Skype URI Handler Command Switch Parsing Vulnerability

May 22, 2006

During the typical installation of the Windows Skype client, several URI handlers are installed. This allows for easy access to the Skype client through various URI types. Due to a flaw in the handling of one of these types, it is possible to include additional command line switches to be passed to the Skype client. One of these switches will initiate a file transfer, sending the specified file to an arbitrary Skype user.

Exploitation occurs when the victim opens the exploit URI in Internet Explorer. This requires the victim to visit a website under the attacker's control, or to be convinced to open a malicious HTML page. Clicking on a link is not required, as this action can be automated in various ways using a scripting language.

For the attack to be successful, the attacker must know the location of the requested file on the victim's machine. One common target file would be the victim's Skype configuration file.

For the file transfer to succeed, the attacker must have authorised the victim, which can be done by adding the victim to the attacker's contact list. This does not require any authorisation from the victim Skype user.

Other Skype command line switches could also be exploited to manipulate or obtain the Skype user's credentials in similar situations.
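A defensive sketch of the two checks this class of flaw calls for, added here as an example and not taken from the advisory or from Skype: auditing a URI handler's registered command template, and validating the URI inside the handler before it is treated as an argument. The scheme name exampleapp, the install path and /someswitch are constructed placeholders, since the advisory does not name the affected URI type or switches; the scheme is assumed to use the plain scheme:payload form.

```python
import re
from urllib.parse import unquote

# Hypothetical values: the advisory names neither the scheme nor the switches.
SCHEME = "exampleapp"
SWITCH_PREFIXES = ("/", "-")

def template_quotes_uri(template: str) -> bool:
    """True if every %1 in a shell\\open\\command template sits inside double quotes."""
    hits = [m.start() for m in re.finditer("%1", template)]
    return bool(hits) and all(
        i > 0 and template[i - 1] == '"' and template[i + 2:i + 3] == '"'
        for i in hits
    )

def check_uri(uri: str) -> list[str]:
    """Return reasons to refuse the URI; an empty list means it may be processed."""
    scheme, sep, payload = uri.partition(":")
    if not sep or scheme.lower() != SCHEME:
        return ["unexpected scheme"]
    # Decode until stable so nested encodings (%2522 -> %22 -> ") are caught too.
    while (decoded := unquote(payload)) != payload:
        payload = decoded
    problems = []
    if '"' in payload:
        problems.append("double quote can end the quoted argument")
    if re.search(r"[\x00-\x20\x7f]", payload):
        problems.append("whitespace or control character can start a new argument")
    if payload.startswith(SWITCH_PREFIXES):
        problems.append("payload begins like a command line switch")
    return problems

if __name__ == "__main__":
    # Constructed samples, not real handler registrations or real URIs.
    templates = [
        r'"C:\Program Files\ExampleApp\app.exe" "%1"',
        r'C:\Program Files\ExampleApp\app.exe %1',
    ]
    for t in templates:
        print("quoted" if template_quotes_uri(t) else "UNQUOTED", "|", t)
    uris = [
        "exampleapp:alice?call",
        "exampleapp:alice%22%20/someswitch",
        "exampleapp:alice%2522",
        "exampleapp:/someswitch",
    ]
    for u in uris:
        print(u, "->", check_uri(u) or "ok")
```

Quoting the placeholder in the registration is not sufficient on its own, because a quote character carried in the URI can close the argument early; the handler-side check is what refuses it.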

Discovered and advised to Skype Limited in May 2006 by Brett Moore of Security-Assessment.com.
