Exploiting Lync for iOS to gather OSINT and force join conference calls.

Section 9 Labs
Jan 2, 2015

Following our earlier research on url-handlers in FaceTime and Messages, here comes the “Enterprise version”. Abusing a Microsoft product through iOS to steal contact cards and force people into meetings has its beauty ☺

Background

As we will discuss in this and other posts, all part of social engineering research being done at Section9Labs for our newly released Cartero Framework, we have found several interesting issues and attack vectors abusing url-handlers in iOS applications. When we got to the “enterprise” applications in my iPhone app list, I was already high on url-handlers, and for each installed application I felt the need to decrypt it and throw it into IDA to understand how its exposed url schemes worked and what could be done with them.

Office 365 application family

In the case of Microsoft Lync 2013 for iOS there was no documentation that could be easily found through quick Google searches or forum posts, so the only way was to reverse engineer the app and see what was there.

A quick check of the app's plist file confirmed what we had found through quick and dirty trial and error: the supported url handlers were lync:// and sip://.

Now it was time to determine what exactly could be done with lync://. Searching the internet produced no useful information, so a more technical approach was required. A few minutes later we had the binary in IDA Pro; some simple analysis and a quick search for strings led us to the following method:

CMJoinMeetingDataManager + (char)handleOpenURL: (id)

IDA Pro control-flow graph of the method in question

This method told us that the lync url-handler used a confjoin path which in turn took a url parameter, most surely the URL of the online meeting provided by Lync conference calls.

With help from a friend we quickly realized, through experimentation and testing, that the url passed would be the Lync Server conference room URI. In the case of Office 365 they look like:

lync://confjoin?url=https://meet.lync.com/company/test/XXXXXX

where company is the name of the domain or company, test the username and XXXXXX the unique ID for that conference call. It was time to see whether we could exploit this the same way we exploited Chrome, Safari and FaceTime (video and audio calls).

Attack — Proof of Concept

Let us discuss how we can exploit this and what is necessary to do so.

Setting up the attack infrastructure

I gotta say it is a little ironic to use Office 365's own free trials to attack this, but hey, why not: it is free, it is in the cloud, and I have no need to host anything. Besides a burner phone, an attacker does not need to leave anything behind.

Office 365 Small Business trial, no credit card needed
Meeting set up by the malicious account.

Anyhow, after a few simple clicks and steps we had a free trial Office 365 account without any credit card or complicated setup. All that was needed was a non-VoIP SMS line to receive a confirmation code. Burner phones, anyone?

Once we had the account running, we found that, without even having to configure a proper domain, users or email servers, we had a working Office 365 account capable of reaching the calendar and Lync. This was done by completing step one of the email setup, clicking on the first step and saving to continue later ☺

Right after that, the Calendar tab was enabled, an arbitrary meeting was set up, and we were able to create an online meeting for which a link was provided to use and abuse, as shown in the screenshot below:

The Ishikawa attacker account starts the web Lync interface

Note: this information leak can be mitigated by Office 365 administrators so that only internal meetings are affected, by unchecking the default External Communication option under IM, Meeting and Conferencing. Sadly, most surely to provide a better Office 365 experience, it is ON by default: great for social engineers, bad for enterprise customers.

External communication default setting

It is worth noting that we did not test this on self-hosted Lync servers. We assume the vulnerability is still present there, but we guess it will require the users' domains to be federated. Nevertheless, this limitation could potentially be bypassed by reusing an old valid meeting ID, among other things.

Victim Jon Doe from the lyncl33t.com domain

Payload

Once we had a full url, all we needed was to craft a malicious site with an automated url-handler ( http://evilrovot.com/lync.com) that triggers the vulnerability when visited. Worth noting: this could easily be exploited through an XSS vulnerability and/or by controlling the content of a site in some other way.

lync.html

Proof of concept exploit based on previous research by @neculaesei

A quick message with the url, and after we clicked it, Lync was launched and automatically joined the conference without any confirmation or interaction. w00t!

Now, what else could we obtain? This is an enterprise Microsoft product; there had to be some other interesting piece of data available to us besides being able to force someone to call into an arbitrary conference.

Bingo: there is a Participants tab that shows all the participants that have joined the meeting, and the mobile application even keeps their contact cards, with all their information, for history records. OSINT treasure found, and then some more … :-)

In any case, the attacker could use the web meeting page or the mobile app. It is important to notice that the Lync app keeps records of all your calls and their information, so you can browse the calls you maliciously created, go to Participants and obtain the information:

List of participants

If you click on one of the participants, e.g. the Office 365 fake person:

Fake persona using Office 365 default configuration

Last but not least, we decided to do a real example call with real people to see if our assumptions were correct:

Conference Call with Travis

How much information leaks depends a lot on what the person, or organization, is sharing by default. But the fact that any attacker can force any Office 365 Lync user to join a call just by visiting a website, which means not only listening in on what the victims are saying for a moment but also obtaining the victim's contact information to completely identify who he/she is, does constitute a very significant information leak.

Now, it is worth noting that the actual vulnerability, or “abuse of features”, lies in the fact that the mobile and other applications do not prompt the user before joining a meeting; if a proper prompt screen popped up before the meeting is joined, this would be easily prevented.
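To make the two points above concrete, the confjoin url format described earlier and the missing confirmation prompt, here is an added example (not Microsoft's code, and not from the original post) that models the gate a url-handler should implement: parse the incoming lync:// URL, validate the meeting target, and refuse to join until a user confirmation callback says yes. The trusted host set, the company list and the callback are assumptions for the illustration.

```python
from urllib.parse import urlparse, parse_qs

# Assumption: meeting hosts an organization considers legitimate.
TRUSTED_MEETING_HOSTS = {"meet.lync.com"}


def parse_confjoin(raw):
    """Parse lync://confjoin?url=https://meet.lync.com/<company>/<user>/<id>.

    Returns a dict with the meeting details, or None when the URL is not a
    well-formed confjoin request (wrong scheme/path, missing url parameter,
    non-https target, or a target path that is not company/user/id).
    """
    u = urlparse(raw)
    if u.scheme != "lync" or u.netloc != "confjoin":
        return None
    target = parse_qs(u.query).get("url", [None])[0]
    if not target:
        return None
    m = urlparse(target)
    parts = [p for p in m.path.split("/") if p]
    if m.scheme != "https" or len(parts) != 3:
        return None
    return {"host": m.hostname, "company": parts[0],
            "organizer": parts[1], "conference_id": parts[2],
            "target": target}


def gate_join(raw, known_companies, confirm):
    """Decide what the handler should do with an incoming confjoin URL.

    confirm(info, external) stands in for the user-facing prompt; it gets
    the parsed details and whether the organizer is outside the user's own
    companies, so the dialog can warn about external meetings.
    Returns ("reject" | "declined" | "join", info).
    """
    info = parse_confjoin(raw)
    if info is None or info["host"] not in TRUSTED_MEETING_HOSTS:
        return ("reject", info)          # never auto-join on bad input
    external = info["company"] not in known_companies
    if not confirm(info, external):
        return ("declined", info)        # user said no
    return ("join", info)                # only path that joins the meeting


if __name__ == "__main__":
    # Constructed sample URL in the post's format (not a real meeting).
    sample = "lync://confjoin?url=https://meet.lync.com/acme/jdoe/ABC123"
    # Without a prompt the app joined silently; here a prompt is mandatory.
    print(gate_join(sample, {"corp"}, lambda i, ext: not ext))
```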

Final Thoughts

This vulnerability at first might not seem important, but any crafty social engineer targeting a specific company that uses Office 365 or the Microsoft technology stack could use it to compromise targets by creating a malicious Office 365 account and easily stealing user information, among other things, with almost no human interaction. In any case, a very interesting way to perform OSINT. ☺

Special Thanks to Travis Morrow @wired33 for all the help while researching and testing the vulnerability. You are a good friend and hacker.

Sympathy for evil, the nature of our game.

Timeline

9/16/14 — Issue was reported to Microsoft

9/17/14 — Issue assigned internal case 20384

9/23/14 — Update provided — still researching issue

10/6/14 — More information and details requested by Microsoft

10/6/14 — Detailed information provided, including a yet more detailed step-by-step Proof of Concept

10/13/14, 10/20/14, 10/24/14, etc. — Updates requested, no answer.

12/15/14 — Email sent to Microsoft with notice of 90 days.

12/31/14 — No update provided. Issue will be made public due to lack of fixing and response from team.

1/2/2015 — Section9Labs makes issue public.
