProgramData\Skype\Toolbars\Skype C2C Service  
  
On Windows XP:  
C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service  
  
In order to get successful code execution the attacker needs to force the Click  
to Call service to be restarted. This can be archieved by rebooting the system.  
  
Exploitation Steps:  
  
Example using a modified msi.dll. In this case msi.dll simply imports another  
dll in order to keep the exploit and the payload seperate.  
  
- Modify original msi.dll to import another dll, e.g. payload.dll  
# wine binject -i msi.dll -m payload.dll -o msi-import-payload.dll  
- Create payload.dll file  
# msfpayload windows/adduser D > payload.dll  
- Copy modified msi.dll inside the "Skype C2C Service" directory  
- Copy payload.dll inside "Skype C2C Service" directory  
- Restart Windows  
- payload.dll is run with SYSTEM privileges.  
  
Possible Mitigations and Fixes:  
  
- securely load dlls using modified options for LoadLibraryEx (setting  
LOAD_LIBRARY_SEARCH_SYSTEM32 only in dwFlags) by modifying the program  
- disable loading msi.dll from the APPLICATION_DIR  
- make the "Skype C2C Service" folder is not world-writable  
- run the c2c_services.exe with lower privileges  
- uninstall the "Skype Click to Call Update Service"  
  
Fix:  
  
This issue was fixed in the February update of Skype by revoking write  
permission to the concerned folder.  
`