[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[FD] Skype Manager - (Email Change) Filter Bypass Vulnerability

To: fulldisclosure@xxxxxxxxxxxx
Subject: [FD] Skype Manager - (Email Change) Filter Bypass Vulnerability
From: Vulnerability Lab <research@xxxxxxxxxxxxxxxxxxxxx>
Date: Tue, 10 May 2016 11:11:45 +0200
Document Title:
===============
Skype Manager - (Email Change) Filter Bypass Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1672

MSRC Case 32353 TRK:0001002845


Release Date:
=============
2016-05-09


Vulnerability Laboratory ID (VL-ID):
====================================
1672


Common Vulnerability Scoring System:
====================================
5.2


Product & Service Introduction:
===============================
Skype is a proprietary voice-over-Internet Protocol service and software 
application originally created in 2003 by Swedish entrepreneur 
Niklas Zennström and his Danish partner Janus Friis. It has been owned by 
Microsoft since 2011. The service allows users to communicate 
with peers by voice, video, and instant messaging over the Internet. Phone 
calls may be placed to recipients on the traditional telephone 
networks. Calls to other users within the Skype service are free of charge, 
while calls to landline telephones and mobile phones are charged 
via a debit-based user account system. Skype has also become popular for its 
additional features, including file transfer, and videoconferencing. 
Competitors include SIP and H.323-based services, such as Linphone, as well as 
the Google Talk service, Mumble and Hall.com.

Skype has 663 million registered users as of September 2011. The network is 
operated by Microsoft, which has its Skype division headquarters 
in Luxembourg. Most of the development team and 44% of the overall employees of 
the division are situated in Tallinn and Tartu, Estonia.

Unlike most other VoIP services, Skype is a hybrid peer-to-peer and 
client–server system. It makes use of background processing on computers 
running Skype software. Skype`s original proposed name (Sky Peer-to-Peer) 
reflects this fact. Some network administrators have banned Skype 
on corporate, government, home, and education networks, citing reasons such as 
inappropriate usage of resources, excessive bandwidth usage, 
and security concerns.

(Copy of the Vendor Homepage: http://en.wikipedia.org/wiki/Skype)


Abstract Advisory Information:
==============================
An independent vulnerability laboratory researcher discovered a hidden function 
to change unauthorized email accounts of the official Skype Manager 
web-application.


Vulnerability Disclosure Timeline:
==================================
2016-01-19: Researcher Notification & Coordination (Karim Rahal)
2016-01-20: Vendor Notification (MSRC - Skype Security Team)
2016-01-28: Vendor Response/Feedback (MSRC - Skype Security Team)
2016-05-05: Vendor Fix/Patch #(Microsoft Skype Developer Team)
2016-05-09: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Microsoft Corporation
Product: Skype Manager - Online Service (Web-Application) 2016 Q1


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Technical Details & Description:
================================
A filter bypass vulnerability has been discovered in the official Microsoft 
Skype Manager online service web-application.
The vulnerability allows to bypass a secure set filter restriction of the 
web-application to deny unauthorized 
interaction by criminals on account take-over attacks.

Filter bypass is a vulnerability which performs evasion on a certain filter and 
bypasses it, in this case it was able to bypass 
the filter which didn`t allow a user/attacker to change his email without 
entering his password etc.. but with this filter bypass
you can just change ur email simply through being inside the account, you don`t 
even have to know the account`s password.

This filter bypass is done because there isn`t enough validation/checking 
inside the API which didn`t check if its his actual email 
or if he can actually change it, in addition, this vulnerability easily allowed 
Full account Takeover once exploited, simply a 
hacker would hack into an account throgh session but he wouldn`t have full 
access because he doesn`t have the password, but this 
filter bypass allowed him to change password then send a change password link 
to the changed email which is his hacking email, 
and then he resets the password and tadaa! he now has full access to the 
account.

The security risk of the filter bypass vulnerability is estimated as medium 
with a cvss (common vulnerability scoring system) count of 5.2. 
Exploitation of the filter and validation web vulnerability requires a low 
privileged skype user account with restricted access and low user interaction. 
Successful exploitation of the vulnerability results in an account take-over 
one malicious interaction.


