Lync/Skype4B embedded links exploit

I decided to share this MSitPros blog post to show how can you exploit a Lync/Skype4B rich IM, using embedded links with SMB shares.

As stated by the author, exploiting for the NTLM hash might be less successful from an external attacker (SMB traffic blocking), but a rogue LAN user or a deceiving ‘hotspot provider’/’internet cafe’ might would try this one.

Rich text IM (rich fonts, embedded pictures and links) is a very nice feature of Lync/Skype4B but it is also where the common MS Office security issues are found:

  • MS16-039: Security update for Microsoft Graphics Component: April 12, 2016
  • MS16-097: Security update for Microsoft Graphics Component: August 9, 2016
  • MS15-116: Security update for Microsoft Office to address remote code execution: November 10, 2015

Don’t panic right way if you have a full control/security policies of your LAN users, so that no one can just plug a rogue device (or install the required exploit software on his work PC).
The attacker must be able to reach the user – either he has an internal Lync/Skype4B account (which means he already might have hacked the network), or using Company or Skype federation.
Even if the attacker get the hash, the next step is to use against a server resource to access. An external attacker will have an additional challenge to reach your internal LAN.

Just like using Outlook, be careful when opening links or attachments. Better ways to prevent this:
– block links on IM (at least for federations)
– use only the NTLMv2 or Kerberos authentication protocols (although there are known ways to exploit them the same way)

My keynote is that security is an important topic when planning and deploying Lync/Skype for Business… don’t just go for a plain next>next>ready installation.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s