Saturday, May 7, 2011

Skype IM (Mac OS X) - Is this the 0day?


Recently we came across the news of a Skype 0day that results in remote exploitation on Mac OS X. We had discovered the same pattern of vulnerability in Skype two months ago. We had not yet reported it to the vendor because we were still testing it, looking at the malware angle of this vulnerability (whether it can be exploited to download malware onto Mac OS X).


Firstly, we are not sure whether the researchers are talking about the same vulnerability, because the news is out but the vulnerability details are missing everywhere. So our team decided to take a step in this direction and present the details of the vulnerability we discovered in Skype running on Mac OS X.

Discussion:
JavaScript is used extensively in all web related platforms. The Skype application on Mac OS X uses JavaScript too (most chat clients do, so not a big deal). This vulnerability does not affect Skype running on Windows or Linux. Skype fails to correctly handle payloads that are sent as hyperlinks in the chat window. Only legitimate users in the victim's contact list can exploit it. The attacker only requires a suitable payload to exploit this issue. Basically, we call it Skype Remote Scripting (Injection).

Working:
In order to trigger this vulnerability, you need a vulnerable website that can be used as an agent to carry the payload. For example, an attacker can use a third-party vulnerable website to trigger scripting injection in Skype (Mac OS X). Generally, the following holds:

1. If an attacker sends a remote script payload as [script]alert(document.location);[script], Skype filters this injection in the chat engine, which is quite normal. We have used square brackets for representation; for real injections one has to use angle brackets as in XSS payloads.

2. Skype (Mac OS X) fails to filter the injection when the payload is sent as part of a third-party vulnerable website hyperlink, as follows:
http://www.vulnerablewebsite.com/index.php?url=[script]alert(document.location);[script]

A = http://www.vulnerablewebsite.com/index.php?url=
B = [script]alert(document.location);[script]


Skype fails to treat it as one hyperlink (A+B). As a result, part B executes in the context of Skype (Mac OS X), resulting in remote scripting in Skype.


3. An attacker can use DOM injection to write arbitrary content in the chat window. There can be advanced variations of it.

4. Since Mac OS X runs applications with the .app extension, it is possible to download malicious applications through Skype. One can also open Safari automatically using DOM calls such as "window.open".

5. This vulnerability does not require any user interaction and runs the payload directly. One has to be careful because the payload executes in both chat windows if both the attacker and the victim are using Skype (Mac OS X). An attacker can use Skype on Windows or Linux to execute this attack.
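As an added example (not code from this post or from Skype), here is a small JavaScript model of the A+B behaviour described in steps 2 and 5: a naive chat-message renderer that ends the hyperlink at the first angle bracket and passes the remainder through as markup, beside a hardened renderer that treats the whole token as the URL and escapes everything it emits. The sample message is constructed; www.vulnerablewebsite.com is the post's own placeholder host.

```javascript
// Model of the flaw and its fix. Not Skype's code; a stand-in for how a chat
// client turns message text into HTML.

// Escape the five characters that matter in HTML text and attribute values.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// A token is a link candidate only if it parses as an http(s) URL.
function isHttpUrl(token) {
  try {
    const u = new URL(token);
    return u.protocol === 'http:' || u.protocol === 'https:';
  } catch (e) {
    return false;
  }
}

// Flawed model (the behaviour the post describes): the link is cut at the
// first '<' (end of part A) and part B is concatenated into the HTML unescaped,
// so it lands in the DOM as live markup instead of staying inside the URL.
function renderChatMessageNaive(text) {
  return text.split(/(\s+)/).map((tok) => {
    if (!isHttpUrl(tok)) return tok;
    const cut = tok.indexOf('<');
    const href = cut === -1 ? tok : tok.slice(0, cut);
    const rest = cut === -1 ? '' : tok.slice(cut);
    return `<a href="${href}">${href}</a>${rest}`;
  }).join('');
}

// Hardened model: the whole token is the URL (A+B stays one hyperlink). The
// href is percent-encoded and then attribute-escaped; the link text and every
// non-link token are text-escaped, so '<script>' can only ever appear as text.
function renderChatMessageSafe(text) {
  return text.split(/(\s+)/).map((tok) => {
    if (!isHttpUrl(tok)) return escapeHtml(tok);
    const href = escapeHtml(encodeURI(tok));
    return `<a href="${href}" rel="noopener noreferrer">${escapeHtml(tok)}</a>`;
  }).join('');
}

// Constructed sample message in the A+B shape from step 2.
const SAMPLE = 'see http://www.vulnerablewebsite.com/index.php?url=<script>alert(document.location);</script> now';
```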

Some of the PoCs are presented in the snapshots below, which show the execution of this vulnerability.

Injection 1: (snapshot)

Injection 2: (snapshot)

Injection 3: (snapshot)
This is really devastating from a security point of view. All versions before 5.1.0.922 are vulnerable. However, we still think variations of this type of issue are possible, and vulnerable versions can be exploited differently. Since it executes scripts, we can say that this vulnerability could be used for worm infections.

Is this the 0day Skype bug? Let's see what the other researchers release.