This advisory discusses a remote scripting injection issue with Skype on Mac OS X.
Recently, we came across the news of a Skype 0-day (<http://www.purehacking.com/blogs/gordon-maddern/skype-0day-vulnerabilitiy-discovered-by-pure-hacking>) that results in remote exploitation on Mac OS. However, we had also discovered the same pattern of vulnerability in Skype two months ago. For testing reasons, we did not report it to the vendor at the time, because we were looking at the malware paradigm related to this vulnerability (whether it can be exploited to download malware on Mac OS X). Firstly, we are not sure whether the researchers are talking about the same vulnerability: we have seen the news, but the vulnerability details are missing everywhere. So our team decided to take a step in this direction. We present here the details of the vulnerability that we discovered in Skype running on Mac OS.
Discussion:
JavaScript is used extensively in all web-related platforms. The Skype application on Mac OS uses JavaScript too (most chat clients do, so that is not a big deal). This vulnerability does not affect Skype running on Windows or Linux. Skype fails to distinguish legitimate hyperlinks from script payloads that are sent as hyperlinks in the chat window. Only users in the victim's contact list can exploit it. The attacker only requires a suitable payload to exploit this issue. Basically, we call it Skype Remote Scripting (Injection).
Working:
In order to trigger this vulnerability, one needs a vulnerable website that can be used as an agent to carry the payload. For example, an attacker can use a third-party vulnerable website to trigger scripting injection in Skype (Mac OS). Generally, the following holds:
1. If an attacker sends a remote script payload directly as [script]alert(document.location);[script], Skype filters this injection in the chat engine, which is quite normal. We have used square brackets (for representation); for real injections one has to use angle brackets, as in XSS payloads.
2. Skype (Mac OS) fails to filter the injection when the payload is sent as part of a third-party vulnerable website's hyperlink, as follows:
http://www.vulnerablewebsite.com/index.php?url=[script]alert(document.location);[script]
A = http://www.vulnerablewebsite.com/index.php?url=
B = [script]alert(document.location);[script]
Skype fails to treat this as one hyperlink (A+B). As a result, the B part executes in the context of Skype (Mac OS), resulting in remote scripting in Skype.
3. An attacker can use DOM injection to write arbitrary content into the chat window. There can be advanced variations of this.
4. Since Mac OS runs applications with the .app extension, it is possible to download malicious applications through Skype. One can also trigger Safari automatically using DOM calls such as "window.open".
5. This vulnerability does not require any user interaction and runs the payload directly. One has to be careful because it executes content in both chat windows if both attacker and victim are using Skype (Mac OS). An attacker can use Skype on Windows or Linux to carry out this attack.
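The following is an added example, not Skype's code and not part of the original advisory. It models the symptom described in steps 1 and 2 with a hypothetical chat renderer: plain text is HTML-escaped (so a bare script payload is filtered), but a detected hyperlink is emitted unescaped, so the same payload carried in a URL's query string is rendered as live markup. `safeLinkify` shows the fix: the URL token is escaped everywhere it is emitted, so the A+B string stays one inert hyperlink.

```javascript
// Models a chat renderer with the Skype (Mac OS) symptom: bare <script> text
// is filtered, but a URL-carried payload is inserted unescaped.
const URL_RE = /https?:\/\/\S+/g;   // the whole token, including any '<', is the link

function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable renderer: only the non-URL text is escaped (step 1 works),
// the URL token is dropped into the markup raw (step 2 fails).
function naiveLinkify(message) {
  let out = '';
  let last = 0;
  for (const m of message.matchAll(URL_RE)) {
    out += escapeHtml(message.slice(last, m.index));   // plain text: filtered
    out += `<a href="${m[0]}">${m[0]}</a>`;             // URL: raw (the bug)
    last = m.index + m[0].length;
  }
  return out + escapeHtml(message.slice(last));
}

// Hardened renderer: the URL token is escaped both in the href attribute and
// in the anchor text, so part B can never close the anchor or open a tag.
function safeLinkify(message) {
  let out = '';
  let last = 0;
  for (const m of message.matchAll(URL_RE)) {
    out += escapeHtml(message.slice(last, m.index));
    const url = escapeHtml(m[0]);
    out += `<a href="${url}" rel="noopener noreferrer">${url}</a>`;
    last = m.index + m[0].length;
  }
  return out + escapeHtml(message.slice(last));
}

// Detection check for rendered output: true if a real <script> start tag is present.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample messages, modelled on steps 1 and 2 of the advisory.
const BARE = '<script>alert(document.location);</script>';
const IN_URL = 'http://www.vulnerablewebsite.com/index.php?url=' + BARE;
```

Running `containsScriptTag` over `naiveLinkify(IN_URL)` returns true while `safeLinkify(IN_URL)` returns false; the same check over `naiveLinkify(BARE)` is false, which is exactly the "filters the bare payload but not the hyperlink" behaviour the steps above describe.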
Some of the POCs are presented in the snapshots at the link below, which demonstrate the execution of this vulnerability.
*POC:*
http://secniche.blogspot.com/2011/05/skype-im-mac-os-x-is-this-0day.html
Thanks
Rohit Bansal
Secniche Security