Executive Summary

Summary
Title: SkypeFind fails to properly sanitize user-supplied input
Information
Name: VU#794236
First vendor publication: 2008-02-13
Vendor: VU-CERT
Last vendor modification: 2008-02-13
Severity (vendor): N/A
Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS score: NA
Base score: NA
Environmental score: NA
Impact subscore: NA
Temporal score: NA
Exploitability subscore: NA

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSS base score: 4.3
CVSS impact score: 2.9
CVSS exploit score: 8.6
Attack range: Network
Attack complexity: Medium
Authentication: None required

Detail

Vulnerability Note VU#794236

SkypeFind fails to properly sanitize user-supplied input

Overview

The Skype client does not properly filter user-supplied input that was received from the SkypeFind service. This vulnerability may allow an attacker to execute arbitrary code.

I. Description

Skype is a peer-to-peer application that provides Voice over IP (VoIP) and Instant Messaging services. The Skype client is available for the Microsoft Windows, Apple OS X and Linux operating systems. SkypeFind allows users to review businesses. These reviews are viewable by others.

Skype does not properly filter input that was supplied to the SkypeFind full name field. An attacker may be able to exploit this vulnerability by injecting script into the full name field. When a user viewed the specially crafted SkypeFind profile, the script would be run in the Internet Explorer Local Machine Zone.

II. Impact

As explained in VU#248184, because the user-supplied script runs in the Local Machine Zone, a remote unauthenticated attacker may be able to execute arbitrary code.

III. Solution

Skype has addressed this issue by filtering input supplied to the SkypeFind service.

Restrict access to the Skype URI

Blocking the skype: URI handler by using proxy servers or application firewalls may prevent some remote vulnerabilities in Skype from being exploited without user interaction.
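
As an added illustration of the workaround above (not code from CERT or Skype), the following Python sketch shows the kind of check a filtering proxy could apply to HTML it relays: it reports every URL-bearing attribute whose scheme resolves to skype: once entities, case and embedded whitespace are normalized. The function names, the attribute list and the sample page are assumptions made for this example.

```python
import re
from html.parser import HTMLParser

BLOCKED_SCHEME = "skype"
# Attributes that can make a client load or navigate to a URL (assumed list).
URL_ATTRS = {"href", "src", "action", "data"}

def url_scheme(value):
    """Return the lowercased scheme as a lenient URL parser would read it."""
    # URL parsers commonly drop tab/CR/LF anywhere and leading control/space.
    cleaned = re.sub(r"[\t\r\n]", "", value)
    cleaned = re.sub(r"^[\x00-\x20]+", "", cleaned)
    m = re.match(r"([A-Za-z][A-Za-z0-9+.\-]*):", cleaned)
    return m.group(1).lower() if m else None

class SkypeUriFinder(HTMLParser):
    """Collects (tag, attribute, decoded value) for every skype: URI found."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hits = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases names and decodes entities in attribute values.
        refresh = (dict(attrs).get("http-equiv") or "").lower() == "refresh"
        for name, value in attrs:
            if value is None:
                continue
            if tag == "meta" and name == "content" and refresh:
                # <meta http-equiv="refresh" content="0; url=...">
                m = re.search(r"url\s*=\s*['\"]?(.*)", value, re.I | re.S)
                value = m.group(1) if m else ""
            elif name not in URL_ATTRS:
                continue
            if url_scheme(value) == BLOCKED_SCHEME:
                self.hits.append((tag, name, value))

def find_skype_uris(html_text):
    finder = SkypeUriFinder()
    finder.feed(html_text)
    finder.close()
    return finder.hits

# Constructed sample page (not captured traffic).
SAMPLE = """<html><body>
<a href="http://www.skype.com/help/guides/skypefind.html">guide</a>
<iframe src="skype:?skypefind"></iframe>
<a href="&#115;kype:?skypefind">x</a>
<a href=" SKY&#x09;PE:?skypefind">y</a>
<meta http-equiv="refresh" content="0; url=skype:?skypefind">
<p>The text skype: in a paragraph is not a link.</p>
</body></html>"""
```

A check like this only sees HTML that actually passes through the proxy in cleartext, which is consistent with the advisory's wording that blocking "may prevent some" remote vulnerabilities from being exploited.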

Systems Affected

Vendor               Status       Date Updated
Skype Technologies   Vulnerable   6-Feb-2008

References


http://aviv.raffon.net/2008/01/31/AttackersCanSkypeFindYou.aspx
http://msdn2.microsoft.com/en-us/library/ms537183.aspx#local
http://www.skype.com/help/guides/skypefind.html
http://www.kb.cert.org/vuls/id/248184

Credit

This vulnerability was made public by Aviv Raff.

This document was written by Ryan Giobbi.

Other Information

Date Public: 01/31/2008
Date First Published: 02/13/2008 11:03:33 AM
Date Last Updated: 02/13/2008
CERT Advisory:
CVE Name: CVE-2008-0582; CVE-2008-0583
US-CERT Technical Alerts:
Metric: 0.00
Document Revision: 38

Original Source

Url : http://www.kb.cert.org/vuls/id/794236

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-94 Failure to Control Generation of Code ('Code Injection')

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:26506
 
Oval ID: oval:org.mitre.oval:def:26506
Title: Cross-zone scripting vulnerability
Description: Cross-zone scripting vulnerability in the Internet Explorer web control in Skype 3.1 through 3.6.0.244 on Windows allows remote attackers to inject arbitrary web script or HTML in the Local Machine Zone via the Full Name field of a reviewer of a business item entry, accessible through (1) the SkypeFind dialog and (2) a skype:?skypefind URI for the skype: URI handler.
Family: windows Class: vulnerability
Reference(s): CVE-2008-0582
Version: 3
Platform(s): Microsoft Windows 2000
Microsoft Windows 7
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Vista
Microsoft Windows XP
Microsoft Windows 8
Microsoft Windows 8.1
Product(s): Skype
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26528
 
Oval ID: oval:org.mitre.oval:def:26528
Title: Cross-zone scripting vulnerability
Description: Cross-zone scripting vulnerability in the Internet Explorer web control in Skype 3.6.0.244, and earlier 3.5.x and 3.6.x versions, on Windows allows user-assisted remote attackers to inject arbitrary web script or HTML in the Local Machine Zone via the Description and unspecified other metadata fields of a Metacafe movie submitted by Metacafe Pro to the Skype video gallery, accessible through a search within the (1) "Add video to chat" or (2) "Add video to mood" dialog, a different vector than CVE-2008-0454.
Family: windows Class: vulnerability
Reference(s): CVE-2008-0583
Version: 3
Platform(s): Microsoft Windows 2000
Microsoft Windows 7
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Vista
Microsoft Windows XP
Microsoft Windows 8
Microsoft Windows 8.1
Product(s): Skype
Definition Synopsis:

CPE : Common Platform Enumeration

Type          Description   Count
Application                 7

Open Source Vulnerability Database (OSVDB)

Id Description
42868 Skype Metacafe Pro Gallery Submitted Movie Multiple Field Cross-zone Scripting

42865 Skype Business Item Entry Reviewer Full Name Field Cross-zone Scripting

Nessus® Vulnerability Scanner

Date Description
2008-02-07 Name : The remote Skype client is affected by a remote code execution issue through ...
File : skype_2008_001.nasl - Type : ACT_GATHER_INFO

Alert History

Date Information
2013-05-11 00:57:23
  • Multiple Updates