Re: [FD] Defense in depth -- the Microsoft way (part 51): Skype's home-grown updater allows escalation of privilege to SYSTEM
- From: Jeffrey Walton <noloader AT gmail.com>
- Subject: Re: [FD] Defense in depth -- the Microsoft way (part 51): Skype's home-grown updater allows escalation of privilege to SYSTEM
- Date: Wed, 14 Feb 2018 21:07:46 -0500
- Cc: Full Disclosure List <fulldisclosure AT seclists.org>, BugTraq <bugtraq AT securityfocus.com>
- Reply-to: noloader AT gmail.com
- Sender: "Fulldisclosure" <fulldisclosure-bounces AT seclists.org>
- To: Stefan Kanthak <stefan.kanthak AT nexgo.de>
On Fri, Feb 9, 2018 at 1:01 PM, Stefan Kanthak <stefan.kanthak AT nexgo.de> wrote:
> Hi @ll,
> since about two or three years now, Microsoft offers Skype as
> optional update on Windows/Microsoft Update.
> JFTR: for Microsoft's euphemistic use of "update" see
> Once installed, Skype uses its own proprietary update mechanism
> instead of Windows/Microsoft Update: Skype periodically runs
> under the SYSTEM account.
> When an update is available, Updater.exe copies/extracts another
> executable as "%SystemRoot%\Temp\SKY<abcd>.tmp" and executes it
> using the command line
> "%SystemRoot%\Temp\SKY<abcd>.tmp" /QUIET
> This executable is vulnerable to DLL hijacking: it loads at least
> UXTheme.dll from its application directory %SystemRoot%\Temp\
> instead of from Windows' system directory.
> An unprivileged (local) user who is able to place UXTheme.dll or
> any of the other DLLs loaded by the vulnerable executable in
> %SystemRoot%\Temp\ gains escalation of privilege to the SYSTEM
> The attack vector is well-known and well-documented as CAPEC-471:
> Microsoft published plenty of advice/guidance to avoid this beginner's
> error: <https://msdn.microsoft.com/en-us/library/ff919712.aspx>,
> ... which their own developers and their QA nevertheless seem to ignore!
> See <https://bugs.chromium.org/p/project-zero/issues/detail?id=440>
> for the same vulnerability in another Microsoft product!
Not sure if this is related, but:
Microsoft today squashed a bug that was found in Skype’s updater
process earlier this week. However, it seems the company’s method for
stopping the flaw is to kill off the Skype classic experience. If that
is the case, users of Skype on Windows 7 and Windows 8.1 could lose
access to the service.
As reported on Monday, a security vulnerability could give hackers
access to system-level privileges. If properly exploited, attackers
could use Skype as a backdoor to get full system rights and enter all
areas of an operating system.
In response, Microsoft said it was unable to fix the bug immediately
because it would require a lot of work. Indeed, the company said patching
the flaw would take a massive code rewrite. In other words, Microsoft
would need to overhaul the whole underpinning of the classic Skype
It seems Microsoft found an alternative to rewriting code and fixing
Skype… the company has decided to effectively kill off the classic
app. The older version of Skype is no longer available anywhere as a
Sent through the Full Disclosure mailing list
Web Archives & RSS: http://seclists.org/fulldisclosure/
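The advisory quoted in the thread rests on two preconditions: an unprivileged user can create files in %SystemRoot%\Temp, and an executable run from that directory as SYSTEM resolves DLLs such as UXTheme.dll from its own directory before System32. The following PowerShell audit script is an added example written for this page; it is not part of the advisory, of Skype, or of any Microsoft tooling. It checks whether the directory's ACL grants create-file rights to low-privilege principals and lists any DLLs already sitting there whose names shadow a DLL in System32. The set of "low-privilege" principal names is an assumption chosen for illustration and should be adjusted to the local environment.

```powershell
# Added audit script (not from the advisory or from Skype/Microsoft code).
# Reports the two conditions the advisory relies on:
#   1. can low-privilege principals create files in the directory?
#   2. are there DLLs in the directory that shadow a System32 DLL by name?
param(
    [string]$Directory = (Join-Path $env:SystemRoot 'Temp'),
    [string]$System32  = (Join-Path $env:SystemRoot 'System32')
)

# Assumed list of principals that any local, non-administrative user belongs to.
$lowPrivPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'Everyone'
)

# CreateFiles (== WriteData) is the bit that lets a principal drop a new file;
# Modify and FullControl both include it, so a single -band test covers them.
$createFiles = [System.Security.AccessControl.FileSystemRights]::CreateFiles

$acl = Get-Acl -Path $Directory
$writableBy = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -eq 'Allow' -and
        $lowPrivPrincipals -contains $ace.IdentityReference.Value -and
        (($ace.FileSystemRights -band $createFiles) -ne 0)) {
        $ace.IdentityReference.Value
    }
}

# Build a case-insensitive set of DLL names that live in System32.
$systemDlls = New-Object 'System.Collections.Generic.HashSet[string]' ([System.StringComparer]::OrdinalIgnoreCase)
Get-ChildItem -Path $System32 -Filter '*.dll' -File | ForEach-Object { [void]$systemDlls.Add($_.Name) }

# Any DLL in the audited directory with the same name as a System32 DLL is a
# shadowing candidate; record who owns it and when it was written, since a
# planted file is typically owned by an ordinary user account.
$shadowing = Get-ChildItem -Path $Directory -Filter '*.dll' -File -ErrorAction SilentlyContinue |
    Where-Object { $systemDlls.Contains($_.Name) } |
    Select-Object FullName, Length, LastWriteTime,
        @{ Name = 'Owner'; Expression = { (Get-Acl -Path $_.FullName).Owner } }

[pscustomobject]@{
    Directory              = $Directory
    WritableByLowPrivilege = @($writableBy | Sort-Object -Unique)
    ShadowingDlls          = @($shadowing)
}
```

Run it from an elevated shell so Get-Acl can read the directory and every file's owner. A non-empty WritableByLowPrivilege list confirms the first precondition; a non-empty ShadowingDlls list is worth an immediate look at the file's owner and hash. For ongoing detection rather than a one-off audit, Sysmon's image-load event (Event ID 7) records the loading process, the loaded image path and its signature status, so a rule that matches images loaded from the Temp directory by a SYSTEM process covers the runtime side of the same condition.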