Skype Client for Mac Chat Unicode Denial of Service

scip AG Vulnerability ID 4142 (06/22/2010)
http://www.scip.ch/?vuldb.4142

I. INTRODUCTION

Skype is a very popular proprietary voice-over-IP client available for multiple platforms.

More information is available on the official web site at the following URL:

    http://www.skype.com

II. DESCRIPTION

Marc Ruef at scip AG found a denial of service vulnerability in the current release for Apple MacOS X (version 2.8).

The application provides the possibility of sending messages to other Skype users via the embedded chat feature. If a vulnerable client receives a malicious message, the message and all further messages will be received but not displayed.

It was not possible to reproduce this behavior on different versions of the Skype client for Windows.

On the iPhone (Version 1.3.0.275 on iPhone 3gs) the behavior is different. A received message containing the malicious string is shown, but its content is not displayed. Instead, the message box contains the hint that the message has been deleted. No further impact could be determined.

III. EXPLOITATION

Information on how to exploit this vulnerability is included in the initial bug report.

An attacker has to include Unicode characters in the text message sent to the victim. The characters used for the proof-of-concept are from the Mathematical Alphanumeric Symbols block (1D400-1D7FF).

An automated toolkit to exploit this vulnerability is available but has not been disclosed so far.

IV. IMPACT

After receiving a malicious message, the attacked client is not able to use the chat feature anymore. Furthermore, some other elements of the application cannot be used anymore (e.g. reviewing the chat history).

V. DETECTION

In a common environment, the attack can be identified only after successful exploitation.

Deep inspection of received data communication over the Skype channel may be able to determine an ongoing attack attempt.

VI. SOLUTION

No workaround or solution is known at the moment.

It is suggested to allow incoming chat messages from approved friends only.

VII. VENDOR RESPONSE

This issue has been posted on Jira, the public issue tracking and reporting system of Skype. The vendor verified the existence of the issue. No further information about bug fixing was published.

VIII. SOURCES

scip AG - Security is our Business (German)
http://www.scip.ch/

scip AG - Vulnerability Database (German)
http://www.scip.ch/?vuldb.4142

computec.ch Document Database (German)
http://www.computec.ch

Skype Jira - Original Bug Report
http://developer.skype.com/jira/browse/SCM-681

IX. DISCLOSURE TIMELINE

2010/05/09 Identification of the vulnerability
2010/05/10 Notification of Skype via Jira (bug tracking)
2010/05/11 Acknowledgement of the issue via Jira
2010/05/11 Providing step-by-step exploit procedure
2010/06/22 Public disclosure of the advisory

X. CREDITS

The vulnerability has been discovered by Marc Ruef.

Marc Ruef, scip AG, Zuerich, Switzerland
maru-at-scip.ch
http://www.scip.ch

Additional testing and help was provided by Stefan Friedli and Martin Burke.

A1. LEGAL NOTICES

Copyright (c) 2002-2010 scip AG, Switzerland.

Permission is granted for the re-distribution of this alert. It may not be edited in any way without permission of scip AG.

The information in the advisory is believed to be accurate at the time of publishing based on currently available information. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect or consequential loss or damage from use of or reliance on this advisory.
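
Added example, not part of the scip AG advisory and not code from scip AG or Skype: one way to implement the inspection mentioned under V. DETECTION, by flagging chat text that contains code points from the block named under III. EXPLOITATION. It assumes the inspecting component already holds the message text in cleartext; all function names and sample messages are hypothetical and constructed for illustration.

```python
# Added example: flag chat text containing code points from the Unicode block
# named in the advisory, Mathematical Alphanumeric Symbols (U+1D400-U+1D7FF).
MATH_ALNUM = range(0x1D400, 0x1D800)  # covers U+1D400..U+1D7FF inclusive


def decode_message(raw):
    """Return text from UTF-8 bytes or str, merging UTF-16 surrogate pairs."""
    if isinstance(raw, bytes):
        try:
            # surrogatepass also accepts surrogates encoded as 3-byte UTF-8
            raw = raw.decode("utf-8", errors="surrogatepass")
        except UnicodeDecodeError:
            raw = raw.decode("utf-8", errors="replace")
    # A str built from \uD835\uDC00-style escapes holds two surrogates rather
    # than one astral code point; a UTF-16 round trip merges valid pairs and
    # turns lone surrogates into U+FFFD.
    units = raw.encode("utf-16-le", errors="surrogatepass")
    return units.decode("utf-16-le", errors="replace")


def scan_message(raw):
    """Return [(index, 'U+XXXXX'), ...] for each in-block code point."""
    text = decode_message(raw)
    return [(i, f"U+{ord(ch):04X}") for i, ch in enumerate(text)
            if ord(ch) in MATH_ALNUM]


def flag_senders(messages):
    """Map sender -> hits for every message containing in-block characters."""
    flagged = {}
    for sender, payload in messages:
        hits = scan_message(payload)
        if hits:
            flagged.setdefault(sender, []).extend(hits)
    return flagged


SAMPLES = [  # constructed test messages, not captured traffic
    ("alice", "see you at 10:00"),
    ("bob", "x = \U0001d465 + 1"),         # one astral code point
    ("carol", b"\xf0\x9d\x90\x80 hi"),     # UTF-8 bytes for U+1D400
    ("dave", "\ud835\udfff"),              # surrogate pair for U+1D7FF
    ("erin", "\u2211 \u00e9 \U0001f600"),  # non-ASCII, outside the block
]

if __name__ == "__main__":
    for sender, hits in flag_senders(SAMPLES).items():
        print(sender, hits)
```

A hit only means the message contains characters from that block; legitimate mathematical text uses them too, so treat the result as a signal for review rather than proof of an attack.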