Re: [FD] Defense in depth -- the Microsoft way (part 51): Skype's home-grown updater allows escalation of privilege to SYSTEM

2018-02-27 Thread Stefan Kanthak
"Kevin Beaumont"  wrote:

>I did a fresh install of Win7 Home yesterday and can confirm impacted Skype
> version was offered by Windows Update for install.

Thanks for the confirmation.

See  for my writeup of
Skype's and Microsoft's epic failures in this case, including my reply
to the false statements of Microsoft's Ellen Kilbourne.

Stefan

> On Tue, 20 Feb 2018 at 18:31, Stefan Kanthak 
> wrote:
> 
>> "Jeffrey Walton"  wrote:
>>
>> > On Fri, Feb 9, 2018 at 1:01 PM, Stefan Kanthak 
>> wrote:
>>
>> [ http://seclists.org/fulldisclosure/2018/Feb/33 ]
>>
>> > Not sure if this is related, but:
>> >
>> https://winbuzzer.com/2018/02/14/microsoft-just-killed-skype-classic-response-unfixable-security-bug-xcxwbn/
>>
>> This is of course related: after Zack Whittacker published
>> <
>> https://www.zdnet.com/article/skype-cannot-fix-security-bug-without-a-massive-code-rewrite/
>> >
>> some hundred news outlets, bloggers etc. followed up.
>> Except Zack Whittacker nobody contacted me.
>> Many copied his article, some others added their own and wrong
>> interpretation, even pure fiction, like this "WinBuzz":
>>
>> | Microsoft today squashed a bug that was found in Skype's updater
>> | process earlier this week.
>>
>> Wrong. I reported the vulnerability 5 months ago.
>> And Microsoft WONTFIX this vulnerability in Skype 7.x
>>
>> JFTR: 
>>   also WONTFIX
>>
>> [ pure speculation removed ]
>>
>> | It seems Microsoft found an alternative to rewriting code and fixing
>> | Skype… the company has decided to effectively kill off the classic
>> | app. The older version of Skype is no longer available anywhere as a
>> | download.
>>
>> Really?
>>
>> Microsoft Update still offers the "classic" Skype for Windows alias
>> Skype Desktop Client: on Windows 7 (which still has the largest
>> market share) open Windows' control panel, go to Windows Update,
>> switch to Microsoft Update (if not done before), and find KB2876229
>> "Skype for Windows (7.30.0.101)" beyond the optional updates.
>>
>> For those who don't want to or can not start Microsoft Update:
>> the Microsoft Update Catalog offers this and two older versions too
>> 
>>
>>
>> In  Microsoft states:
>>
>> | Skype releases new versions of Skype for Windows throughout the year.
>> | To help you stay current with new functionality and features of the
>> | Skype experience, Skype is available through Microsoft Update.
>> ...
>> | you will receive the latest version of Skype through Microsoft Update.
>>
>> NO, you DON'T get the latest version of Skype there!
>> And Skype doesn't use Microsoft Update to deliver updates.
>> Microsoft had well over 100 days since they closed MSRC case 40550 to
>> fix this ...
>>
>>
>> stay tuned
>> Stefan Kanthak

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


Re: [FD] Defense in depth -- the Microsoft way (part 51): Skype's home-grown updater allows escalation of privilege to SYSTEM

2018-02-25 Thread Kevin Beaumont
I did a fresh install of Win7 Home yesterday and can confirm impacted Skype
version was offered by Windows Update for install.

Kev

On Tue, 20 Feb 2018 at 18:31, Stefan Kanthak 
wrote:

> "Jeffrey Walton"  wrote:
>
> > On Fri, Feb 9, 2018 at 1:01 PM, Stefan Kanthak 
> wrote:
>
> [ http://seclists.org/fulldisclosure/2018/Feb/33 ]
>
> > Not sure if this is related, but:
> >
> https://winbuzzer.com/2018/02/14/microsoft-just-killed-skype-classic-response-unfixable-security-bug-xcxwbn/
>
> This is of course related: after Zack Whittacker published
> <
> https://www.zdnet.com/article/skype-cannot-fix-security-bug-without-a-massive-code-rewrite/
> >
> some hundred news outlets, bloggers etc. followed up.
> Except Zack Whittacker nobody contacted me.
> Many copied his article, some others added their own and wrong
> interpretation, even pure fiction, like this "WinBuzz":
>
> | Microsoft today squashed a bug that was found in Skype's updater
> | process earlier this week.
>
> Wrong. I reported the vulnerability 5 months ago.
> And Microsoft WONTFIX this vulnerability in Skype 7.x
>
> JFTR: 
>   also WONTFIX
>
> [ pure speculation removed ]
>
> | It seems Microsoft found an alternative to rewriting code and fixing
> | Skype… the company has decided to effectively kill off the classic
> | app. The older version of Skype is no longer available anywhere as a
> | download.
>
> Really?
>
> Microsoft Update still offers the "classic" Skype for Windows alias
> Skype Desktop Client: on Windows 7 (which still has the largest
> market share) open Windows' control panel, go to Windows Update,
> switch to Microsoft Update (if not done before), and find KB2876229
> "Skype for Windows (7.30.0.101)" beyond the optional updates.
>
> For those who don't want to or can not start Microsoft Update:
> the Microsoft Update Catalog offers this and two older versions too
> 
>
>
> In  Microsoft states:
>
> | Skype releases new versions of Skype for Windows throughout the year.
> | To help you stay current with new functionality and features of the
> | Skype experience, Skype is available through Microsoft Update.
> ...
> | you will receive the latest version of Skype through Microsoft Update.
>
> NO, you DON'T get the latest version of Skype there!
> And Skype doesn't use Microsoft Update to deliver updates.
> Microsoft had well over 100 days since they closed MSRC case 40550 to
> fix this ...
>
>
> stay tuned
> Stefan Kanthak
>



Re: [FD] Defense in depth -- the Microsoft way (part 51): Skype's home-grown updater allows escalation of privilege to SYSTEM

2018-02-20 Thread Stefan Kanthak
"Jeffrey Walton"  wrote:

> On Fri, Feb 9, 2018 at 1:01 PM, Stefan Kanthak  
> wrote:

[ http://seclists.org/fulldisclosure/2018/Feb/33 ]

> Not sure if this is related, but:
> https://winbuzzer.com/2018/02/14/microsoft-just-killed-skype-classic-response-unfixable-security-bug-xcxwbn/

This is of course related: after Zack Whittacker published

some hundred news outlets, bloggers etc. followed up.
Except Zack Whittacker nobody contacted me.
Many copied his article, some others added their own and wrong
interpretation, even pure fiction, like this "WinBuzz":

| Microsoft today squashed a bug that was found in Skype's updater
| process earlier this week.

Wrong. I reported the vulnerability 5 months ago.
And Microsoft WONTFIX this vulnerability in Skype 7.x

JFTR: 
  also WONTFIX

[ pure speculation removed ]

| It seems Microsoft found an alternative to rewriting code and fixing
| Skype… the company has decided to effectively kill off the classic
| app. The older version of Skype is no longer available anywhere as a
| download.

Really?

Microsoft Update still offers the "classic" Skype for Windows alias
Skype Desktop Client: on Windows 7 (which still has the largest
market share) open Windows' control panel, go to Windows Update,
switch to Microsoft Update (if not done before), and find KB2876229
"Skype for Windows (7.30.0.101)" beyond the optional updates.

For those who don't want to or can not start Microsoft Update:
the Microsoft Update Catalog offers this and two older versions too



In  Microsoft states:

| Skype releases new versions of Skype for Windows throughout the year.
| To help you stay current with new functionality and features of the
| Skype experience, Skype is available through Microsoft Update.
...
| you will receive the latest version of Skype through Microsoft Update.

NO, you DON'T get the latest version of Skype there!
And Skype doesn't use Microsoft Update to deliver updates.
Microsoft had well over 100 days since they closed MSRC case 40550 to
fix this ...


stay tuned
Stefan Kanthak



Re: [FD] Defense in depth -- the Microsoft way (part 51): Skype's home-grown updater allows escalation of privilege to SYSTEM

2018-02-16 Thread Jeffrey Walton
On Fri, Feb 9, 2018 at 1:01 PM, Stefan Kanthak  wrote:
> Hi @ll,
>
> since about two or three years now, Microsoft offers Skype as
> optional update on Windows/Microsoft Update.
>
> JFTR: for Microsoft's euphemistic use of "update" see
>   
>
> Once installed, Skype uses its own proprietary update mechanism
> instead of Windows/Microsoft Update: Skype periodically runs
> "%ProgramFiles%\Skype\Updater\Updater.exe"
> under the SYSTEM account.
> When an update is available, Updater.exe copies/extracts another
> executable as "%SystemRoot%\Temp\SKY.tmp" and executes it
> using the command line
> "%SystemRoot%\Temp\SKY.tmp" /QUIET
>
> This executable is vulnerable to DLL hijacking: it loads at least
> UXTheme.dll from its application directory %SystemRoot%\Temp\
> instead of from Windows' system directory.
>
> An unprivileged (local) user who is able to place UXTheme.dll or
> any of the other DLLs loaded by the vulnerable executable in
> %SystemRoot%\Temp\ gains escalation of privilege to the SYSTEM
> account.
>
>
> The attack vector is well-known and well-documented as CAPEC-471:
> 
>
> Microsoft published plenty of advice/guidance to avoid this beginner's
> error: ,
> ,
> 
> and
> 
> ... which their own developers and their QA nevertheless seem to ignore!
>
> See 
> for the same vulnerability in another Microsoft product!

Not sure if this is related, but:
https://winbuzzer.com/2018/02/14/microsoft-just-killed-skype-classic-response-unfixable-security-bug-xcxwbn/

Microsoft today squashed a bug that was found in Skype’s updater
process earlier this week. However, it seems the company’s method for
stopping the flaw is to kill off the Skype classic experience. If that
is the case, users of Skype on Windows 7 and Windows 8.1 could lose
access to the service.

As reported on Monday, a security vulnerability could give hackers
access to system-level privileges. If properly exploited, attackers
could use Skype as a backdoor to get full system rights and enter all
areas of an operating system.

In response, Microsoft said it was unable to fix the bug immediately
because it would require a lot of work. Indeed, the company said patch
the flaw would take a massive code rewrite. In other words, Microsoft
would need to overhaul the whole underpinning of the classic Skype
program.

It seems Microsoft found an alternative to rewriting code and fixing
Skype… the company has decided to effectively kill off the classic
app. The older version of Skype is no longer available anywhere as a
download.
...


[FD] Defense in depth -- the Microsoft way (part 51): Skype's home-grown updater allows escalation of privilege to SYSTEM

2018-02-09 Thread Stefan Kanthak
Hi @ll,

since about two or three years now, Microsoft offers Skype as
optional update on Windows/Microsoft Update.

JFTR: for Microsoft's euphemistic use of "update" see
  

Once installed, Skype uses its own proprietary update mechanism
instead of Windows/Microsoft Update: Skype periodically runs
"%ProgramFiles%\Skype\Updater\Updater.exe"
under the SYSTEM account.
When an update is available, Updater.exe copies/extracts another
executable as "%SystemRoot%\Temp\SKY.tmp" and executes it
using the command line
"%SystemRoot%\Temp\SKY.tmp" /QUIET

This executable is vulnerable to DLL hijacking: it loads at least
UXTheme.dll from its application directory %SystemRoot%\Temp\
instead of from Windows' system directory.

An unprivileged (local) user who is able to place UXTheme.dll or
any of the other DLLs loaded by the vulnerable executable in
%SystemRoot%\Temp\ gains escalation of privilege to the SYSTEM
account.


The attack vector is well-known and well-documented as CAPEC-471:


Microsoft published plenty of advice/guidance to avoid this beginner's
error: ,
,

and

... which their own developers and their QA nevertheless seem to ignore!


See 
for the same vulnerability in another Microsoft product!


stay tuned
Stefan Kanthak


Timeline:
~~~~~~~~~

2017-09-02    vulnerability report sent to vendor

2017-09-03    reply from vendor: "MSRC case 40550 opened"

2017-09-06    notification from vendor's case manager: "report passed
              to product group for investigation"

2017-10-27    reply from vendor's case manager:

              "The engineers provided me with an update on this case.
               They've reviewed the code and were able to reproduce
               the issue, but have determined that the fix will be
               implemented in a newer version of the product rather
               than a security update. The team is planning on shipping
               a newer version of the client, and this current version
               will slowly be deprecated. The installer would need a
               large code revision to prevent DLL injection, but all
               resources have been put toward development of the new
               client."

2018-02-09    report published

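The following audit script is an added example for this thread; it is neither Stefan Kanthak's code nor anything shipped by Microsoft or Skype. It checks, read-only, the preconditions the advisory above describes (Updater.exe present, %SystemRoot%\Temp writable by low-privileged principals, a DLL already planted there) and, for the Feb 20 message, whether Microsoft Update still offers KB2876229. Assumptions not taken from the thread: the %ProgramFiles(x86)% path for 32-bit Skype on 64-bit Windows, the use of the Windows Update Agent COM API with the Microsoft Update service ID 7971f918-a847-4430-9279-4a52d1efe18d, and the choice of Everyone / Authenticated Users / Users / Anonymous as the "unprivileged" principals.

```powershell
# Added audit script; not part of the advisory and not Microsoft's or Skype's code.
# It checks, read-only, the preconditions the advisory describes:
#   1. Skype 7.x's Updater.exe is present (path as in the advisory; checking
#      %ProgramFiles(x86)% as well is an assumption for 64-bit Windows),
#   2. %SystemRoot%\Temp lets low-privileged principals create files,
#   3. a DLL (e.g. UXTheme.dll) is already sitting in %SystemRoot%\Temp,
#   4. Microsoft Update still offers KB2876229 "Skype for Windows".
# Run in an elevated PowerShell (2.0 or later) on the audited host.

function Get-SkypeUpdaterInfo {
    $candidates = @(Join-Path $env:ProgramFiles 'Skype\Updater\Updater.exe')
    if (${env:ProgramFiles(x86)}) {   # assumption: 32-bit Skype on 64-bit Windows
        $candidates += Join-Path ${env:ProgramFiles(x86)} 'Skype\Updater\Updater.exe'
    }
    foreach ($path in $candidates) {
        if (Test-Path -LiteralPath $path) {
            $vi = (Get-Item -LiteralPath $path).VersionInfo
            New-Object PSObject -Property @{
                Path = $path; FileVersion = $vi.FileVersion; ProductName = $vi.ProductName
            }
        }
    }
}

function Get-TempWriteGrants {
    # Allow-ACEs on %SystemRoot%\Temp that let an unprivileged user create files.
    # Deny-ACEs are not evaluated here; review the full ACL if any are present.
    $temp = Join-Path $env:SystemRoot 'Temp'
    $lowPriv = @{ 'S-1-1-0' = 'Everyone'; 'S-1-5-11' = 'Authenticated Users';
                  'S-1-5-32-545' = 'Users'; 'S-1-5-7' = 'Anonymous' }
    $create = [System.Security.AccessControl.FileSystemRights]::CreateFiles
    $acl = Get-Acl -LiteralPath $temp
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        $sid = $rule.IdentityReference.Value
        if ($lowPriv.ContainsKey($sid) -and
            $rule.AccessControlType -eq 'Allow' -and
            (([int]$rule.FileSystemRights) -band ([int]$create)) -ne 0) {
            New-Object PSObject -Property @{
                Principal = $lowPriv[$sid]; Rights = $rule.FileSystemRights; Inherited = $rule.IsInherited
            }
        }
    }
}

function Get-DllsInTemp {
    # Any DLL in %SystemRoot%\Temp is suspicious: nothing legitimate ships there,
    # and SKY.tmp would resolve e.g. UXTheme.dll from this directory first.
    $temp = Join-Path $env:SystemRoot 'Temp'
    Get-ChildItem -LiteralPath $temp -Filter '*.dll' -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Name = $_.Name; Bytes = $_.Length; LastWrite = $_.LastWriteTime
                Owner = (Get-Acl -LiteralPath $_.FullName).Owner
                Signature = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
            }
        }
}

function Test-KB2876229Offered {
    # Assumption: Windows Update Agent COM API. The host must already be opted in
    # to Microsoft Update (the advisory's "switch to Microsoft Update"); otherwise
    # Search() fails for the Microsoft Update service ID below.
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    $searcher.ServerSelection = 3                                    # ssOthers
    $searcher.ServiceID = '7971f918-a847-4430-9279-4a52d1efe18d'     # Microsoft Update
    try { $result = $searcher.Search("IsInstalled=0 and Type='Software'") }
    catch { Write-Warning "Microsoft Update search failed: $($_.Exception.Message)"; return $null }
    foreach ($update in $result.Updates) {
        foreach ($kb in $update.KBArticleIDs) {
            if ($kb -eq '2876229') { return $update.Title }
        }
    }
    return $null
}

# Report
$updater = @(Get-SkypeUpdaterInfo)
if ($updater.Count -eq 0) { 'Skype Updater.exe not found.' } else { $updater | Format-List }
'Low-privileged principals allowed to create files in %SystemRoot%\Temp:'
Get-TempWriteGrants | Format-Table -AutoSize
'DLLs currently present in %SystemRoot%\Temp:'
Get-DllsInTemp | Format-Table -AutoSize
$offered = Test-KB2876229Offered
if ($offered) { "Microsoft Update still offers: $offered" } else { 'KB2876229 not offered (or search unavailable).' }
```

A host where Updater.exe is present, Users or Authenticated Users hold CreateFiles on %SystemRoot%\Temp, and Skype's updater still runs as SYSTEM has every precondition the advisory lists; a DLL already in that directory, unsigned or owned by a non-administrator account, is the thing to pull for forensics rather than delete. The Microsoft Update check only reports what is offered, not what is installed, and returns nothing on hosts that never opted in to Microsoft Update.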