How bad is the CVE-2017-8550 XSS exploit for Skype4B?

By | July 17, 2017

So for those of you who don’t have your ear on the #skype4B hashtag on Twitter (and you should), nyxgeek released an exploit for the Skype4B client (and possibly Lync, I haven’t tested yet) that exploits XSS to allow for remote website execution without user interaction.

On the surface that sounds quite simple, but combined with some other exploits this could be used to quickly infect an otherwise protected machine.

This is a dangerous exploit because Skype4B bypasses any mail filtering, and therefore any URL parsing your organisation’s mail filter performs, enabling an attacker to send the user to a drive-by download website and infect them with something like CryptoLocker.

 

The steps to recreate this are quite simple:

Download the Lync 2013 SDK 

If you’re using the Skype for Business 2016 client, use the following registry entry to trick the SDK into installing:

 

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\15.0\Lync]
"InstallationDirectory"=""

If you don’t have Visual Studio installed, use your favourite compression tool to extract the Lync SDK download.

 

Follow the bouncing ball and install the SDKs.

 

 

 

Depending on your installation, you may need to update the PowerShell module path in the script; mine was located at:

C:\Program Files (x86)\Microsoft Office 2013\LyncSDK\Assemblies\Desktop

Don’t forget to change the URL to a good old Rick-roll (Sorry Chris):

https://www.youtube.com/watch?v=oHg5SJYRHA0

 

and run the script.

The user will have just had a rick-roll pop up on their screen without needing to do anything at all.

Not so harmful, is it? Now consider that you can direct the user to any webpage that auto-installs CryptoLocker and you see why it’s such a pain.

The fix is simple: make sure your clients are running a version later than 16.0.7830.1018 (32-bit) and 16.0.7927.1020 (64-bit), or keep up to date by using the Office365 Click to Run client.
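To check a fleet against those build numbers, here is an added example (not from the original post or from Microsoft) that audits a client inventory export. The CSV layout, the hostnames and the sample versions are constructed for illustration; a build equal to the quoted one is flagged for update, following the wording above, and anything that is not a 16.0 client is reported as unknown because the post gives no numbers for it.

```python
import csv
import io

# Builds quoted in the post; clients are expected to be newer than these.
THRESHOLDS = {
    "x86": (16, 0, 7830, 1018),
    "x64": (16, 0, 7927, 1020),
}

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = """host,arch,version
ws-001,x86,16.0.7830.1018
ws-002,x86,16.0.8201.2102
ws-003,x64,16.0.7927.1020
ws-004,x64,16.0.8229.2073
ws-005,x64,15.0.4933.1000
ws-006,x86,not-installed
"""

def parse_version(text):
    """Return a 4-tuple of ints, or None if the string is not a.b.c.d."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(arch, version_text):
    """Classify one client as 'ok', 'update' or 'unknown'."""
    version = parse_version(version_text)
    threshold = THRESHOLDS.get(arch.strip().lower())
    if version is None or threshold is None:
        return "unknown"
    # The post only gives builds for the 16.0 client; anything else
    # (for example Lync 2013, 15.0) cannot be judged from these numbers.
    if version[:2] != threshold[:2]:
        return "unknown"
    return "ok" if version > threshold else "update"

def audit(inventory_csv):
    """Map each host in the CSV to its classification."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: classify(r["arch"], r["version"]) for r in rows}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as unknown need a manual look rather than being treated as safe.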

 

One thought on “How bad is the CVE-2017-8550 XSS exploit for Skype4B?”

  1. Dan

    16.0.7830.1018 applies to the click-to-run version only. Is the MSI version not affected or is there no fix yet?
