Recently we came across news of a Skype 0-day that results in remote exploitation on Mac OS X. We had discovered the same pattern of vulnerability in Skype two months ago.
We had not yet reported it to the vendor because we were still testing it: specifically, we were looking at the malware angle of this vulnerability (whether it could be exploited to download malware onto Mac OS X).
We are not sure whether the researchers are talking about the same vulnerability, because the news reports we have seen do not include any vulnerability details.
So our team decided to take a step in this direction and present the details of the vulnerability we discovered in Skype running on Mac OS X.
Skype fails to distinguish between ordinary hyperlinks and payloads that are sent as hyperlinks in the chat window. Only users on the victim's contact list can exploit it, and the attacker needs nothing more than a suitable payload. We call it Skype Remote Scripting (Injection).
To trigger this vulnerability, you need a vulnerable third-party website that can act as an agent to carry the payload: the attacker embeds the scripting injection in a hyperlink to that site and sends it over Skype (Mac OS X). The behaviour we observed is as follows:
1. If an attacker sends a remote script payload on its own, such as [script]alert(document.location);[/script], Skype's chat engine filters the injection, which is the expected behaviour. We use square brackets here for representation only; real injections use angle brackets, as in ordinary XSS payloads.
2. Skype (Mac OS X) fails to filter the same payload when it is sent as part of a hyperlink to a vulnerable third-party website, for example:
A = http://www.vulnerablewebsite.com/index.php?url=
B = [script]alert(document.location);[/script]
Skype does not handle A+B as a single hyperlink. As a result, the B part is rendered and executes in the context of Skype (Mac OS X), which gives remote scripting inside Skype.
3. An attacker can use DOM injection to write arbitrary content into the chat window. More advanced variations are possible.
4. Since Mac OS X runs applications with the .app extension, it is possible to push a download of a malicious application through Skype. One can also launch Safari automatically using DOM calls such as window.open.
5. This vulnerability requires no user interaction; the payload runs as soon as the message is rendered. One has to be careful because if both the attacker and the victim are using Skype (Mac OS X) the content executes in both chat windows. The attacker can therefore use Skype on Windows or Linux to carry out the attack safely.
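As an added illustration (not Skype's code and not from the original post), the following JavaScript models the gap described in points 1 and 2: a chat renderer that escapes ordinary text but writes anything it recognises as a hyperlink into the markup unescaped. The hostname and the split into "escaped text" and "verbatim link" handling are assumptions made for the example; the hardened variant shows the fix, which is to escape the URL like any other text in both the href attribute and the link text.

```javascript
// Added example, not Skype's code: a minimal model of the filtering gap
// described in points 1 and 2 above. The split between escaped plain text
// and verbatim link insertion is a constructed model of the reported
// behaviour, not a claim about Skype's internals.

const URL_RE = /https?:\/\/\S+/g;

// Standard HTML entity escaping for text nodes and attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable model: plain-text segments are escaped, so a bare <script>
// tag is neutralised (point 1), but each detected URL is written into the
// markup unescaped (point 2), so whatever is glued onto the query string
// reaches the chat window as live markup.
function renderVulnerable(message) {
  let html = '';
  let last = 0;
  for (const m of message.matchAll(URL_RE)) {
    html += escapeHtml(message.slice(last, m.index));
    html += `<a href="${m[0]}">${m[0]}</a>`; // URL inserted verbatim
    last = m.index + m[0].length;
  }
  return html + escapeHtml(message.slice(last));
}

// Hardened model: identical link detection, but the URL goes through the
// same escaping as ordinary text, in the href attribute and in the link
// text, so a payload appended to the URL stays inert.
function renderHardened(message) {
  let html = '';
  let last = 0;
  for (const m of message.matchAll(URL_RE)) {
    html += escapeHtml(message.slice(last, m.index));
    const safe = escapeHtml(m[0]);
    html += `<a href="${safe}">${safe}</a>`;
    last = m.index + m[0].length;
  }
  return html + escapeHtml(message.slice(last));
}

// Constructed messages mirroring the post's A and B parts. The hostname is
// the placeholder used in the post, not a real target.
const A = 'http://www.vulnerablewebsite.com/index.php?url=';
const B = '<script>alert(document.location);</script>';

// Does the rendered markup still contain a live <script> element?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log('bare payload, vulnerable renderer:', renderVulnerable(B));
console.log('A+B payload,  vulnerable renderer:', renderVulnerable(A + B));
console.log('A+B payload,  hardened renderer  :', renderHardened(A + B));
```

Run it with node: the first line shows the bare payload neutralised by escaping, the second shows the A+B payload reaching the markup with a live script tag, and the third shows the hardened renderer emitting only entities. The check generalises to any chat client that linkifies messages: whatever the URL detector captures must still pass through the same escaping as plain text, otherwise the link detector becomes a bypass for the text filter.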
Some of the proofs of concept are shown in the snapshots below, which demonstrate the execution of this vulnerability.