Lab Researcher discovered Microsoft Skype Denial of Service Vulnerability

Microsoft Skype Mobile v8.x - Remote Denial of Service Vulnerability

Vulnerability Labs core team discovered a new denial of service vulnerability and rendering problem in Skype Mobile Client v8.12 and v8.13 this week. The vulnerability can be triggered by sending a special smiley (emoticon) content message remotely. The security problem can be triggered locally and remotely. The problem concerns the mobile client for Android and ios and was demonstrated by ios on Samsung device with a poc video.

The security vulnerability was reported to the microsoft corporation in february (2018-02-03) with MSRC ID 43520 by the vulnerability laboratory core research team.

The vulnerability is in the function to convert the size of the transferred images on display. When transferring an image from the skype Windows software client (computer system) to the mobile skype clients (ios & android), a memory error occurs when adapting the smiley graphics. Attackers can copy the incorrectly formatted smiley by quota from the message that is sent in a faulty format with a permanent resizing. The attackers can now transfer the copied Smilie into conversations in order to crash it with a memory error.

When transferring the smilies by quotation or by copying, the harmful content can be transferred to other input fields, which then also cause a local memory error in the display. The demo video shows how an attacker can use the content locally to crash himself or other Skype clients like Samsung. The memory error can be used locally and remotely, but it is not possible to overwrite active registers from the process to permanently endanger them.

Exploiting the vulnerability leads to crashes, massive synchronization problems and unhandled memory errors in the mobile Skype ios and Android software client. Skype for Windows, Linux and MacOS operating systems are not affected by the problem, but must be used to bring the malicious content to the Skype mobile client board.

Video: Skype Mobile Software Client v8.12 v8.13 - Remote Denial of Service Vulnerability

When copying the incorrect content within the message field, the characters are removed to ensure that the correct formats are delivered. The security issue has been fixed 2018-03-20 in skype's mobile clients v8.16 for ios and android. About one month after delivery of the report, the security problem was resolved with the latest updates v8.16 next to April 2018. Thanks to the msrc team and our coordinator.

Advisory: https://www.vulnerability-lab.com/get_content.php?id=2116

Video: https://www.vulnerability-lab.com/get_content.php?id=2117