Skype for business is also vulnerable to the autodiscovery issue

An issue in WPAD proxy automatic configuration was first discovered by Maxim Andreev back in 2015 at the MailRu group security meet-up and then was presented by Maxim Goncharov at BlackHat US 2016 (slides).

This year Ilya Nesterov and Maxim Goncharov presented a continuation of this research and extend the coverage to MS Exchange email clients at BlackHat Asia 2017 (paper, slides).

I really liked all of the above discoveries and I looked a little in the same direction for other protocols with the same mechanisms. The Lync/Skype for business service was the one of it. Please find the results of this study below.

To understand Lync autodiscovery I highly recommend to read these two articles:

To check how many clients are vulnerable to this issue I just registered following domains:

And then started an Nginx to listen what would happen… And the traffic went! It’s about 3168 requests from Jun 19 to Jun 24.

Image for post
Image for post

Please the list of vulnerable clients (from User-Agent header):

I sent all the detail to MFST at Jul 14 2017 (MSRC Case 39311 TRK:0461001598) and received back the answer that it’s not an issue.

Based on the team’s analysis of the code and the log you provided, it appears that you are seeing these requests due to the usernames being entered incorrectly. The logins consist of only a username and a TLD (biz, org, info, etc.) with no domain specified. This is not a vulnerability, as user input cannot be controlled to ensure that a valid domain is entered in the request. The one domain that does appear in the log you provided has a misconfigured DNS entry which is why you are seeing the requests.

The End! But I’m still not sure that it’s just a users’ mistypes because of the big number of requests.

CEO at Wallarm. Application security platform to prevent threats and discover vulnerabilities in a real-time.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store