CVE-2017-9948 in Skype

Summary

by MITRE

A stack buffer overflow vulnerability has been discovered in Microsoft Skype 7.2, 7.35, and 7.36 before 7.37, involving MSFTEDIT.DLL mishandling of remote RDP clipboard content within the message box.

Analysis

by VulDB Data Team • 08/18/2024

The vulnerability identified as CVE-2017-9948 represents a critical stack buffer overflow flaw in Microsoft Skype versions 7.2 through 7.36, prior to the release of version 7.37. This security weakness specifically manifests within the MSFTEDIT.DLL component, which is responsible for handling rich text editing functionality in the Skype application. The vulnerability arises from improper input validation and memory management when processing remote RDP clipboard content, creating an exploitable condition that can be leveraged by malicious actors to execute arbitrary code on affected systems.

The technical exploitation of this vulnerability occurs through the manipulation of remote desktop protocol clipboard data that Skype processes within its message box interface. When Skype receives clipboard content from a remote RDP session, the MSFTEDIT.DLL library fails to properly validate the size and content of the incoming data before copying it into a fixed-size stack buffer. This improper bounds checking creates a classic stack buffer overflow condition where maliciously crafted clipboard content can overwrite adjacent memory locations, potentially including return addresses and control flow data. The vulnerability is particularly dangerous because it can be triggered through legitimate RDP clipboard sharing functionality, making it accessible to attackers who have gained access to a victim's RDP session or who can somehow influence clipboard content during remote sessions.
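
The bug class described above, as an added C example: an unchecked copy of sender-controlled data into a fixed-size stack buffer, next to a bounds-checked version. This is not code from Skype or MSFTEDIT.DLL; the struct, the function names and the 256-byte buffer size are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MSG_BUF_LEN 256  /* assumed size of the fixed stack buffer */

/* Hypothetical stand-in for clipboard data from the remote side:
 * the sender chooses both the bytes and the length. */
struct clip_data {
    const char *bytes;
    size_t      len;
};

/* Vulnerable pattern (CWE-121): the sender's length is trusted, so any
 * len >= MSG_BUF_LEN writes past buf into adjacent stack memory.
 * Shown for comparison only; main() never calls it. */
long stage_unchecked(const struct clip_data *c, char *out)
{
    char buf[MSG_BUF_LEN];
    memcpy(buf, c->bytes, c->len);
    buf[c->len] = '\0';
    strcpy(out, buf);
    return (long)c->len;
}

/* Hardened form: validate the length against both buffers before copying.
 * Returns the number of bytes staged, or -1 if the input is rejected. */
long stage_checked(const struct clip_data *c, char *out, size_t out_len)
{
    char buf[MSG_BUF_LEN];

    if (c == NULL || c->bytes == NULL || out == NULL)
        return -1;
    if (c->len >= sizeof buf || c->len >= out_len)  /* keep room for '\0' */
        return -1;

    memcpy(buf, c->bytes, c->len);
    buf[c->len] = '\0';
    memcpy(out, buf, c->len + 1);
    return (long)c->len;
}

int main(void)
{
    static char big[1024];               /* constructed oversized input */
    char out[MSG_BUF_LEN];
    struct clip_data c = { big, sizeof big };

    memset(big, 'A', sizeof big);
    printf("oversized input -> %ld\n", stage_checked(&c, out, sizeof out));
    return 0;
}
```

The checked version rejects oversized input outright rather than truncating it, so a caller can log the rejection as a signal worth investigating.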

From an operational perspective, this vulnerability presents significant risk to organizations relying on Skype for business communications, particularly those with remote desktop infrastructure in place. The attack vector requires minimal user interaction beyond establishing an RDP session, making it particularly dangerous in enterprise environments where RDP access is commonly granted to legitimate users. Security researchers have classified this issue as a high-severity vulnerability due to its potential for remote code execution and the ease with which it can be exploited through legitimate network protocols. The vulnerability directly impacts the principle of least privilege and can be leveraged to escalate privileges or establish persistent access to compromised systems, making it a target for advanced persistent threat actors.

Organizations should implement immediate mitigations including updating to Skype version 7.37 or later, which contains the necessary patches to address the buffer overflow condition. Network segmentation and access controls should be enforced to limit RDP access to only authorized personnel and systems. Additionally, implementing clipboard monitoring and restriction policies can help prevent malicious clipboard content from being processed by Skype applications. The vulnerability aligns with CWE-121 Stack-based Buffer Overflow, which is categorized under the broader category of CWE-119 Improper Access of Resource Using Buffer. From an ATT&CK framework perspective, this vulnerability maps to T1059 Command and Scripting Interpreter and T1071 Application Layer Protocol, as it enables command execution through legitimate application interfaces and network protocols. Organizations should also consider implementing application whitelisting policies to prevent execution of untrusted clipboard content and maintain regular security assessments to identify similar vulnerabilities in other applications that handle external input through similar mechanisms.

Reservation: 06/26/2017
Disclosure: 06/26/2017
Moderation: accepted
CPE: ready
EPSS: 0.04865
KEV: no
Activities: very low
