Full Report
When performing spear phishing attacks, the more information you have at your disposal, the better. One tactic we thought useful was this Skype security flaw disclosed in the early days of 2012 (discovered by one of the Skype engineers much earlier). For those who haven’t heard of it – this vulnerability allows an attacker to passively disclose a victim's external, as well as internal, IP addresses in a matter of seconds, by viewing the victim's VCard through an ‘Add Contact’ form.
Analysis Summary
# Vulnerability: Skype Passive IP Disclosure via VCard Viewing
## CVE Details
- CVE ID: Not provided in the text.
- CVSS Score: Not provided in the text.
- CWE: Analysis suggests information leakage, potentially related to improper logging or context-sensitive data exposure.
## Affected Systems
- Products: Skype Client
- Versions: Specific versions are not detailed for the vulnerability itself, but the article mentions retrieving a patch for **Skype 5.5**. This strongly implies versions prior to the fix were susceptible.
- Configurations: Occurs when viewing a contact's VCard within the 'Add Contact' workflow after enabling specific debug logging.
## Vulnerability Description
This vulnerability allows an attacker to passively disclose the victim's external and internal IP addresses by manipulating the Skype client into saving detailed logs. By adding or viewing a contact's VCard through the 'Add Contact' form while debug logging is enabled, the resulting debug log file captures sensitive network information associated with the user's presence or connection status, including their IP addresses.
## Exploitation
- Status: PoC available (The article describes the exact steps needed to reproduce the log leakage.)
- Complexity: Low (Involves registry modification and simple in-application actions.)
- Attack Vector: Network (Requires interaction with the targeted Skype application.)
## Impact
- Confidentiality: High (Exposes internal and external network topology information.)
- Integrity: Low (The primary impact is disclosure, not modification.)
- Availability: Low (No impact on service availability.)
## Remediation
### Patches
- The article references downloading a **patched version of Skype 5.5** (linked here: `http://cloud.github.com/downloads/skypeopensource/skypeopensource/skype55.zip`). This patch reportedly enabled the client to save logs in a non-obfuscated form, suggesting that the vendor-supplied patch would normalize or fix the logging behavior to prevent IP leakage.
### Workarounds
1. **Disable Debug Logging:** Exploitation relies on setting registry values that enable detailed logging (`"Logging"="SkypeDebug2003"`, `"Logging2"="on"`). Removing these values, or ensuring they are not set to the debug settings, should prevent the passive IP leakage.
2. **Avoid VCard Viewing:** Do not interact with the 'Add Contact' functionality to view VCards if debug logging is suspected to be active.
## Detection
- Indicators of Compromise (IOC): Presence of unusually large or detailed Skype debug log files, particularly those containing lines mentioning `PresenceManager` alongside recognizable IP address formats (both private and public).
- Detection Methods and Tools: Endpoint security monitoring focused on anomalous file creation (debug logs) in the Skype executable directory or scanning the Windows Registry for non-default Skype logging key values under `HKEY_CURRENT_USER\Software\Skype\Phone\UI\General`.
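
The registry check named above, as an added example (not code from the SensePost article or from Skype): it audits a `reg export` file for the two debug-logging values. The sample export, including its `Language` filler value, is constructed, and comparing value data case-insensitively is an assumption that errs toward flagging.

```python
import re

# Key path and debug values as quoted in the Workarounds and Detection sections.
KEY_SUFFIX = r"\software\skype\phone\ui\general"
DEBUG_VALUES = {"logging": "skypedebug2003", "logging2": "on"}

SECTION = re.compile(r"^\[(.+)\]$")
STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample export (not real data); "Language" is a filler value.
SAMPLE_EXPORT = b"\xff\xfe" + (
    "Windows Registry Editor Version 5.00\r\n\r\n"
    "[HKEY_CURRENT_USER\\Software\\Skype\\Phone\\UI\\General]\r\n"
    '"Logging"="SkypeDebug2003"\r\n'
    '"Logging2"="on"\r\n'
    '"Language"="en"\r\n\r\n'
    "[HKEY_CURRENT_USER\\Software\\Skype\\Phone\\UI]\r\n"
    '"Logging"="SkypeDebug2003"\r\n'
).encode("utf-16-le")


def decode_reg(raw: bytes) -> str:
    """regedit exports are UTF-16LE with a BOM; REGEDIT4 files are ANSI."""
    if raw.startswith(b"\xff\xfe"):
        return raw.decode("utf-16")
    return raw.decode("cp1252")


def find_debug_logging(reg_text: str) -> list:
    """Return (key, name, data) for Skype logging values set to debug."""
    hits, current = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        section = SECTION.match(line)
        if section:
            current = section.group(1)
            continue
        value = STRING_VALUE.match(line)
        if not value or current is None:
            continue
        # Key and value names are case-insensitive; matching on the suffix also
        # covers per-user hives exported as HKEY_USERS\<SID>\Software\...
        if not current.lower().endswith(KEY_SUFFIX):
            continue
        name, data = value.groups()
        if DEBUG_VALUES.get(name.lower()) == data.lower():
            hits.append((current, name, data))
    return hits
```

Calling `find_debug_logging(decode_reg(SAMPLE_EXPORT))` returns the two values under the `General` key and ignores the same value name under the parent `UI` key.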
## References
- Vendor Advisories: None explicitly cited as an official general advisory for this specific disclosure, though the article references an earlier 2012 disclosure.
- Relevant Links: SensePost Article (`https://sensepost.com/blog/`)