SkipNavigation
Home | FAQ | Contact | Privacy Policy
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information


 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric
 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips

Vulnerability Note VU#248184

Skype does not properly filter input from external websites

Overview

The Skype client does not properly filter user-supplied input from websites that provide video content to Skype users.

I. Description

Skype is a peer-to-peer application that provides Voice over IP (VoIP) and Instant Messaging services. The Skype client is available for the Microsoft Windows, Apple OS X, and Linux operating systems.

Skype users can include videos from the Dailymotion and other websites in their mood panel. Videos from these websites are also available via the Skype video browser. Skype does not properly filter user-supplied input that is provided from these third-party websites. An attacker may be able to exploit this vulnerability by uploading a specially crafted movie file to a site that provides video content to Skype users.

From SKYPE-SB/2008-001: Skype Cross Zone Scripting Vulnerability:

    Description

    Skype uses Internet Explorer web control to render HTML content. This is used also for providing "add video to mood" and "add video to chat" functionality.

    This is realized over JS/ActiveX interface which allows scripts to be run in Local Zone security context of IE.

    In order to exploit this an attacker must exploit code injection vulnerability at the partner site. Such vulnerability has been discovered in Dailymotion website.

    Discussion

    An attacker who constructs a Title of the video in a specific way can cause arbitrary code to be executed on targets PC.

    For the vulnerability to be triggered, the target must find this video in Skype video gallery browser Dailymotion's section. Watching the video in a Skype chat or in a mood message is safe, as Internet Explorer control is not used.

    The proof of concept has been made public by Aviv Raff and Miroslav Lucinskij.

II. Impact

A remote unauthenticated attacker may be able to execute arbitrary code.

III. Solution

Per SKYPE-SB/2008-001, Skype has temporarily disabled the ability to add videos from the Dailymotion site until an official fix has been made available. Note that the Dailymotion website contained an XSS vulnerability that could be used as an attack vector, and blocking new videos from the Dailymotion website will not completely address this issue.

Include Skype in the Local Machine Zone Lockdown

Configuring Skype to use the Local Machine Zone Lockdown may prevent this vulnerability from being exploited by preventing Skype from evaluating script in the Local Machine Zone. To set Skype in the Local Machine Zone, edit the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LocalMachine_Lockdown registry entry to include the DWORD value Skype.exe and set the Value data to 1. Skype must be completely quit and restarted for the changes to take effect.

Alternatively, the following text can be saved as a .REG file and imported:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LocalMachine_Lockdown]
    "Skype.exe"=dword:00000001

Note that this workaround does not directly address the vulnerability. The workaround may make cause some of Skype's features to fail or to operate with limited functionality.

Systems Affected
VendorStatusDate NotifiedDate Updated
Skype TechnologiesVulnerable22-Jan-2008

References


http://seclists.org/fulldisclosure/2008/Jan/0328.html
http://aviv.raffon.net/2008/01/17/SkypeCrosszoneScriptingVulnerability.aspx
http://www.critical.lt/?opinions/show/1470
http://www.gnucitizen.org/blog/vulnerabilities-in-skype
http://skype.com/security/skype-sb-2008-001.html
http://technet.microsoft.com/en-us/library/bb490630.aspx
http://technet.microsoft.com/en-us/library/bb457150.aspx#EHAA

Credit

This vulnerability was disclosed by Miroslav Lucinskij.

This document was written by Ryan Giobbi.

Other Information

Date Public:2008-01-17
Date First Published:2008-01-22
Date Last Updated:2008-04-29
CERT Advisory: 
CVE-ID(s): 
NVD-ID(s): 
US-CERT Technical Alerts: 
Metric:36.09
Document Revision:43

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Page Corner Image
Produced 2008 by US-CERT, a government organization
Disclaimers and copyright information
Get Adobe Reader Get Adobe Reader