June 6th, 2008

Skype patches security policy bypassing vulnerability

Posted by Dancho Danchev @ 1:38 am

Categories: Arbitrary Code Execution, Patch Watch, Viruses and Worms, Vulnerability research

Tags: Skype, Instant Messaging, File URI Security Bypass, Security, Cyberthreats, iDefense, Ismael Briones, Dancho Danchev

According to a security bulletin issued two days ago, Skype's latest version fixes a File URI Security Bypass Code Execution vulnerability originally reported by Ismael Briones:

Remote exploitation of a security policy bypass in Skype could allow an attacker to execute arbitrary code in the context of the user.

The “file:” URI handler in Skype performs checks upon the URL to verify that the link does not contain certain file extensions related to executable file formats. If the link is found to contain a blacklisted file extension, a security warning dialog is shown to the user. The following file extensions are checked and considered dangerous by Skype; .ade, .adp, .asd, .bas, .bat, .cab, .chm, .cmd, .com, .cpl, .crt, .dll, .eml, .exe, .hlp, .hta, .inf, .ins, .isp, .js.

Due to improper logic when performing these checks, it is possible to bypass the security warning and execute the program. First of all, checking is performed using a case sensitive comparison. The second flaw in this check is that the blacklist fails to mention all potential executable file formats. By using at least one upper case character, or using an executable file type that is not covered in the list, an attacker can bypass the security warning.

Basically, while a link ending in .exe would trigger the warning about a potentially malicious file, a link ending in .exE would not. Affected are all Skype for Windows clients up to and including 3.8.*.115; the vulnerability is fixed in version 3.8.0.139. How effective is a blacklist of executable file extensions in general? Not as effective as it was a couple of years ago, when end users were simply advised not to click on executable files and to avoid suspicious sites. Nowadays legitimate web sites increasingly serve malware because they are susceptible to SQL injection, and the links to what look like image files that malware distributes over IM networks in order to infect new hosts are nothing more than redirectors to the live exploit URLs.
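To make the two logic flaws concrete, here is an added Python sketch (written for this post, not Skype's own code) of an extension blacklist check that behaves the way the advisory describes, next to a normalised version. The blacklist is the one quoted above; the extra executable extensions, the sample file: URIs, and the additional normalisation steps (percent-decoding the path and dropping the trailing dots and spaces that Win32 strips from file names) are my additions, not things the advisory reports.

```python
"""Extension blacklist check: the advisory's logic beside a hardened version.

Added example for this post, not Skype's code. Sample URIs are constructed.
"""
import ntpath
from urllib.parse import unquote, urlparse

# Extensions the advisory lists as triggering Skype's warning dialog.
SKYPE_BLACKLIST = frozenset({
    ".ade", ".adp", ".asd", ".bas", ".bat", ".cab", ".chm", ".cmd", ".com",
    ".cpl", ".crt", ".dll", ".eml", ".exe", ".hlp", ".hta", ".inf", ".ins",
    ".isp", ".js",
})

# Assumed additions (not from the advisory): other types that Windows or a
# shell handler will execute, none of which the list above covers.
EXTRA_EXECUTABLE = frozenset({
    ".scr", ".pif", ".vbs", ".vbe", ".jse", ".wsf", ".wsh", ".msi", ".msp",
    ".lnk", ".reg", ".ps1",
})

HARDENED_BLACKLIST = SKYPE_BLACKLIST | EXTRA_EXECUTABLE


def vulnerable_warns(uri: str) -> bool:
    """Reproduce the flawed check: exact, case-sensitive match of the raw
    extension in the URI path against the incomplete blacklist."""
    raw_path = urlparse(uri).path
    ext = ntpath.splitext(raw_path)[1]
    return ext in SKYPE_BLACKLIST


def normalised_extension(uri: str) -> str:
    """Extension Windows would actually act on when the link is opened.

    Percent-decodes the path, drops the trailing dots and spaces that Win32
    strips from file names (assumed normalisation, not from the advisory),
    and lower-cases the result so 'evil.exE' and 'evil.ex%65.' both give '.exe'.
    """
    path = unquote(urlparse(uri).path)
    name = ntpath.basename(path).rstrip(". ")
    return ntpath.splitext(name)[1].lower()


def hardened_warns(uri: str) -> bool:
    """Case-insensitive check of the normalised extension against the larger list."""
    return normalised_extension(uri) in HARDENED_BLACKLIST


# Constructed sample links: the first is the only one the original check catches.
SAMPLE_LINKS = [
    "file:///C:/Users/victim/evil.exe",
    "file:///C:/Users/victim/evil.exE",      # case bypass from the advisory
    "file:///C:/Users/victim/evil.scr",      # extension missing from the list
    "file:///C:/Users/victim/evil.exe.",     # Win32 drops the trailing dot
    "file:///C:/Users/victim/evil.ex%65",    # percent-encoded 'e'
    "file:///C:/Users/victim/photo.jpg",     # benign by extension
]


def compare(links=SAMPLE_LINKS) -> dict:
    """Map each link to (original check warns?, hardened check warns?)."""
    return {uri: (vulnerable_warns(uri), hardened_warns(uri)) for uri in links}


if __name__ == "__main__":
    for uri, (old, new) in compare().items():
        print(f"{uri:40} original={old!s:5} hardened={new}")
```

Even the hardened version is still a blacklist: a new executable type, or a handler registered by some third-party application, slips through until someone adds it. The design that does not need constant maintenance is an allowlist of types the client is willing to open without a prompt, with everything else warned on.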

Modern malware authors are also fully aware of the "block executable file extensions" mentality. In fact, the majority of free web hosting services do not allow uploading of executable files, in order to at least theoretically prevent their abuse for hosting and spreading malware. Malware authors adapt by bypassing the block: they host the malware under a .jpg image extension, and it is later saved locally on the infected machine as an executable file. Here's an example of a spoofed executable, festaaqui .com /img/ gmillogof.jpg; despite looking like an image file, 23 out of 32 antivirus scanners already detect its real purpose (TrojanSpy.Banker), which in this case is to steal your e-banking details.

Considering the existence of nasty vulnerabilities that allow code execution while processing malformed image, video or other multimedia files, one should break out of the "dangerous executable file extensions" stereotype and look beyond the file extension.
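To illustrate the "look beyond the file extension" point, here is an added Python sniffer (my example, not code from this post or from any vendor) that decides whether a download is a Windows PE executable by its header rather than by its name, so a trojan served as a .jpg is still recognised. The byte blobs are constructed in-line and are not real files. The check only looks for the DOS "MZ" signature and the "PE" signature at the offset stored in e_lfanew, which is enough to catch the renamed-executable trick but is a format check, not malware detection.

```python
"""Look at file contents, not the extension: PE sniffing for a '.jpg' download.

Added example for this post; not from the post's author. The byte samples
are constructed in-line and are not real files.
"""
import struct

JPEG_MAGIC = b"\xff\xd8\xff"
IMAGE_EXTENSIONS = {"jpg", "jpeg", "gif", "png", "bmp"}


def looks_like_pe(data: bytes) -> bool:
    """True if data carries a Windows PE header: 'MZ' at offset 0 and the
    4-byte 'PE' signature at the offset held in the DOS header's e_lfanew
    field (offset 0x3c)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def looks_like_jpeg(data: bytes) -> bool:
    """True if data starts with the JPEG SOI marker."""
    return data.startswith(JPEG_MAGIC)


def classify(data: bytes) -> str:
    """Content-based type: 'pe', 'jpeg' or 'unknown'. PE is tested first so a
    file that is both (a PE with a JPEG bolted on) is treated as executable."""
    if looks_like_pe(data):
        return "pe"
    if looks_like_jpeg(data):
        return "jpeg"
    return "unknown"


def extension_lies(filename: str, data: bytes) -> bool:
    """True when the name claims an image but the bytes are a PE executable."""
    claimed = filename.lower().rsplit(".", 1)[-1]
    return claimed in IMAGE_EXTENSIONS and looks_like_pe(data)


def _fake_pe() -> bytes:
    """Constructed minimal PE-looking blob: a DOS header whose e_lfanew points
    at a 'PE' signature immediately after it. Not a runnable executable."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # NT headers start at offset 0x40
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 20


FAKE_PE = _fake_pe()
FAKE_JPEG = JPEG_MAGIC + b"\xe0\x00\x10JFIF\x00" + b"\x00" * 16

# Constructed "downloads", keyed by the name they were served under.
SAMPLES = {
    "gmillogof.jpg": FAKE_PE,    # executable hiding behind an image name
    "holiday.jpg": FAKE_JPEG,    # genuine image
    "setup.exe": FAKE_PE,        # executable that admits what it is
}


def scan(samples=SAMPLES) -> dict:
    """Map each name to (content type, extension lies?)."""
    return {name: (classify(data), extension_lies(name, data))
            for name, data in samples.items()}


if __name__ == "__main__":
    for name, (kind, lies) in scan().items():
        print(f"{name:15} content={kind:8} extension_lies={lies}")
```

A downloader that applies a check like this before writing the file to disk, or a proxy that applies it to responses served with an image Content-Type, catches the renamed trojan described above regardless of what the hosting service's upload filter allowed.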

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog. See his full profile and disclosure of his industry affiliations.
