Skype 0day vulnerability discovered by Pure Hacking

About a month ago I was chatting on Skype to a colleague about a payload for one of our clients. Completely by accident, my payload executed in my colleague's Skype client.

I decided to investigate a little further and found that the Windows and Linux clients were not vulnerable. It was only the Mac Skype client that seemed to be affected. So I decided to test another Mac and sent the payload to my girlfriend. She wasn't too happy with me as it also left her Skype unusable for several days.

At this point I figured out what was needed to execute code. So I put together a proof of concept using Metasploit and Meterpreter as a payload. Lo and behold, I was able to remotely gain a shell.

So after a lot of trouble trying to find the right person at Skype to notify, I was able to get the correct details for the security team at Skype. I notified them of the security vulnerability and I was given the standard:

"Thank you for showing an interest in Skype security, we are aware of this issue and will be addressing it in the next hotfix"

That was over a month ago and there still has not been a fix released. The long and the short of it is that an attacker needs only to send a victim a message and they can gain remote control of the victim's Mac. It is extremely wormable and dangerous.

Pure Hacking won't give specifics on how to perform this attack until a patch from Skype is released. However, we will give a full disclosure after Skype takes action or a reasonable responsible disclosure time.

UPDATE: 09/05/2011 We can confirm that Skype has fixed this issue in 5.1.0.922. It requires a manual update. All prior versions are vulnerable. According to Skype this patch will be pushed out next week.

UPDATE 2: 12/05/2011 A few other sites are disclosing the issue. It looks like we were not the only ones to discover this. It's essentially the same problem: a failure to sanitize input before it's rendered. To answer a few questions in bulk:

I have not had time to test 2.8 but I will fire up a Mac VM when I get some time.

There are numerous ways to exploit this vulnerability, i.e. malware, DOM manipulation, CSRF, msf payloads etc. However, it all stems from one basic problem that I was surprised Skype overlooked.
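The basic problem named above is a message renderer that drops untrusted chat text straight into HTML. The following JavaScript is an added example, not Skype's code and not from the original post: it shows the unsafe rendering pattern beside the encoded one, plus a simple flag a defender can log on; the chat-bubble markup, the function names and the sample message are all constructed assumptions.

```javascript
// Added example: encode chat text before it is rendered as HTML.
// Not Skype's code; markup, names and the sample message are assumptions.

// Entity map for the five characters that can change the parse context
// when untrusted text is placed inside an element's body.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);
}

// Vulnerable pattern: the message body is concatenated straight into markup,
// so any tag inside the message becomes part of the rendered document.
function renderUnsafe(sender, message) {
  return `<div class="msg"><b>${sender}</b>: ${message}</div>`;
}

// Hardened pattern: every untrusted field is encoded before concatenation,
// so the message is rendered as literal text whatever it contains.
function renderSafe(sender, message) {
  return `<div class="msg"><b>${escapeHtml(sender)}</b>: ${escapeHtml(message)}</div>`;
}

// Detection helper: true when the raw message contains something an HTML
// parser would treat as a tag or entity (a "<" directly followed by a tag
// name, or "&name;"). Suitable for logging or alerting, not for filtering.
function looksLikeMarkup(message) {
  return /<\/?[a-z!?]/i.test(message) || /&#?\w+;/.test(message);
}

// Constructed sample message carrying tags, as an abusive message would.
const SAMPLE_SENDER = 'alice';
const SAMPLE_MESSAGE = 'hi <b>there</b> & <script>1</script>';

// Render the sample both ways and report whether it would have been flagged.
function demo() {
  return {
    unsafe: renderUnsafe(SAMPLE_SENDER, SAMPLE_MESSAGE),
    safe: renderSafe(SAMPLE_SENDER, SAMPLE_MESSAGE),
    flagged: looksLikeMarkup(SAMPLE_MESSAGE),
  };
}

console.log(demo());
```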

Gordon Maddern   05/08/11 08:34

Skype is still a really good product. I am also happy to see that after our blog post Skype will be pushing a patch next week.

Andi Wundsam   05/07/11 12:10

I would be very interested to know if the exploit you describe is also present in the last 2.8 version of the Skype client for Mac (2.8.0.851). Like many others, I have not yet upgraded to version 5 because I am unhappy with the UI redesign. It would be good to know whether it's safe to continue doing so.

Skype claims it will fix the vulnerability in version 5.1.922, but says nothing about 2.8.

Could you test your exploit against a 2.8 client for verification?

Andi Wundsam   05/10/11 08:25

Gordon Maddern   05/08/11 08:35

I just need to find an old version. Have you got a URL?

Olaf   05/08/11 22:41

Old versions are found on mac.oldapps.com:
http://mac.oldapps.com/skype.php?old_skype=37

Anonymous   05/08/11 22:08

Demian Turner   05/08/11 17:57

Olaf   05/08/11 15:28

http://skype.softonic.it/mac

Please check the latest of the 2.8 series, it is used by many people not wanting to get the 5.x branch.

LaC   05/08/11 12:08

Anonymous   05/08/11 11:28

Here is the link to Skype's download page for 2.8. They have reinstated this after the flood of criticism regarding 5.1 UI.

http://www.skype.com/intl/en-us/get-skype/on-your-computer/macosx/2-8

Thank you.

Anonymous   05/07/11 11:25

Does this exploit apply to Skype version 2.8.0.866? Many users refuse to switch to the current 5.1 due to the hideous user interface.

CalperniaUSA   05/07/11 10:47

Most of the blogtalkradio.com shows are done through Skype conferencing with interactive web components such as chat rooms.

Would being logged into these chat rooms to listen to the show create environments for shell access?

Thank you.

Gordon Maddern   05/08/11 08:41

I am not sure how those work as I don't use them. But basically you just need to send someone a message.

Mike   05/07/11 10:25

Skype claims this is fixed in the April 14 update, in version 5.1.0.922. Can you confirm this? If confirmed, will you be releasing details?

nora   05/07/11 08:16

Thank you guys. You are my heroes.

SkypeMonkey   05/07/11 00:20

Great find! Truly scary.
Many of us would like to know if this affects 2.8.
As you know, the UI of Skype 5.x is so bad that tons of people have downgraded back to 2.8.

Anon   05/06/11 23:14

Already patched guys. Time to update your blog post :P

http://blogs.skype.com/security/2011/05/security_vulnerability_in_mac.html

Gordon Maddern   05/08/11 08:30

"We subsequently released a hotfix for this problem in a minor update (Skype for Mac version 5.1.0.922) on April 14th. As there were no reports of this vulnerability being exploited in the wild, we did not prompt our users to install this update, as there is another update in the pipeline that will be sent out early next week."

Did not prompt :) . Almost all users are on 5.1.0.914 which in their head is the latest version.

Chaim Haas   05/06/11 22:49

The vulnerability in question was addressed by Skype in mid-April - see the post on their security blog - http://bit.ly/iFn7Lo.

David Baumgold   05/06/11 22:47

What versions of Skype for Mac are affected?

auto12232   05/06/11 20:47

Check the spelling in the headline; it is vulnerability. If you spell it wrong no one will believe you. Take out the "i" between the t and y.

Gordon Maddern   05/08/11 08:43

Good spot. I will fix that up when I am in the office.

Mike   05/06/11 20:07

Any word on versions affected, at least? Can you mitigate by unchecking the auto-accept of attachments, even from known contacts?

Gordon Maddern   05/08/11 08:49

It's the latest version. It also has nothing to do with attachments. It's triggered by sending a user a message.

Anonymous   05/06/11 16:37

what version of skype?

Gordon Maddern   05/09/11 07:34

Anything less than x.x.922, although I haven't had time to test the 2.x version yet.

Anonymous   05/06/11 11:48

1 month is enough, release the details!

Gordon Maddern   05/09/11 07:35

This does not help the security community nor your average Mac user.

mg   05/10/11 12:23

It doesn't? At least I could check if I am vulnerable.

Gordon Maddern   05/11/11 23:50

You are vulnerable unless you're running 5.x.x.922 or higher.

06/05/2011 | Written By Gordon Maddern | 62,367 Hits