Skype URI handler file access
skype-uri-handler-file-access (26557)
Description:
Skype is a VoIP application for making phone calls over the Internet. Skype running on Microsoft Windows operating systems could allow a remote attacker to access an arbitrary file because of a vulnerability in the URI handler. If a remote attacker was provided a link for downloading a file from the target victim, the remote attacker could modify the URI link so that it downloads an arbitrary file from the victim's system instead. The Skype file transfer dialogue box appears when the malicious URI link is clicked.
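The weakness described above is an argument-injection pattern: a custom URI scheme hands a link's contents to a desktop application, and the application re-parses that data as if it were its own command line, so switch-looking tokens placed in the link are honoured as switches. The following is an added illustration and is not Skype's code; the switch names, the allowlist for a call target, and the assumption that the URI is percent-decoded before the handler splits it are all constructed for the example. It shows the weak parsing pattern beside a hardened one that treats the whole URI as opaque data and validates it against an allowlist.

```python
import re
from urllib.parse import urlsplit, unquote

SCHEME = "skype"                                 # scheme named in the advisory
KNOWN_SWITCHES = {"/minimized", "/debuglog"}     # constructed switch names, not Skype's real ones
TARGET_RE = re.compile(r"^[A-Za-z0-9._+-]{1,64}$")  # hypothetical allowlist for a call target


def naive_parse(cmdline: str):
    """Weak pattern (the class of bug in the advisory, on constructed data).

    The URI reaches the handler as one argument, but the handler re-splits it on
    whitespace and interprets any '/'-prefixed token it recognises as a switch.
    Whatever the link author placed after an encoded space therefore becomes a
    command-line option rather than part of the call target.
    """
    switches, positionals = [], []
    for token in cmdline.split():
        if token.startswith("/") and token.lower() in KNOWN_SWITCHES:
            switches.append(token.lower())
        else:
            positionals.append(token)
    return switches, positionals


def hardened_parse(uri: str) -> str:
    """Hardened pattern: decode the URI once, never re-split it, and accept only a
    target that matches a strict allowlist.  Anything that could be read as a
    switch, a second argument or a control character is rejected outright.
    """
    parts = urlsplit(uri)
    if parts.scheme.lower() != SCHEME:
        raise ValueError("unexpected scheme")
    # Accept both "skype:target" (path) and "skype://target" (netloc) spellings.
    target = unquote(parts.path or parts.netloc)
    if any(ch.isspace() for ch in target) or target.startswith(("/", "-")):
        raise ValueError("switch-like or multi-argument payload rejected")
    if not TARGET_RE.fullmatch(target):
        raise ValueError("target outside allowlist")
    return target


if __name__ == "__main__":
    # Constructed sample links: a legitimate call target and one carrying a switch token.
    for link in ("skype:alice", "skype:alice%20/debuglog", "skype:/debuglog"):
        print("naive   :", naive_parse(unquote(link)))
        try:
            print("hardened:", hardened_parse(link))
        except ValueError as exc:
            print("hardened: rejected ->", exc)
```

The hardened parser makes the defensive point explicit: data that arrives through a URI is never allowed to become more than one argument, and what it may contain is decided by an allowlist rather than by a list of known-bad switches.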
Platforms Affected:
- Skype, Skype for Windows 2.0.x.104 and prior
- Skype, Skype for Windows 2.5.x.0 - 2.5.x.78
Remedy:
Apply the patch for this vulnerability, as listed in the SKYPE SECURITY BULLETIN SKYPE-SB/2006-001. See References.
Consequences:
Gain Access
References:
- BugTraq Mailing List, Sun May 21 2006 - 18:44:20 CDT, Skype - URI Handler Command Switch Parsing at http://archives.neohapsis.com/archives/bugtraq/2006-05/0424.html.
- SKYPE SECURITY BULLETIN SKYPE-SB/2006-001, Improper handling of URI arguments at http://www.skype.com/security/SKYPE-SB-2006-001.txt.
- Skype Web site, Skype - The whole world can talk for free. at http://www.skype.com/.
- BID-18038: Skype Technologies Skype URI Handling Remote File Download Vulnerability
- CVE-2006-2312: Argument injection vulnerability in the URI handler in Skype 2.0.*.104 and 2.5.*.0 through 2.5.*.78 for Windows allows remote authorized attackers to download arbitrary files via a URL that contains certain command-line switches.
- OSVDB ID: 25658: Skype URL Handling Arbitrary File Disclosure
- SA20154: Skype URL Handling File Disclosure Vulnerability
- US-CERT VU#466428: Skype URI handler fails to properly parse parameters
- VUPEN/ADV-2006-1871: Skype for Windows Remote URL Handling Arbitrary File Transfer Vulnerability
Reported:
May 19, 2006
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
Copyright (c) 1994-2009 Internet Security Systems, Inc. All rights reserved worldwide.
For corrections or additions please email xforce@iss.net
