<<< Date Index >>>     <<< Thread Index >>>

Skype - URI Handler Command Switch Parsing



========================================================================
= Skype - URI Handler Command Switch Parsing
=
= Vendor Website: 
= http://www.skype.com
=
= Affected Version:
=   Skype for Windows:
=     All releases prior to and including 2.0.*.104
=     Release 2.5.*.0 to and including 2.5.*.78
=
= Public disclosure on May 22, 2006
========================================================================

== Overview ==

During the typical installation of the Windows Skype client, several
URI handlers are installed. This allows for easy access to the Skype
client through various URI types.

Due to a flaw in the handling of one of these types, it is possible to
include additional command line switches to be passed to the Skype
client. One of these switches will initiate a file transfer, sending 
the specified file to an arbitrary Skype user. 

== Exploitation ==

Exploitation occurs when the victim opens the exploit URI in Internet
Explorer. This requires the victim to visit a website under the
attackers
control, or to be convinced into opening a malicious HTML page. Clicking

on a link is not required, as this action can be automated in various 
ways using scripting language.

For the attack to be successful the attacker must know the location
of the requested file on the victims machine. One common target file
would be the victims Skype configuration file.

For the file transfer to succeed the attacker must have authorised
the victim, which can be done by adding the victim to the attackers
contact list. This does not require any authorisation from the 
victim Skype user.

Other Skype command line switches could also be exploited to manipulate
or obtain the Skype users credentials, under similar situations.
 
== Solutions ==

- Install the vendor supplied upgrade
  http://www.skype.com/security/skype-sb-2006-001.html
 
== Credit ==

Discovered and advised to Skype Limited May, 2006 by Brett Moore of
Security-Assessment.com

== About Security-Assessment.com ==

Security-Assessment.com is New Zealand's leading team of Information 
Security consultants specialising in providing high quality Information
Security services to clients throughout Australasia. Our clients range
from small businesses to some of the largest globally recognized
companies.
Security-Assessment.com has no vendor relationships and positions itself
as the only independent security assurance provider in New Zealand.