About a month ago I was chatting on Skype to a colleague about a payload for one of our clients. Completely by accident, my payload executed in my colleague's Skype client.
I decided to investigate a little further and found that the Windows and Linux clients were not vulnerable. It was only the Mac Skype client that seemed to be affected. So I decided to test another Mac and sent the payload to my girlfriend. She wasn't too happy with me, as it also left her Skype client unusable for several days.
At this point I had figured out what was needed to execute code. So I put together a proof of concept using Metasploit with Meterpreter as the payload. Lo and behold, I was able to remotely gain a shell.
After a lot of trouble trying to find the right person at Skype to notify, I was able to get the correct details for the Skype security team. I notified them of the security vulnerability and was given the standard:
"Thank you for showing an interest in Skype security, we are aware of this issue and will be addressing it in the next hotfix"
That was over a month ago and there still has not been a fix released. The long and the short of it is that an attacker needs only to send a victim a message and they can gain remote control of the victim's Mac. It is extremely wormable and dangerous.
Pure Hacking won't give specifics on how to perform this attack until a patch from Skype is released. However, we will give a full disclosure after Skype takes action or after a reasonable responsible-disclosure period has elapsed.
UPDATE: 09/05/2011 We can confirm that Skype has fixed this issue in 5.1.0.922. It requires a manual update. All prior versions are vulnerable. According to Skype, this patch will be pushed out next week.
UPDATE 2: 12/05/2011 A few other sites are disclosing the issue. It looks like we were not the only ones to discover this. It's essentially the same problem: failure to sanitize input before it is rendered. To answer a few questions in bulk:
I have not had time to test 2.8 but I will fire up a Mac VM when I get some time.
There are numerous ways to exploit this vulnerability (malware, DOM manipulation, CSRF, msf payloads, etc.). However, it all stems from one basic problem that I was surprised Skype overlooked.
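The class of bug described above, an incoming chat message rendered into an HTML view without sanitization, shown as added example code that is not from the original post or from Skype's client: the vulnerable string interpolation beside an escaping version, plus a tag-count check a tester could use to confirm that message-supplied markup no longer reaches the rendered view. The function names and the sample message are constructed for this illustration.

```javascript
// Added illustration (not Skype's code): rendering a chat message into an HTML
// view without escaping it lets markup inside the message become part of the DOM.

// Escape the five characters that can change HTML element or attribute context.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: sender and message are interpolated straight into markup.
function renderMessageUnsafe(sender, message) {
  return `<div class="msg"><b>${sender}</b>: ${message}</div>`;
}

// Hardened pattern: every untrusted field is escaped before it reaches the renderer.
function renderMessageSafe(sender, message) {
  return `<div class="msg"><b>${escapeHtml(sender)}</b>: ${escapeHtml(message)}</div>`;
}

// Count HTML tags (opening and closing) in a rendered fragment.
function countTags(html) {
  return (html.match(/<[a-zA-Z\/][^>]*>/g) || []).length;
}

// The template alone contributes a fixed number of tags; any surplus in the
// rendered output came from the sender or message fields.
const TEMPLATE_TAGS = countTags(renderMessageSafe('', ''));

function injectedTagCount(html) {
  return countTags(html) - TEMPLATE_TAGS;
}

// Constructed sample message carrying its own markup.
const SAMPLE_SENDER = 'alice';
const SAMPLE_MESSAGE = 'see <a href="http://example.test">this</a>';

// injectedTagCount(renderMessageUnsafe(...)) -> 2, renderMessageSafe(...) -> 0
```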