Skype Manager Filter Bypass

2016-05-10T00:00:00
ID PACKETSTORM:137010
Type packetstorm
Reporter Karim Rahal
Modified 2016-05-10T00:00:00

Description

                                        
                                            `Document Title:  
===============  
Skype Manager - (Email Change) Filter Bypass Vulnerability  
  
  
References (Source):  
====================  
http://www.vulnerability-lab.com/get_content.php?id=1672  
  
MSRC Case 32353 TRK:0001002845  
  
  
Release Date:  
=============  
2016-05-09  
  
  
Vulnerability Laboratory ID (VL-ID):  
====================================  
1672  
  
  
Common Vulnerability Scoring System:  
====================================  
5.2  
  
  
Product & Service Introduction:  
===============================  
Skype is a proprietary voice-over-Internet Protocol service and software application originally created in 2003 by Swedish entrepreneur   
Niklas Zennström and his Danish partner Janus Friis. It has been owned by Microsoft since 2011. The service allows users to communicate   
with peers by voice, video, and instant messaging over the Internet. Phone calls may be placed to recipients on the traditional telephone   
networks. Calls to other users within the Skype service are free of charge, while calls to landline telephones and mobile phones are charged   
via a debit-based user account system. Skype has also become popular for its additional features, including file transfer, and videoconferencing.   
Competitors include SIP and H.323-based services, such as Linphone, as well as the Google Talk service, Mumble and Hall.com.  
  
Skype has 663 million registered users as of September 2011. The network is operated by Microsoft, which has its Skype division headquarters   
in Luxembourg. Most of the development team and 44% of the overall employees of the division are situated in Tallinn and Tartu, Estonia.  
  
Unlike most other VoIP services, Skype is a hybrid peer-to-peer and client–server system. It makes use of background processing on computers   
running Skype software. Skype`s original proposed name (Sky Peer-to-Peer) reflects this fact. Some network administrators have banned Skype   
on corporate, government, home, and education networks, citing reasons such as inappropriate usage of resources, excessive bandwidth usage,   
and security concerns.  
  
(Copy of the Vendor Homepage: http://en.wikipedia.org/wiki/Skype)  
  
  
Abstract Advisory Information:  
==============================  
An independent vulnerability laboratory researcher discovered a hidden function to change unauthorized email accounts of the official Skype Manager web-application.  
  
  
Vulnerability Disclosure Timeline:  
==================================  
2016-01-19: Researcher Notification & Coordination (Karim Rahal)  
2016-01-20: Vendor Notification (MSRC - Skype Security Team)  
2016-01-28: Vendor Response/Feedback (MSRC - Skype Security Team)  
2016-05-05: Vendor Fix/Patch #(Microsoft Skype Developer Team)  
2016-05-09: Public Disclosure (Vulnerability Laboratory)  
  
  
Discovery Status:  
=================  
Published  
  
  
Affected Product(s):  
====================  
Microsoft Corporation  
Product: Skype Manager - Online Service (Web-Application) 2016 Q1  
  
  
Exploitation Technique:  
=======================  
Remote  
  
  
Severity Level:  
===============  
Medium  
  
  
Technical Details & Description:  
================================  
A filter bypass vulnerability has been discovered in the official Microsoft Skype Manager online service web-application.  
The vulnerability allows to bypass a secure set filter restriction of the web-application to deny unauthorized   
interaction by criminals on account take-over attacks.  
  
Filter bypass is a vulnerability which performs evasion on a certain filter and bypasses it, in this case it was able to bypass   
the filter which didn`t allow a user/attacker to change his email without entering his password etc.. but with this filter bypass  
you can just change ur email simply through being inside the account, you don`t even have to know the account`s password.  
  
This filter bypass is done because there isn`t enough validation/checking inside the API which didn`t check if its his actual email   
or if he can actually change it, in addition, this vulnerability easily allowed Full account Takeover once exploited, simply a   
hacker would hack into an account throgh session but he wouldn`t have full access because he doesn`t have the password, but this   
filter bypass allowed him to change password then send a change password link to the changed email which is his hacking email,   
and then he resets the password and tadaa! he now has full access to the account.  
  
The security risk of the filter bypass vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 5.2.   
Exploitation of the filter and validation web vulnerability requires a low privileged skype user account with restricted access and low user interaction.   
Successful exploitation of the vulnerability results in an account take-over one malicious interaction.  
  
  
Proof of Concept (PoC):  
=======================  
The vulnerability can be exploited by remote attackers with low privileged skype web-application user account and low user interaction.  
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.  
  
Manual steps to reproduce the vulnerability ...  
1. Go to manager.skype.com  
2. Register for a manager company if you haven't already  
3. Go to your user/member's settings of your own account  
4. Go down to Contact details  
5. Right click on your email address >> inspect element  
6. Find the link with <input type="hidden" id="personalEmailHidden" name="personal_email" value=""........  
7. Edit value="" to your new email you want to change to (example: value="karim@karimrahal.com")  
8. Click out of the box and make sure the value was set inside the page via inspect element  
9. Click Save Changes  
10. BamBam! The email has been changed!  
NOTE: An alternative to the inspect element method is tampering the request once clicking save changes and editing the "personal_email" post value inside the post request to the email you want to change to.  
  
  
PoC Video: How Filter Bypass Changed Email  
https://www.youtube.com/watch?v=mDvMCOY4wMc  
  
How This Filter Bypass Lead to full account takeover:  
https://www.youtube.com/watch?v=fiJpqOoYDjs  
  
  
Solution - Fix & Patch:  
=======================  
The bug can be fixed by disallowing the use the hidden function to reset an account without usage of the skype password to confirm.  
  
  
Security Risk:  
==============  
The security risk of the unauthorized email change in the skype manager application is estimated as medium. (CVSS 5.2)   
Changing a Skype users email is leading to a full account takeover finally as far as the conditions do match with the case scenario.  
  
  
Credits & Authors:  
==================  
Karim Rahal [Karim@karimrahal.com / KarimMTV@elitesec.org] - @KarimMTV  
  
  
Disclaimer & Information:  
=========================  
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed   
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable   
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab   
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for   
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,   
policies, deface websites, hack into databases or trade with fraud/stolen material.  
  
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com  
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com  
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact  
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab  
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php  
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/  
  
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to   
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by   
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website   
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact   
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.  
  
Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]™  
  
  
  
--   
VULNERABILITY LABORATORY - RESEARCH TEAM  
SERVICE: www.vulnerability-lab.com  
CONTACT: research@vulnerability-lab.com  
  
`