Proof of Concept (PoC):
=======================
The vulnerability can be exploited by remote attackers with low privileged 
skype web-application user account and low user interaction.
For security demonstration or to reproduce the vulnerability follow the 
provided information and steps below to continue.

Manual steps to reproduce the vulnerability ...
1.  Go to manager.skype.com
2.  Register for a manager company if you haven't already
3.  Go to your user/member's settings of your own account
4.  Go down to Contact details
5.  Right click on your email address >> inspect element
6.  Find the link with <input type="hidden" id="personalEmailHidden" 
name="personal_email" value=""........
7.  Edit value="" to your new email you want to change to (example: 
value="karim@xxxxxxxxxxxxxx")
8.  Click out of the box and make sure the value was set inside the page via 
inspect element
9.  Click Save Changes
10. BamBam! The email has been changed!
NOTE: An alternative to the inspect element method is tampering the request 
once clicking save changes and editing the "personal_email" post value inside 
the post request to the email you want to change to.


PoC Video: How Filter Bypass Changed Email
https://www.youtube.com/watch?v=mDvMCOY4wMc

How This Filter Bypass Lead to full account takeover:
https://www.youtube.com/watch?v=fiJpqOoYDjs


Solution - Fix & Patch:
=======================
The bug can be fixed by disallowing the use the hidden function to reset an 
account without usage of the skype password to confirm.


Security Risk:
==============
The security risk of the unauthorized email change  in the skype manager 
application is estimated as medium. (CVSS 5.2) 
Changing a Skype users email is leading to a full account takeover finally as 
far as the conditions do match with the case scenario.


Credits & Authors:
==================
Karim Rahal [Karim@xxxxxxxxxxxxxx / KarimMTV@xxxxxxxxxxxx] - @KarimMTV


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any 
warranty. Vulnerability Lab disclaims all warranties, either expressed 
or implied, including the warranties of merchantability and capability for a 
particular purpose. Vulnerability-Lab or its suppliers are not liable 
in any case of damage, including direct, indirect, incidental, consequential 
loss of business profits or special damages, even if Vulnerability-Lab 
or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for 
consequential or incidental damages so the foregoing limitation may not apply. 
We do not approve or encourage anybody to break any vendor licenses, 
policies, deface websites, hack into databases or trade with fraud/stolen 
material.

Domains:    www.vulnerability-lab.com           - www.vuln-lab.com              
                        - www.evolution-sec.com
Contact:    admin@xxxxxxxxxxxxxxxxxxxxx         - 
research@xxxxxxxxxxxxxxxxxxxxx                        - admin@xxxxxxxxxxxxxxxxx
Section:    magazine.vulnerability-db.com       - 
vulnerability-lab.com/contact.php                     - 
evolution-sec.com/contact
Social:     twitter.com/#!/vuln_lab             - facebook.com/VulnerabilityLab 
                        - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php   - 
vulnerability-lab.com/rss/rss_upcoming.php            - 
vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php    - 
vulnerability-lab.com/list-of-bug-bounty-programs.php - 
vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file 
requires authorization from Vulnerability Laboratory. Permission to 
electronically redistribute this alert in its unmodified form is granted. All 
other rights, including the use of other media, are reserved by 
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, 
advisories, source code, videos and other information on this website 
is trademark of vulnerability-lab team & the specific authors or managers. To 
record, list (feed), modify, use or edit our material contact 
(admin@xxxxxxxxxxxxxxxxxxxxx or research@xxxxxxxxxxxxxxxxxxxxx) to get a 
permission.

                                Copyright © 2016 | Vulnerability Laboratory - 
[Evolution Security GmbH]™



-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@xxxxxxxxxxxxxxxxxxxxx



_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Prev by Date: [FD] t2'16: Call For Papers 2016 (Helsinki, Finland)
Next by Date: [FD] Notes v4.5 iOS - Arbitrary File Upload Vulnerability
Previous by thread: [FD] t2'16: Call For Papers 2016 (Helsinki, Finland)
Next by thread: [FD] Notes v4.5 iOS - Arbitrary File Upload Vulnerability
Index(es):
- Date
- Thread