Microsoft Skype - Login Page API Vulnerability

Type vulnerlab
Reporter Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri
Modified 2012-05-23T00:00:00


Document Title:
Microsoft Skype - Login Page API Vulnerability

References (Source):

MSRC ID: 13166

Release Date:

Vulnerability Laboratory ID (VL-ID):

Common Vulnerability Scoring System:

Product & Service Introduction:
Skype is a software application that allows users to make voice and video calls and chats over the Internet. Calls to other users within the
Skype service are free, while calls to both traditional landline telephones and mobile phones can be made for a fee using a debit-based
user account system. Skype has also become popular for its additional features which include instant messaging, file transfer, and
videoconferencing. Skype has 663 million registered users as of 2010.  The network is operated by Skype Limited, which has its headquarters
in Luxembourg. Most of the development team and 44% of the overall employees of Skype are situated in the offices of Tallinn and Tartu, Estonia.

(Copy of the Vendor Homepage:

Abstract Advisory Information:
The Vulnerability Laboratory Research Team discovered a new persistent software vulnerability in Microsoft's Skype v5.11.0.102 (Windows).

Discovery Status:

Affected Product(s):
Microsoft Corp.
Product: Skype - Software Client

Exploitation Technique:

Severity Level:

Technical Details & Description:
A persistent input validation web vulnerability is located in the official Skype VoIP software v5.11.0.102 (Windows).
The vulnerability allows local attackers to manipulate the index file of the login configuration app, which results in the persistent
execution of malicious script code through the Skype software API context.

The bug occurs when JavaScript onload requests are processed directly in the link of the text context. Manipulations are possible
in the `index.html` file under the software path `C:/ProgramData/Skype/Apps/login`.

The script code executes through the Skype API and is processed out of the software context itself.

The scenario is a local exploitation method to execute script code or to obtain cookies of saved password sessions (save password)
in order to manipulate, infiltrate or observe a VoIP communication via the software. Successful exploitation of the vulnerability
results in manipulation of the Skype software context through the API and in cookie stealing on the local system when a session and
password are saved in the client and have not expired. Exploitation requires local system access or privileged system account access
to manipulate the index.html in the /login application folder.

Vulnerable Module(s):
				[+] Microsoft Skype

Vulnerable Module(s):
				[+] Login (App)

Vulnerable Parameter(s):
				[+] skypeAccount - highlight & useExistingLiveid

Proof of Concept (PoC):
The local input validation vulnerability can be exploited by local attackers with privileged system access or a system account.
For demonstration or to reproduce ...

Review: skypeAccount - highlight & useExistingLiveid

<div class="columnCenter"><h3 class="titleSmall" data-translation-key="conflictOptions">What you can do:</h3>
<div id="conflictOptionsContainer"><ul id="conflictOptions">
<li id="useExistingLiveidOption" class="conflictOption liveidOnly" data-translation-key="useExistingLiveid">
<a href="index.html" id="useExistingLiveid">[PERSISTENT LOCAL INJECTED SCRIPT CODE!]</a> to use the existing merged Skype account <span class="skypeAccount highlight">skype account</span>.</li>

PATH: C:\ProgramData\Skype\Apps\login
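
A defensive check for the tampering described above, as an added example that is not part of the original advisory: it parses a copy of the login app's `index.html` and reports inline event handlers, `javascript:` URLs, and active elements nested inside the `useExistingLiveid` link or its list item. The class and function names, the tag lists, and both sample pages are constructed for illustration; only the element ids come from the excerpt.

```python
from html.parser import HTMLParser

# Element ids copied from the advisory's excerpt of index.html.
WATCHED_IDS = {"useExistingLiveid", "useExistingLiveidOption"}
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "source", "track", "wbr"}
URL_ATTRS = {"href", "src", "action", "formaction"}

class LoginPageAudit(HTMLParser):
    """Collect (line, tag, reason) findings for active content in the page."""
    def __init__(self):
        super().__init__()
        self.findings = []
        self.open_tags = []  # (tag, is_watched) for each open non-void element

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        attrs = [(n, v or "") for n, v in attrs]
        if tag in ACTIVE_TAGS and any(w for _, w in self.open_tags):
            self.findings.append((line, tag, "active element inside watched element"))
        for name, value in attrs:
            if name.startswith("on"):  # onload, onclick, ...
                self.findings.append((line, tag, f"inline handler {name}"))
            compact = "".join(value.lower().split())  # ignore case and whitespace
            if name in URL_ATTRS and compact.startswith("javascript:"):
                self.findings.append((line, tag, f"script URL in {name}"))
        if tag not in VOID_TAGS:
            watched = dict(attrs).get("id", "").strip() in WATCHED_IDS
            self.open_tags.append((tag, watched))

    def handle_endtag(self, tag):
        # Pop back to the nearest matching open tag; tolerates unclosed children.
        for i in range(len(self.open_tags) - 1, -1, -1):
            if self.open_tags[i][0] == tag:
                del self.open_tags[i:]
                break

def audit_login_page(html_text):
    parser = LoginPageAudit()
    parser.feed(html_text)
    parser.close()
    return parser.findings

# Constructed samples modelled on the excerpt; payloads are inert placeholders.
CLEAN = """<ul id="conflictOptions"><li id="useExistingLiveidOption" class="conflictOption liveidOnly">
<a href="index.html" id="useExistingLiveid">Sign in</a> to use the existing merged Skype account
<span class="skypeAccount highlight">skype account</span>.</li></ul>"""
TAMPERED = CLEAN.replace(
    ">Sign in<", ' onload="/*placeholder*/"><script>/*placeholder*/</script>Sign in<')
```

A finding is a prompt to compare the file against a known-good copy from the installer, since the audit cannot tell which active content the vendor shipped.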

Security Risk:
The security risk of the local persistent input validation vulnerability is estimated as medium(-).

Credits & Authors:
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri

Disclaimer & Information:
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either 
expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers 
are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even 
if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation 
of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break 
any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.


Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. Permission to 
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website 
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact 
( or to get a permission.

				Copyright © 2014 | Vulnerability Laboratory [Evolution Security]