Document Title:
===============
Skype Manager - (Email Change) Filter Bypass Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1672

MSRC Case 32353 TRK:0001002845


Release Date:
=============
2016-05-09


Vulnerability Laboratory ID (VL-ID):
====================================
1672


Common Vulnerability Scoring System:
====================================
5.2


Product & Service Introduction:
===============================
Skype is a proprietary voice-over-Internet Protocol service and software application originally created in 2003 by Swedish entrepreneur 
Niklas Zennström and his Danish partner Janus Friis. It has been owned by Microsoft since 2011. The service allows users to communicate 
with peers by voice, video, and instant messaging over the Internet. Phone calls may be placed to recipients on the traditional telephone 
networks. Calls to other users within the Skype service are free of charge, while calls to landline telephones and mobile phones are charged 
via a debit-based user account system. Skype has also become popular for its additional features, including file transfer, and videoconferencing. 
Competitors include SIP and H.323-based services, such as Linphone, as well as the Google Talk service, Mumble and Hall.com.

Skype has 663 million registered users as of September 2011. The network is operated by Microsoft, which has its Skype division headquarters 
in Luxembourg. Most of the development team and 44% of the overall employees of the division are situated in Tallinn and Tartu, Estonia.

Unlike most other VoIP services, Skype is a hybrid peer-to-peer and client–server system. It makes use of background processing on computers 
running Skype software. Skype`s original proposed name (Sky Peer-to-Peer) reflects this fact. Some network administrators have banned Skype 
on corporate, government, home, and education networks, citing reasons such as inappropriate usage of resources, excessive bandwidth usage, 
and security concerns.

(Copy of the Vendor Homepage: http://en.wikipedia.org/wiki/Skype)


Abstract Advisory Information:
==============================
An independent vulnerability laboratory researcher discovered a hidden function to change unauthorized email accounts of the official Skype Manager web-application.


Vulnerability Disclosure Timeline:
==================================
2016-01-19: Researcher Notification & Coordination (Karim Rahal)
2016-01-20: Vendor Notification (MSRC - Skype Security Team)
2016-01-28: Vendor Response/Feedback (MSRC - Skype Security Team)
2016-05-05: Vendor Fix/Patch #(Microsoft Skype Developer Team)
2016-05-09: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Microsoft Corporation
Product: Skype Manager - Online Service (Web-Application) 2016 Q1


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Technical Details & Description:
================================
A filter bypass vulnerability has been discovered in the official Microsoft Skype Manager online service web-application.
The vulnerability allows to bypass a secure set filter restriction of the web-application to deny unauthorized 
interaction by criminals on account take-over attacks.

Filter bypass is a vulnerability which performs evasion on a certain filter and bypasses it, in this case it was able to bypass 
the filter which didn`t allow a user/attacker to change his email without entering his password etc.. but with this filter bypass
you can just change ur email simply through being inside the account, you don`t even have to know the account`s password.

This filter bypass is done because there isn`t enough validation/checking inside the API which didn`t check if its his actual email 
or if he can actually change it, in addition, this vulnerability easily allowed Full account Takeover once exploited, simply a 
hacker would hack into an account throgh session but he wouldn`t have full access because he doesn`t have the password, but this 
filter bypass allowed him to change password then send a change password link to the changed email which is his hacking email, 
and then he resets the password and tadaa! he now has full access to the account.

The security risk of the filter bypass vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 5.2. 
Exploitation of the filter and validation web vulnerability requires a low privileged skype user account with restricted access and low user interaction. 
Successful exploitation of the vulnerability results in an account take-over one malicious interaction.


Proof of Concept (PoC):
=======================
The vulnerability can be exploited by remote attackers with low privileged skype web-application user account and low user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability ...
1.  Go to manager.skype.com
2.  Register for a manager company if you haven't already
3.  Go to your user/member's settings of your own account
4.  Go down to Contact details
5.  Right click on your email address >> inspect element
6.  Find the link with <input type="hidden" id="personalEmailHidden" name="personal_email" value=""........
7.  Edit value="" to your new email you want to change to (example: value="karim@karimrahal.com")
8.  Click out of the box and make sure the value was set inside the page via inspect element
9.  Click Save Changes
10. BamBam! The email has been changed!
NOTE: An alternative to the inspect element method is tampering the request once clicking save changes and editing the "personal_email" post value inside the post request to the email you want to change to.


PoC Video: How Filter Bypass Changed Email
https://www.youtube.com/watch?v=mDvMCOY4wMc

How This Filter Bypass Lead to full account takeover:
https://www.youtube.com/watch?v=fiJpqOoYDjs


Solution - Fix & Patch:
=======================
The bug can be fixed by disallowing the use the hidden function to reset an account without usage of the skype password to confirm.


Security Risk:
==============
The security risk of the unauthorized email change  in the skype manager application is estimated as medium. (CVSS 5.2) 
Changing a Skype users email is leading to a full account takeover finally as far as the conditions do match with the case scenario.


Credits & Authors:
==================
Karim Rahal [Karim@karimrahal.com / KarimMTV@elitesec.org] - @KarimMTV


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed 
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable 
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab 
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for 
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, 
policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com     - www.vuln-lab.com                 - www.evolution-sec.com
Contact:    admin@vulnerability-lab.com   - research@vulnerability-lab.com              - admin@evolution-sec.com
Section:    magazine.vulnerability-db.com  - vulnerability-lab.com/contact.php             - evolution-sec.com/contact
Social:      twitter.com/#!/vuln_lab     - facebook.com/VulnerabilityLab              - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php  - vulnerability-lab.com/rss/rss_upcoming.php       - vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php    - vulnerability-lab.com/list-of-bug-bounty-programs.php  - vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to 
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website 
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact 
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

        Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]™



-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com