So for those of you who don’t have your ear on the #skype4B hashtag on Twitter (and you should), nyxgeek released an exploit for the Skype4B client (and possibly Lync, I haven’t tested yet) that uses XSS to open a remote website on the user's machine without any user interaction.
On the surface that sounds quite simple, but combined with some other exploits this could be used to quickly infect an otherwise protected machine.
This is a dangerous exploit because Skype4B bypasses any mail filtering, and therefore any URL parsing your organisation's mail filter does, enabling an attacker to send the user to a drive-by download website and infect them with something like Cryptolocker.
The steps to recreate this are quite simple:
Download the Lync 2013 SDK.
If you’re using the Skype for Business 2016 client, use the following registry entry to trick the SDK into installing:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\15.0\Lync]
"InstallationDirectory"=""
If you don't have Visual Studio installed, use your favourite compression tool to extract the Lync SDK download.
Follow the bouncing ball and install the SDK.
Depending on your installation you may need to update the PowerShell module path in the script; mine was located at
C:\Program Files (x86)\Microsoft Office 2013\LyncSDK\Assemblies\Desktop
Don't forget to change the URL to a good old Rick-roll (sorry Chris)
and run the script.
The user will have just had a Rick-roll pop up on their screen without needing to do anything at all.
Not so harmful, is it? Now consider that you can direct the user to any webpage that auto-installs CryptoLocker and you see why it's such a pain.
The fix is simple: make sure your clients are running a version newer than 16.0.7830.1018 (32-bit) or 16.0.7927.1020 (64-bit), or keep up to date by using the Office 365 Click-to-Run client.
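If you want to check a fleet rather than eyeball Help > About on each machine, the following PowerShell is an added example (not part of the original post or nyxgeek's release) that locates lync.exe, reads its architecture from the PE header so it is compared against the right fixed build, and reports whether it is at or above the versions quoted above. The candidate install paths are assumptions about typical Click-to-Run and MSI layouts; adjust them for your environment.

```powershell
# Added example: report whether the installed Skype for Business client is at or above
# the fixed builds quoted in the post. Paths below are assumed typical install locations.

$FixedVersions = @{
    'x86'   = [version]'16.0.7830.1018'   # 32-bit client fix (from the post)
    'amd64' = [version]'16.0.7927.1020'   # 64-bit client fix (from the post)
}

# Assumed candidate locations for lync.exe (Click-to-Run under \root\, MSI without it).
$Candidates = @(
    "$env:ProgramFiles\Microsoft Office\root\Office16\lync.exe",
    "${env:ProgramFiles(x86)}\Microsoft Office\root\Office16\lync.exe",
    "$env:ProgramFiles\Microsoft Office\Office16\lync.exe",
    "${env:ProgramFiles(x86)}\Microsoft Office\Office16\lync.exe"
)

function Get-PeArchitecture {
    # Reads IMAGE_FILE_HEADER.Machine so bitness comes from the binary, not the folder name.
    param([Parameter(Mandatory)][string]$Path)
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $br = New-Object System.IO.BinaryReader($fs)
        $null = $fs.Seek(0x3C, [System.IO.SeekOrigin]::Begin)
        $peOffset = $br.ReadUInt32()                         # e_lfanew -> "PE\0\0"
        $null = $fs.Seek($peOffset + 4, [System.IO.SeekOrigin]::Begin)
        $machine = $br.ReadUInt16()                          # IMAGE_FILE_HEADER.Machine
    } finally {
        $fs.Dispose()
    }
    switch ($machine) {
        0x014c  { 'x86' }
        0x8664  { 'amd64' }
        default { 'unknown' }
    }
}

function Get-SkypeClientPatchStatus {
    # Returns one object per lync.exe found, with the installed build and a Patched flag.
    param([string[]]$Paths = $Candidates)
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $vi = (Get-Item -LiteralPath $p).VersionInfo
        # Build the version from the numeric parts; the FileVersion string is not always clean.
        $installed = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
        $arch = Get-PeArchitecture -Path $p
        $required = $FixedVersions[$arch]
        [pscustomobject]@{
            Path         = $p
            Architecture = $arch
            Installed    = $installed
            Required     = $required
            Patched      = ($null -ne $required -and $installed -ge $required)
        }
    }
}

$results = @(Get-SkypeClientPatchStatus)
if ($results.Count -eq 0) {
    Write-Warning 'No lync.exe found in the assumed install locations.'
} else {
    $results | Format-Table -AutoSize
    if ($results.Patched -contains $false) {
        Write-Warning 'At least one Skype for Business client is below the fixed build.'
    }
}
```

Run it with Invoke-Command against a list of machines and collect the objects centrally; a client that reports Patched = False (or an unknown architecture, which is treated as unpatched) is one you should be updating before someone tries the script above on it.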