So for those of you who don't have your ear on the #skype4B hashtag on Twitter (and you should), nyxgeek released an exploit for the Skype4B 2016 and Lync 2013/Skype4B 2015 Click-to-Run client that uses XSS to open a remote website on the receiving user's machine without any user interaction.
On the surface that sounds quite simple, but combined with other exploits it could be used to quickly infect an otherwise protected machine.
This is an interesting exploit because Skype4B bypasses your organisation's mail filtering, and therefore any URL parsing the mail filter does, enabling an attacker to send the user to a drive-by download website and infect them with something like CryptoLocker.
The exploit requires a few things:
- The attacker needs access to a publicly trusted Skype4B or Lync deployment on their PC with the Lync SDK installed (or one privately federated with your company).
- The victim must be running the Skype4B Click-to-Run client at version 16.0.7830.1018 (32-bit) or 16.0.7927.1020 (64-bit) or lower.
- The attacker and victim must be able to communicate, either via the same deployment or via federation.
- The user needs to be online to receive the message, but does not need to accept it.
The attacker then sends a specially crafted IM with script code embedded in it that executes on the victim's machine.
The victim won't see the embedded code, but they will see the other parts of the message from a contact they don't know.
The Skype4B client then blindly executes the code; this could open the default browser and send them to a URL (as I do below) or invoke any URI handler registered on the user's machine.
Microsoft fixed this issue on 6/14/2017, and more information is available from them directly at the following link.
According to the Microsoft Security Guidance Portal and the release notes of the MSI patches, this only affects Office 365 Click-to-Run (C2R) clients.
In short, ensure your company has at least security updates enabled in your Office 365 deployment. The fix is in all release streams; for more information on the Office 365 release streams, go here.
The steps to recreate this are quite simple:
Download the Lync 2013 SDK.
If you're using the Skype for Business 2016 client, use the following registry entry to trick the SDK into installing:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\15.0\Lync]
"InstallationDirectory"=""
If you don't have Visual Studio installed, use your favourite compression tool to extract the Lync SDK download.
Follow the bouncing ball and install the SDKs.
Depending on your installation you may need to update the PowerShell module path in the script; mine was located at
C:\Program Files (x86)\Microsoft Office 2013\LyncSDK\Assemblies\Desktop
Don't forget to change the URL to a good old Rick-roll (sorry Chris)
and run the script.
The user will have just had a Rick-roll pop up on their screen without needing to do anything at all.
Not so harmful, is it? Now consider that you can direct the user to any webpage that auto-installs CryptoLocker and you see why it's such a pain.
The fix is simple: make sure your clients are running a version newer than 16.0.7830.1018 (32-bit) or 16.0.7927.1020 (64-bit), or keep up to date by using the Office 365 Click-to-Run client.
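To make that version check repeatable across a fleet, here is an added PowerShell example (my own, not part of the original post or nyxgeek's release) that compares the installed Office Click-to-Run build against the last affected builds named above. It assumes the standard C2R registry key HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration with its VersionToReport and Platform values; the two threshold builds come straight from the article. The comparison function takes the version and platform as parameters, so it can also be run against values collected from elsewhere (an inventory export, for example).

```powershell
# Added example (not from the original post): flags Skype for Business 2016
# Click-to-Run clients at or below the builds the article lists as affected.
# Assumption: the C2R registry key and value names below are as found on a
# standard Office 365 Click-to-Run install; the build thresholds are from the article.
function Test-Skype4BClientAffected {
    param(
        [Parameter(Mandatory)][string]$Version,                           # e.g. "16.0.7830.1018"
        [Parameter(Mandatory)][ValidateSet('x86','x64')][string]$Platform  # architecture of the Office install
    )
    # Last affected build per architecture, as stated in the article.
    $lastAffected = @{
        x86 = [version]'16.0.7830.1018'
        x64 = [version]'16.0.7927.1020'
    }
    # [version] compares field by field numerically; a plain string comparison
    # would wrongly rank "16.0.10000.1" below "16.0.7830.1018".
    return ([version]$Version -le $lastAffected[$Platform])
}

function Get-InstalledC2RInfo {
    # Assumed location of the Click-to-Run configuration (absent on MSI-based Office).
    $key = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
    if (-not (Test-Path $key)) { return $null }
    $cfg = Get-ItemProperty -Path $key
    [pscustomobject]@{
        Version  = $cfg.VersionToReport   # build reported in the Office "About" dialog
        Platform = $cfg.Platform          # 'x86' or 'x64'
    }
}

$info = Get-InstalledC2RInfo
if ($null -eq $info) {
    Write-Output 'No Click-to-Run Office found; the article reports only the C2R client as affected.'
} elseif (Test-Skype4BClientAffected -Version $info.Version -Platform $info.Platform) {
    Write-Output "AFFECTED: build $($info.Version) ($($info.Platform)) is at or below the last affected build; update the client."
} else {
    Write-Output "OK: build $($info.Version) ($($info.Platform)) is newer than the affected range."
}
```

Run it in an elevated or standard PowerShell session on the workstation; reading HKLM needs no special rights. If you collect VersionToReport and Platform centrally, call Test-Skype4BClientAffected directly on each pair instead of the registry lookup.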
16.0.7830.1018 applies to the click-to-run version only. Is the MSI version not affected or is there no fix yet?
Hi Dan, I’ve updated the article. The CVE only applies to the Click to Run version and Microsoft hasn’t released any information suggesting the exploit exists on the MSI version. At the moment I’d be inclined to believe that only the C2R version is affected.