Skype IM (Mac OS X) - Is This the Zero-Day?

Sunday, May 08, 2011

Rohit Bansal


Recently we came across news of a Skype 0-day that results in remote exploitation on Mac OS X. We had discovered the same pattern of vulnerability in Skype two months ago.

We had not yet reported it to the vendor because we were still testing the malware angle of this vulnerability (whether it can be exploited to download malware onto Mac OS X).

Firstly, we are not sure whether the researchers are talking about the same vulnerability, because we have seen the news but the vulnerability details are missing everywhere.

So our team decided to take a step in this direction and present the details of the vulnerability we discovered in Skype running on Mac OS X.

Discussion:

JavaScript is used extensively across web-related platforms, and the Skype client on Mac OS X uses it too (most chat clients do, so that alone is nothing unusual). This vulnerability does not affect Skype on Windows or Linux.

Skype fails to distinguish payloads that are sent as hyperlinks in the chat window. Only users in the victim's contact list can exploit it; the attacker needs only a suitably crafted payload. We call this Skype Remote Scripting (Injection).

Working:

To trigger this vulnerability, one needs a vulnerable website that can act as the carrier for the payload. For example, an attacker can use a third-party vulnerable website to trigger scripting injection in Skype (Mac OS X). In general, the following holds:

1. If an attacker sends a remote script payload such as [script]alert(document.location);[script], Skype filters this injection in the chat engine, which is the normal behaviour. We use square brackets here for representation; a real injection would use angle brackets, as in XSS payloads.

2. Skype (Mac OS X) fails to filter the injection when the payload is sent as part of a third-party vulnerable website's hyperlink, as follows:

http://www.vulnerablewebsite.com/index.php?url=[script]alert(document.location);[script]

A = http://www.vulnerablewebsite.com/index.php?url=
B = [script]alert(document.location);[script]

Skype fails to treat (A+B) as one hyperlink. As a result, part B executes in the context of Skype (Mac OS X), resulting in remote scripting inside Skype.

3. An attacker can use DOM injection to write arbitrary content into the chat window; there can be more advanced variations of this.

4. Since Mac OS X runs applications with the .app extension, it is possible to download malicious applications through Skype. One can also launch Safari automatically using DOM calls such as "window.open".

5. This vulnerability requires no user interaction; the payload runs directly. Be careful: it can execute content in both chat windows if both the attacker and the victim are using Skype on Mac OS X. The attacker can use Skype on Windows or Linux to carry out this attack.

Some of the PoCs are presented in the snapshots below, which support the execution of this vulnerability.
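To make the filter gap described in points 1 and 2 concrete, here is an added illustration (not Skype's code, and not from the original post) of a chat-line renderer that escapes a bare script tag but lets the same tag through once it trails a hyperlink, beside a hardened renderer that escapes the whole message before linkifying. The message strings are constructed from the A and B parts above; the function names and the flawed renderer's internal logic are assumptions for the sake of the demonstration.

```python
import html
import re
from urllib.parse import quote

# Constructed sample messages (angle brackets, as the post says real injections use).
PLAIN_INJECTION = "<script>alert(document.location);</script>"
LINK_INJECTION = ("http://www.vulnerablewebsite.com/index.php?url="
                  "<script>alert(document.location);</script>")

URL_RE = re.compile(r'https?://[^\s<>"]+')
ANCHOR_RE = re.compile(r'</?a\b[^>]*>')


def naive_render(message: str) -> str:
    """Flawed renderer mirroring the behaviour the post describes (assumed logic,
    not Skype's code): a bare <script> tag is escaped, but once a hyperlink is
    recognised, the link stops at the first '<' and the tail (part B) is emitted
    as raw HTML instead of being escaped."""
    if message.lstrip().startswith("<script"):
        return html.escape(message)        # the direct injection is filtered
    m = URL_RE.match(message)
    if m is None:
        return html.escape(message)
    url = m.group(0)                       # part A only: URL_RE excludes '<'
    tail = message[m.end():]               # part B, passed through unescaped
    return f'<a href="{url}">{url}</a>{tail}'


def safe_render(message: str) -> str:
    """Hardened renderer: escape the whole message first, then linkify on the
    escaped text, so no character from the message can open a tag. The href
    is percent-encoded and attribute-escaped separately."""
    escaped = html.escape(message, quote=True)

    def to_anchor(m):
        text = m.group(0)                  # already escaped; cannot contain '<'
        href = quote(html.unescape(text), safe=":/?&=#%")
        return f'<a href="{html.escape(href, quote=True)}">{text}</a>'

    return URL_RE.sub(to_anchor, escaped)


def contains_foreign_markup(rendered: str) -> bool:
    """Detection check: True if anything other than the anchors the renderer
    itself emits survives as markup in the rendered chat line."""
    return "<" in ANCHOR_RE.sub("", rendered)
```

Run `contains_foreign_markup` over the output of each renderer for `LINK_INJECTION` to see the bypass on the naive side and its absence on the hardened side.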

More Information:

http://secniche.blogspot.com/2011/05/skype-im-mac-os-x-is-this-0day.html

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.