Vulnerabilities in Skype

Thu, 17 Jan 2008 21:03:04 GMT

Aviv has already done most of the work but I would like to add a few more notes on the recently reported Skype Cross-site Scripting issue. In general, the issue is pretty much underestimated. The vulnerability is not of a type Cross-site Scripting bug, but mostly a Cross-site Scripting bug on DailyMotion, which results into a Cross-zone Scripting issue within Skype due to the unlocked IE controller Skype makes use of. When a given resource executes within the Local Zone context, all sorts of things are possible like, including but not only, reading/writing files from the local disc and launching executables through the WSH primitives. Which in simple words means a complete 0wnage.

The attack vector is a bit convoluted, but very much possible and quite practical. The user simply needs to visit DailyMotion via Skype's Add video to chat button and stumble upon a movie which contains the Cross-site Scripting vector. This type of scenario can be achieved in several ways but I believe that the most obvious approaches would be to either social engineer the user or spam DailyMotion with hundreds of infected movies that correspond to popular keywords. Aviv pointed out Paris Hilton as an example and I believe that this is a pretty good one.

Both, Aviv and I knew about Skype's Local Zone sandbox for several months now. Yet, this is the first major vulnerability that clearly shows the dangers of Skype's model. However, there is also another attack vector, which needs to be kept in mind, although it works only in networks where the attacker can influence the communication (mitm attacks, packet injection on wifi networks, network spoofing attacks, etc.).

I noticed that parts of the Skype traffic go over unencrypted channel. After further investigation, I found out that the unencrypted packets are part of Skype's ads which are pulled on several places, some of which end up within the unrestricted IE controller. With the help of tools like Airpwn or Karma, attackers can easily hijack ads and replace them with malicious ones. Upon rendering, a malicious code will execute within unrestricted IE controller and as such will allow the bad guys in. This type of attack is very easy to pull and it requires almost zero preparation.

The solution: lock the Local Zone. I would recommend not to use Skype on any public HotSpots. Also do not use the Add video to chat feature until a patch is released. Keep in mind that Skype is not the only one affected by these kinds of issues.

There are a few devices that I have seen which cause Windows XP to popup a little tooltip in the task tray saying 'a new device has been detected'. And sometiems when I click on that bubble it opens a webpage. I have not been able to reproduce this, and have not seen it occur lately... Was it fixed in a windows update? Does this have anything to do with SSDP? I was wondering if it is possible to craft an SSDP packet that will signal other XP computers on the network to show that tooltip. Some of the devices that I have seen do this are the Infrant Readynas and a DLink wifi router. I've also noticed that Sonos causes Windows Media Player to popup a tooltip sometimes as well asking to allow it to share it's media. Speaking of sonos... this device runs off upnp. Has anyone here been able to do any interesting things with it?
LiquidIce, I think that you commented on the wrong post. This one has nothing to do with UPnP. :)
Chaim HaasChaim Haas
Skype provides a full description of the vulnerability on its Security Blog and the steps that have been taken to neutralize the problem so it doesn't affect users.