Skype 0day vulnerability discovered by Pure Hacking

About a month ago I was chatting on Skype with a colleague about a payload for one of our clients. Completely by accident, my payload executed in my colleague's Skype client.

I decided to investigate a little further and found that the Windows and Linux clients were not vulnerable. Only the Mac Skype client seemed to be affected. So I decided to test another Mac and sent the payload to my girlfriend. She wasn't too happy with me, as it also left her Skype unusable for several days.

At this point I had figured out what was needed to execute code, so I put together a proof of concept using Metasploit with a Meterpreter payload. Lo and behold, I was able to remotely gain a shell.

After a lot of trouble trying to find the right person at Skype to notify, I was able to get the correct details for the Skype security team. I notified them of the security vulnerability and was given the standard:

"Thank you for showing an interest in Skype security, we are aware of this issue and will be addressing it in the next hotfix"

That was over a month ago and there still has not been a fix released. The long and the short of it is that an attacker needs only to send a victim a message and they can gain remote control of the victim's Mac. It is extremely wormable and dangerous.

Pure Hacking won't give specifics on how to perform this attack until a patch from Skype is released. However, we will give a full disclosure after Skype takes action or after a reasonable responsible-disclosure period.

UPDATE: 09/05/2011 We can confirm that Skype has fixed this issue in 5.1.0.922. It requires a manual update; all prior versions are vulnerable. According to Skype, this patch will be pushed out next week.

UPDATE 2: 12/05/2011 A few other sites are disclosing the issue. It looks like we were not the only ones to discover this. It's essentially the same problem: failure to sanitize input before it is rendered. To answer a few questions in bulk:

I have not had time to test 2.8, but I will fire up a Mac VM when I get some time.

There are numerous ways to exploit this vulnerability, e.g. malware, DOM manipulation, CSRF, msf payloads, etc. However, it all stems from one basic problem that I was surprised Skype overlooked.
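The root cause the post names is chat text being rendered as markup without first being escaped. The following is an added illustration of that class of bug, not code from Pure Hacking or from Skype and not the payload the post withholds: a hypothetical HTML chat renderer in its unsafe and hardened forms, run over a constructed sample message. The function names escapeHtml, renderUnsafe, renderSafe, containsInjectedTag and the sample payload are all assumptions made for the example.

```javascript
// Added example (hypothetical renderer, not Skype's code): why untrusted
// chat text must be escaped before it is placed into HTML.

// Escape the five characters that change meaning in an HTML text context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Unsafe: sender and message text are concatenated straight into markup,
// so any tag in the message becomes live DOM when the fragment is rendered.
function renderUnsafe(sender, text) {
  return `<div class="msg"><b>${sender}</b>: ${text}</div>`;
}

// Hardened: every untrusted field is escaped for the context it lands in.
// In a real client, building the node with document.createElement and
// setting textContent achieves the same thing without string assembly.
function renderSafe(sender, text) {
  return `<div class="msg"><b>${escapeHtml(sender)}</b>: ${escapeHtml(text)}</div>`;
}

// Constructed sample message carrying markup (illustrative only).
const SAMPLE = { sender: "mallory", text: '<img src=x onerror="alert(1)">' };

// Simple check a reviewer can run over rendered output: does an
// attacker-supplied tag survive into the fragment as a real element?
function containsInjectedTag(html) {
  return /<img\b/i.test(html);
}

// Render the sample both ways so the difference can be inspected or asserted.
function demo() {
  return {
    unsafe: renderUnsafe(SAMPLE.sender, SAMPLE.text),
    safe: renderSafe(SAMPLE.sender, SAMPLE.text),
  };
}

console.log(demo());
```

The escaped form is correct only for the HTML text context; text that ends up inside an attribute, a URL or a script block needs escaping for that context instead, and a renderer that cannot say which context a field lands in should not be building markup from strings at all.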

girish gulawani   05/12/11 17:33

Skype is pushing the 5.1.0.935 update now.

Anonymous   05/11/11 18:41

My Skype has been crashing a lot, especially when placing calls. I would get a crash trace. Sometimes it would crash just after booting it up. I'm downloading Skype_5.1.60.947.dmg right now. Is this the patched one?

Gordon Maddern   05/11/11 23:45

Anything past 5.1.60.922 is patched.

Anonymous   05/11/11 08:15

Please, please, please tell us about 2.8.x. Version 5 is really horrible and a *lot* of people will choose to stay with 2.8 if that's possible.

Boz   05/10/11 09:49

Hi Gordon, nice find... We should catch up for beers soon.

seonickname   05/09/11 22:22

Good post, I'll probably retweet it)))

Gordon Maddern   05/11/11 23:46

Thanks

charles ryder   05/09/11 20:06

I know you're a busy man, but there will be a lot of grateful people if you can let us know about the situation with version 2.8.

oldIsBetter   05/09/11 16:58

Could you confirm if 2.8 is affected as well?
Would hate to have to update to a worse user interface =(

Keep up the good work helping us stay safer!

Olaf Marzocchi   05/09/11 09:37

Hello, what about the old version?
http://mac.oldapps.com/skype.php?old_skype=37

Anonymous   05/09/11 08:21

First go for ZDI always. You can earn money legitimately.

Gordon Maddern   05/11/11 23:47

We are not interested in money. We are interested in making the community safer

Pike   05/09/11 05:56

Being a Skype on Mac user, I am really looking forward to more info. Since the patch has already been released by Skype, when can the public get more details about the issue? This has really gotten my curiosity :D. Maybe this might give a little peek into the internals of Skype, which is otherwise inaccessible (encrypted).

-Pike

Gordon Maddern   05/09/11 07:29

The patch is available via a manual update, which most people don't know to do. Once Skype pushes the automatic update we will give more details.

Gray   05/09/11 22:29

No one has said where the manual update is available from. If it is so bad, why are Skype taking so long to put an update out?

th3phantom   05/09/11 04:21

It's time to post the details, dude.

mike   05/08/11 23:50

How do I know if I am infected by a worm coming through this issue? Is there a way to check this? I got a strange message from an unknown person (spam) to my Skype account recently...
Thanks for your feedback.

Gordon Maddern   05/09/11 07:30

As far as we are aware it is not being exploited in the wild, although I have seen other pages talking about the issue. I am sure we are not the only ones to find this. Perhaps just the first to report on it and try to get a fix pushed out.

Anonymous   05/08/11 22:10

What versions of Skype for Mac are affected?

Anonymous   05/08/11 17:05

Anyone tried that exploit against the 2.8 version?

andi   05/08/11 13:33

If you want some protection without waiting for Skype, do this:
https://github.com/pansen/macos-sandbox-profiles

I created a sandbox file for that.

Cheers, andi

Anonymous   05/08/11 10:09

Well, even if you don't give a full disclosure, a workaround would be appreciated by most users who care about security.

Gordon Maddern   05/09/11 07:32

If you do a manual update now you will get the fix. However, we won't be releasing any info until the majority of users are safe, when Skype decides to push the patch out next week.

Alexey   05/07/11 20:03

Skype for Mac #security issue patched in v 5.1.0.922, pushed next week. Manual update for now.

Gordon Maddern   05/08/11 08:31

This is correct. Currently not fixed unless you manually update with that patch.

user ;)   05/07/11 19:38

Does this vulnerability apply to iOS also?

Gordon Maddern   05/08/11 08:32

Not sure but you got me thinking. I will have to find out.

Gordon Maddern   05/09/11 07:32

I can confirm that it doesn't affect iOS version 3.1.

Anonymous   05/07/11 18:46

My skype name is zopayaso ;)

WILD WILLIAM   05/07/11 18:45

I WAS SO EXCITED ABOUT SKYPE THAT I WAS READY TO DO IT WITH ALL MY FAMILY -- BUT!! AFTER LEARNING ABOUT THIS HACKING STUFF I'M NOT SO SURE NOW.......

06/05/2011 | Written By Gordon Maddern | 63,697 Hits