# Vuln Title: Skype Click to Call Update Service local privilege escalation
# Date: 10.12.2012
# Author: otr
# Software Link: http://www.skype.com
# Vendor: Microsoft Corporation
# Version: <= 6.2.0.106
# Tested on: Windows 7, Windows XP
# Type: Privilege Escalation, DLL Hijacking
#
# CVE : MS does not assign CVE for Skype vulnerabilities
# Risk: Medium
# 
# Status: disclosed

Timeline:

2012-12-10 Flaw Discovered
2013-01-07 Vendor contacted
2013-01-08 Vendor response
2013-02-07 Vendor works on fix
2013-02-11 Vendor provides fix
2013-03-15 Public disclosure

Summary:

The default installation of Skype is vulnerable to a local privilege escalation
attack that allows an unprivileged attacker to execute arbitrary code with NT
AUTHORITY/SYSTEM privileges.

Context:

The Click to Call feature installed together with Skype is run as a service with
SYSTEM privileges on Windows systems. An unprivileged user may use the
c2c_service.exe to elevate his privileges on the system. The Skype Click to Call
Update Service is not always installed by the Skype installer. In particular it
is not installed (and no further option is given to do so) if the user cancels
the installation of Skype and then starts it again (even if the Click to Call
feature was selected the first time the installer was run). This may actually
constitute another bug, though not security relevant. However if the user
installs Skype with all the default options in one run the service usually is
present on the system.

Vulnerability:

The application directory of c2c_service.exe is writable by everybody. As
c2c_service.exe loads various shared libraries in an unsafe way it is prone to a
dll search order hijacking vulnerability (the application tries to load required
dlls from its application directory first). Even without order hijacking it is
possible to load a custom dll into the c2c_service.exe as it searches explicitly
in its own application directory for the file msi.dll and loads it if found.

Depending on the Windows version the Skype C2C Service application directory
differs:

On Windows 7:
C:\ProgramData\Skype\Toolbars\Skype C2C Service

On Windows XP:
C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service

In order to get successful code execution the attacker needs to force the Click
to Call service to be restarted. This can be archieved by rebooting the system.

Exploitation Steps:

Example using a modified msi.dll. In this case msi.dll simply imports another
dll in order to keep the exploit and the payload seperate.

- Modify original msi.dll to import another dll, e.g. payload.dll
  # wine binject  -i msi.dll -m payload.dll -o msi-import-payload.dll
- Create payload.dll file
  # msfpayload windows/adduser D > payload.dll
- Copy modified msi.dll inside the "Skype C2C Service" directory
- Copy payload.dll inside "Skype C2C Service" directory
- Restart Windows
- payload.dll is run with SYSTEM privileges.

Possible Mitigations and Fixes:

- securely load dlls using modified options for LoadLibraryEx (setting
  LOAD_LIBRARY_SEARCH_SYSTEM32 only in dwFlags) by modifying the program
- disable loading msi.dll from the APPLICATION_DIR
- make the "Skype C2C Service" folder is not world-writable
- run the c2c_services.exe with lower privileges
- uninstall the "Skype Click to Call Update Service"

Fix:

This issue was fixed in the February update of Skype by revoking write
permission to the concerned folder.