What is it?
An attacker can force a user who is logged in with Microsoft Lync for Mac 2011 (< v14.4.3) to browse to a URL of their choice via a specially crafted instant message. This vulnerability exists due to poor input sanitation in the processing of message content submitted via PowerShell and the Lync 2013 SDK.
No user interaction is required, and the URL will open in whatever the default system browser is set to. If the URL is a link to a file, the browser will behave as though the URL was clicked. If the filetype of the URL target is a known ‘safe’ type, then it will automatically start downloading.
This vulnerability is particularly dangerous if Microsoft Federation is configured to be open, which allows users to receive messages from any Skype for Business user.
This issue is very similar to the input sanitation problem that I found last year in the Windows Skype for Business client (https://www.exploit-db.com/exploits/42316/). In fact, the PowerShell framework is the same; only the payload has been modified to hold an <iframe> instead of a <script> block.
The Code
This exploit is extremely simple. It is the result of a failure to sanitize input that is taken in via the Lync 2013 PowerShell SDK. I used ‘PowerSkype’ by Karl Fosaaen of NetSPI as a base (https://github.com/NetSPI/PowerShell/blob/master/PowerSkype.ps1).
To begin with, I experimented with sending <b> or <i> tags to style the text. This successfully modified the message formatting, so I then extended testing to other HTML tags. While <script> tags were blocked, and various other JavaScript injections failed, I discovered that an <iframe> tag would spawn a browser session to the target URL.
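The missing control, shown as an added example (not code from the original post or from Microsoft): an allow-list sanitizer that keeps the <b>/<i> formatting described above and drops every other tag, including <iframe> and <img>. The names sanitize_message and ALLOWED_TAGS, and the sample messages, are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Assumption: only inline formatting tags are legitimate in a chat message.
ALLOWED_TAGS = {"b", "i"}


class MessageSanitizer(HTMLParser):
    """Rebuilds a message from allow-listed tags (no attributes) and escaped text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []      # pieces of the sanitized message
        self.dropped = []  # tags that were removed, for logging or alerting

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")  # attributes are never copied through
        else:
            self.dropped.append(tag)     # iframe, img, script, ... are discarded

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))    # text can never turn back into markup


def sanitize_message(raw):
    """Return (sanitized_html, dropped_tags) for one incoming message body."""
    parser = MessageSanitizer()
    parser.feed(raw)
    parser.close()
    return "".join(parser.out), parser.dropped


if __name__ == "__main__":
    # Constructed sample messages; example.invalid is a reserved placeholder domain.
    samples = [
        "<b>hello</b> and <i>welcome</i>",
        '<b>hi</b> <iframe src="http://example.invalid/"></iframe>',
        '<i>see <img src="http://example.invalid/a.png"> this</i>',
    ]
    for raw in samples:
        clean, dropped = sanitize_message(raw)
        print(f"{clean!r} dropped={dropped}")
```

A non-empty dropped list is also a useful detection signal: a chat message that arrives carrying an <iframe> is worth logging even when it has been neutralized.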
A slightly less-useful trick is to embed an image directly into the chat by sending <img> tags:
Disclosure Timeline and Microsoft’s Response
I reported this to Microsoft in July 2017 and the MSRC opened a ticket.
The Microsoft Security Advisory can be found here:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8474
I’m not completely surprised by their decision not to fix the problem. Lync: Mac 2011 is an aging client, with two product replacements out for it already (Skype for Business, and the new Microsoft Teams). Plus, it’s the Mac client, so the install base is likely on the smaller side.
With that being said, if they don’t want to fix it, Microsoft should stop recommending it and remove it from their downloads page. If you go to the Skype for Business 2016 Mac client download page you see that they recommend using the Lync 2011 client when connecting to Lync Server 2010.
To test the vulnerability, you will need an attacking machine (a Windows host that can run PowerShell), and a target machine (a Mac with the Lync Mac 2011 client running).
The Setup – Target Machine
This is easy – simply download the Microsoft Lync: Mac 2011 client, open it, and sign in.
The Setup – Attacking Machine
First, you’ll want to set up the Lync 2013 PowerShell SDK. Karl Fosaaen over at NetSPI has a great write-up on getting this started, and I recommend you follow the steps in his post here:
https://blog.netspi.com/attacking-federated-skype-powershell/
Once you have the Lync 2013 SDK installed, go ahead and grab the CVE-2018-8474 PoC script here.
In order to run it we just need to make one change to the PoC script. Change the $target variable to point at the user you are targeting.
Now, navigate to the location of the PowerShell script and run it.
You should see a prompt appear on the target machine, and the URL should open in a new browser window!
Recommendations
What can you do? First, if your organization uses Macs, make sure that they are held to the same standard for vulnerability management. Especially in big Windows shops, where the only Macs might be a handful in the graphic design department, it’s easy for non-standard machines to fall through the cracks when it comes to patching and managing software.
Second, please please please restrict your Microsoft Federation settings. While the default is to have it enabled, it’s a simple matter to fix by visiting the O365 Settings and whitelisting only the organizations that you wish to communicate with.
Reflection
Forced browsing isn’t a great exploit on its own. However, paired with a browser or file-format exploit, forced browsing becomes a terrific payload delivery method. At highest risk are those organizations that have Microsoft’s Federation enabled, allowing external entities to communicate with their users via Skype/Lync.
A forced browsing exploit + browser or file-format exploit + open federation = super spear-phishing. Get easy shells on high-value targets and the user doesn’t even have to click.
In the above scenario, against a user at an organization with open federation, an attacker could wait for their target to log in and force them to browse to a URL of their choosing. Since no user-interaction is required, the likelihood of execution is high.
It’s interesting that both the Windows and Mac clients have had issues with input sanitation, despite the products being run by different teams. It shows that the classic Top 10 OWASP finding — input sanitation — is still a problem for developers in shops of all sizes.
Introduction
This article contains information about how to troubleshoot Lync for Mac issues in Skype for Business Online (formerly Lync Online). It also discusses how to sign in to Skype for Business Online by using Lync for Mac and how to collect log files and system information for Lync for Mac issues.
Procedure
Before you troubleshoot
First, make sure that users follow the correct steps when they sign in to Skype for Business Online. If users are signing in to Skype for Business Online correctly and the issue persists, use one or more of the other methods later in this article to troubleshoot the issue, as appropriate for your situation.
Note
To connect Lync for Mac 2011 to Skype for Business Online in Office 365, you must have Lync for Mac version 14.0.6 or a later version installed. If you use a version that's earlier than version 14.0.6, you may have problems when you sign in to Skype for Business Online because earlier versions have issues that prevent authentication to Skype for Business Online. You can find the latest update at Update for Lync for Mac 2011.
Make sure that users follow the correct steps when they sign in to Skype for Business Online
To sign in to Skype for Business Online by using Lync for Mac, users should follow these steps:
If you still can't sign in
The following table describes error messages that may occur when users sign in or use Lync for Mac with Skype for Business Online.
Troubleshoot Lync for Mac issues
Use one or more of the following methods, as appropriate for your situation.
Users may be unable to sign in unless they first use an incorrect sign-in address
If Lync for Mac stops working after an Internet connectivity issue, flush the DNS cache
To flush the DNS cache, do one of the following, depending on the version of Mac OS that you're running:
Clear cached data and corrupted certificates in Lync
First, delete the following folders:
Then, delete any corrupted or cached certificates. To do this, follow these steps:
Important
Before you perform the next step, try to reproduce the issue by using a new test user account. If the issue doesn't repeat in the new account, then follow these steps:
Federated users synchronized from on-premises Active Directory Domain Services can't sign in by using a password that's longer than 16 characters
Organizations that have on-premises customer password policies may allow for passwords to exceed 16 characters. By default, the password policy in Office 365 restricts passwords to 16 characters or less. Because of the Windows Challenge/Response (NTLM) authentication mechanism in the Mac OS, passwords that are longer than 16 characters aren't recognized correctly, and this causes sign-in to fail.
To work around this issue, the user should change his or her password to be 16 characters or less.
Lync for Mac crashes and the user receives an EXC_BAD_ACCESS error
This error message usually occurs when Lync for Mac tries to integrate or schedule meetings with an Exchange mailbox that isn't hosted in Exchange Online. This scenario isn't supported in Skype for Business Online. For the best experience, you should use both Skype for Business Online and Exchange Online. However, if that isn't an option, follow these steps as a potential workaround:
Collect log files and system information for Lync for Mac issues
To collect log files and system information for Lync for Mac issues, follow these steps:
Uninstall and reinstall Lync for Mac 2011
If the steps in this article don't resolve the issue, try to do a clean uninstallation of Lync for Mac 2011, and then reinstall the application. For more information about how to do a clean uninstallation of Lync for Mac 2011, see How to do a clean uninstallation of Lync for Mac 2011.
More Information
If you're using third-party virtualization software for the Mac, it can coincide with various performance-related issues including but not limited to slow desktop sharing, unexpected poor media quality, possible sign-in and Exchange integration issues. In order to continue, Microsoft technical support may have to confirm that the issue occurs on a computer where the third-party virtualization software isn’t present.
Third-party information disclaimer
The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.
Still need help? Go to Microsoft Community.