In this Section

Security Advisory – Microsoft Skype for Business 2016 Unauthorised Script Execution Vulnerability

pdf_symbol

Sense of Security – Security Advisory – SOS-15-005.

Release Date. 20-Nov- 2015
Last Update.
Vendor Notification Date. 30-Sep-2015
Products. Microsoft Skype for Business 2016 Server
Microsoft Skype for Business 2016 Clients
Microsoft Lync 2013 Server
Microsoft Lync 2013 Clients
Microsoft Lync 2010 Server
Microsoft Lync 2010 Clients
Microsoft Lync Room System
Affected versions. All versions
Severity Rating. High
Impact. Security bypass
Manipulation of data
Cross-site scripting
Information disclosure
Attack Vector. Remote with authentication
Remote without authentication through federations,meetings and SIP gateways connected
Solution Status. Vendor patch
CVE reference. CVE-2015-6061:


Details.

The Microsoft Skype for Business (a.k.a Lync) product family provides corporate communications infrastructure, cloud services and clients for enterprise companies. It supports Instant Messaging (IM), SIP/SIPE and XMPP services for traditional calls, instant messaging, meetings and productive sharing such as file, desktop or presentation sharing. Current versions of these products are vulnerable to content manipulation, multiple Cross-Site Scripting (XSS) injections and URL filter bypass vulnerabilities. The vulnerabilities below allow authenticated attackers to inject malicious content in the IM messages and SIP INVITE requests that are delivered through the MS Lync, Skype for Business or Office 365 platforms. They can be also be exploited through federated  connections, meeting requests, SIP trunks and PSTN gateways without authentication. Malformed IM messages or SIP INVITE requests can be used to compromise multiple clients without user interaction. Exploitation vectors of these vulnerabilities depend on the corporate communication design and implementation.

Clients of the federations connected, public meeting invitation requests, open meetings, bulk IM messages and SIP trust relationships can be used for mass compromise attacks.

1. Microsoft Skype for Business 2016 Server – IM URL filter bypass using content obfuscation Microsoft Skype for Business server has a security mitigation known as IM URL filter which is disabled by default. This feature can be enabled by administrators to avoid URL injections in IM messages such as call, HTTPS and SIP URLs. Attackers can bypass the IM URL filter using JavaScript content or content obfuscation. This allows attackers to inject valid URLs to the IM sessions for phishing or social engineering attacks.

2. Microsoft Skype for Business 2016 Client – Unauthorised execution of HTML/JavaScript in SIP MESSAGE requests The Microsoft Skype for Business 2016 client uses the lynchtmlconv.exe component for HTML based IM sessions. Lynchtmlconv.exe allows attackers to execute HTML and JavaScript content in the IM context without user interaction. Attackers can invite a victim user to an IM session using a SIP INVITE request. Even if the victim user does not answer that invitation; attackers can send another SIP MESSAGE which contains malicious JavaScript content in the same context. Lynchtmlconv.exe parses and executes JavaScript in the message without user interaction or approval.

Attackers can use this vulnerability to open a malicious web page using the default browser, to execute a browser exploit, to open another IM session with someone else, or to trigger other URIs defined on the client’s system for another application.

3. Microsoft Skype for Business 2016 Client – Unauthorised execution of the HTML/JavaScript in SIP INVITE requests The Microsoft Skype for Business 2016 client uses the lynchtmlconv.exe component for HTML based IM sessions, but it is also used for HTML based INVITE request subjects. Lynchtmlconv.exe allows attackers to execute HTML and JavaScript content in the SIP INVITE header without user interaction. Attackers can invite a victim user to an IM session using a malicious SIP INVITE request. It is irrelevant whether the victim user accepts the invitation or not, the malicious content will be executed. The INVITE subject is a header that contains the malicious content, and it can also be forwarded by the SIP trunks or proxies. Attackers can use this vulnerability to open a malicious web page using the default browser, to execute a browser exploit, to open another IM session with someone else, or to trigger other URIs defined on the client’s system for another application.

 

Exploits.

1. IM URL filter bypass:

<script>var u1=“ht”; u2=“tp”; u3=“://”;o=“w”; k=“.”; i=““;
u4=i.concat(o,o,o,k);
window.location=u1+u2+u3+u4+”senseofsecurity.com”</script>

2. SIP MESSAGE content:

<script>window.location=””
</script>

3. SIP INVITE header:

Ms-IM-Format:  text/html;  charset=UTF-8;  ms-
body=PHNjcmlwdD53aW5kb3cubG9jYXRpb249Imh0dHA6Ly93d3cuc2Vuc2
VvZnNlY3VyaXR5LmNvbS5hdSI8L3NjcmlwdD4K

 

Solution.

Install the security patches released by Microsoft and follow the instructions

contained in the security advisory below.

Microsoft Security Bulletin MS15-123 – Important Security Update for Skype for Business and Microsoft Lync to Address Information Disclosure (3105872)

https://technet.microsoft.com/library/security/ms15-123

 

Discovered by.

Fatih Ozavci from Sense of Security Labs.

 

Tool.

Viproxy-2.0

 

Presentation.

Black Hat Europe – VoIP Wars: Destroying Jar Jar Lync