
Posts tagged ‘skype’


Mac OS X Skype 0day Remote Code Execution Vulnerability [Updated]

A fairly significant 0day vulnerability is being reported in the Skype client (< for Mac OS X. By sending a specially-crafted instant message, an attacker may be able to remotely execute code on the recipient’s computer and gain access to a root shell. This issue has been discovered (by accident it seems) by Gordon Maddern of Australian security consultancy Pure Hacking.

“About a month ago I was chatting on Skype to a colleague about a payload for one of our clients. Completely by accident, my payload executed in my colleague's Skype client. I decided to investigate a little further and found that the Windows and Linux clients were not vulnerable. It was only the Mac Skype client that seemed to be affected. […] Low and behold (sic) I was able to remotely gain a shell.”

It is believed that due to the relative simplicity in the delivery of the payload, it may be possible for this attack to be automated in the form of a worm. Skype are aware of this issue, but have yet to release a patch (see below). Mac users should be extra careful until a patch is made available, and in the short term I recommend quitting Skype when not using it, or at least checking that your Skype client is set to only allow messages from your contacts (Skype > Preferences > Privacy Tab > Allow Messages From: Contacts).

No further details or proof-of-concept of the vulnerability are available as of yet, although I’d be interested to see it… time to start pasting random Metasploit payloads into Skype! ;)

[Updated 8/5/2011] Skype addressed this vulnerability in version of the Mac OS X client. Run the updater by going to the Skype menu > Check for Updates, or download the latest  version here.

Full disclosure of the vulnerability is now available here. In short, the issue was a persistent XSS that could be used to redirect the user to a malicious website. Here’s the PoC attack string: "><script>document.location='';</script>


iPhones Make Automatic Skype Calls

A researcher has found that iPhones can be duped into making Skype calls without first prompting the user. This is due to the way that iOS handles URL Schemes, which are used by applications to launch other applications. Just like http:// tells Safari to open the specified website, tel:// tells the Phone app to call the specified number. For the key built-in schemes, such as tel://, the user is prompted to confirm that the action is intended.

Some applications define their own URL Schemes, and Skype is one such app. However, these third-party apps do not ask for permission before performing the actions defined by the URL. This potentially allows websites to track iPhone users (via the Mobile Safari User Agent), and then embed an invisible iframe that forces Skype to open (if installed) and call the number.

<iframe src="skype://1900expensivepremiumnumber?call"></iframe>

This is just one example of how this can be abused, and there are many other apps which may define their own URL Schemes.

There are two ways this should probably be fixed. First, Apple should prompt the user before switching to the app specified by the URL Scheme. So in the case of the iframe above, iOS would pop up a warning saying: “This website wants to open Skype”, and the user could click on OK/Cancel. Secondly, and in some ways more urgently, third-party app developers should prompt the user before performing actions based on a URL.
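
The second fix, sketched as an added example (not code from Skype or from the original post): a URL Scheme handler that parses the incoming URL strictly and asks the user before dialling. The logic is modelled in JavaScript so it can be run anywhere; `handleIncomingUrl`, `confirm`, `placeCall` and the `chat` action are assumptions made for illustration.

```javascript
// Added example: confirm-before-act gate for a custom URL Scheme handler.
// All function names here are hypothetical, not Skype's or Apple's API.

const KNOWN_ACTIONS = new Set(["call", "chat"]);   // "chat" is an assumed second action
const SENSITIVE_ACTIONS = new Set(["call"]);       // actions that can cost the user money

// Parse skype://<target>?<action>, the form used in the iframe above.
// The target is limited to a short allow-list of characters, so anything
// unexpected is rejected instead of being passed on to the dialler.
function parseSchemeUrl(raw) {
  const m = /^skype:(?:\/\/)?([A-Za-z0-9+._-]{1,64})\?([a-z]+)$/.exec(String(raw));
  if (!m || !KNOWN_ACTIONS.has(m[2])) return null;
  return { target: m[1], action: m[2] };
}

// confirm(message) -> boolean stands in for a modal OK/Cancel dialog.
// placeCall(target) stands in for the app's dialling routine.
function handleIncomingUrl(raw, { confirm, placeCall }) {
  const req = parseSchemeUrl(raw);
  if (!req) return "rejected";                     // malformed URL or unknown action

  if (SENSITIVE_ACTIONS.has(req.action)) {
    // The URL arrived from outside the app (a web page, another app),
    // so show the exact target and let the user decide.
    const ok = confirm(`Call ${req.target}? This was requested by a link outside the app.`);
    if (!ok) return "cancelled";
  }

  if (req.action === "call") {
    placeCall(req.target);
    return "called";
  }
  return "opened-chat";
}

// Constructed demo: the iframe URL from the post, with the user pressing Cancel.
function demo() {
  const dialled = [];
  const prompts = [];
  const result = handleIncomingUrl("skype://1900expensivepremiumnumber?call", {
    confirm: (msg) => { prompts.push(msg); return false; },
    placeCall: (target) => dialled.push(target),
  });
  return { result, dialled, prompts };
}

console.log(demo());
```
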