Timeline:
2012-12-10 Flaw Discovered
2013-01-07 Vendor contacted
2013-01-08 Vendor response
2013-02-07 Vendor works on fix
2013-02-11 Vendor provides fix
2013-03-15 Public disclosure
Summary:
The default installation of Skype is vulnerable to a local privilege escalation
attack that allows an unprivileged attacker to execute arbitrary code with NT
AUTHORITY/SYSTEM privileges.
Context:
The Click to Call feature installed together with Skype is run as a service with
SYSTEM privileges on Windows systems. An unprivileged user may use the
c2c_service.exe to elevate his privileges on the system. The Skype Click to Call
Update Service is not always installed by the Skype installer. In particular it
is not installed (and no further option is given to do so) if the user cancels
the installation of Skype and then starts it again (even if the Click to Call
feature was selected the first time the installer was run). This may actually
constitute another bug, though not security relevant. However if the user
installs Skype with all the default options in one run the service usually is
present on the system.
Vulnerability:
The application directory of c2c_service.exe is writable by everybody. As
c2c_service.exe loads various shared libraries in an unsafe way it is prone to a
dll search order hijacking vulnerability (the application tries to load required
dlls from its application directory first). Even without order hijacking it is
possible to load a custom dll into the c2c_service.exe as it searches explicitly
in its own application directory for the file msi.dll and loads it if found.
Depending on the Windows version the Skype C2C Service application directory
differs:
On Windows 7:
C:\ProgramData\Skype\Toolbars\Skype C2C Service
On Windows XP:
C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service
In order to get successful code execution the attacker needs to force the Click
to Call service to be restarted. This can be archieved by rebooting the system.
Exploitation Steps:
Example using a modified msi.dll. In this case msi.dll simply imports another
dll in order to keep the exploit and the payload seperate.
Possible Mitigations and Fixes:
Fix:
This issue was fixed in the February update of Skype by revoking write
permission to the concerned folder.