[NT] Skype File URI Security Bypass Code Execution Vulnerability
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 9 Jun 2008 09:56:09 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
- - - - - - - - -
Skype File URI Security Bypass Code Execution Vulnerability
Skype is "a freely available VOIP client that allows access to chat and
video conference with other Skype users and traditional telephone
numbers". Remote exploitation of a security policy bypass in Skype could
allow an attacker to execute arbitrary code in the context of the user.
* Skype version 18.104.22.168
* Skype version 22.214.171.124
The "file:" URI handler in Skype performs checks upon the URL to verify
that the link does not contain certain file extensions related to
executable file formats. If the link is found to contain a blacklisted
file extension, a security warning dialog is shown to the user. The
following file extensions are checked and considered dangerous by Skype;
ade, .adp, .asd, .bas, .bat, .cab, .chm, .cmd, .com, .cpl, .crt, .dll,
eml, .exe, .hlp, .hta, .inf, .ins, .isp, .js.
Due to improper logic when performing these checks, it is possible to
bypass the security warning and execute the program. First of all,
checking is performed using a case sensitive comparison. The second flaw
in this check is that the blacklist fails to mention all potential
executable file formats. By using at least one upper case character, or
using an executable file type that is not covered in the list, an attacker
can bypass the security warning.
Exploitation of this issue allows an attacker to execute arbitrary code on
the targeted user's machine. An attacker would need to persuade a targeted
user to click a "file:" URI pointing to a malicious executable.
Skype has addressed this vulnerability by releasing version 126.96.36.199. For
more information consult their advisory at the following URL.
05/16/2008 - Initial vendor notification
05/17/2008 - Initial vendor response
06/04/2008 - Coordinated public disclosure
The information has been provided by
<mailto:idlabs-advisories@xxxxxxxxxxxx> iDefense Labs Security Advisories.
The original article can be found at:
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Prev by Date: [UNIX] VMware Multiple Products vmware-authd Untrusted Library Loading Vulnerability
- Next by Date: [NT] CA Secure Content Manager HTTP Gateway Service FTP Request Vulnerabilities
- Previous by thread: [UNIX] VMware Multiple Products vmware-authd Untrusted Library Loading Vulnerability
- Next by thread: [NT] CA Secure Content Manager HTTP Gateway Service FTP Request Vulnerabilities