11 comments

[ 3.4 ms ] story [ 35.9 ms ] thread
"About a month ago I was chatting on skype to a colleague about a payload for one of our clients,” he wrote. “Completely by accident, my payload executed in my colleagues skype client."

If I had to guess, they were probably pasting back and forth JavaScript "payloads" for an XSS and broke the parser that Skype is using for formatting chat messages. Not that interesting.

Chat messages on Skype aren't exactly the most effective propogation mechanism either. Don't you have to be approved as someone's friend before they can send you a message? This probably won't be used in any massive attacks any time soon. Until then, continue to annoy your girlfriends as the author apparently did.

It sounds like it's still pretty dangerous even if it's not "interesting".

As far as propogation, it could definitely be effective, it all depends on how interconnected the graph of Skype friendships is. There have been many nasty worms which travelled across AIM friend lists, for example.

There are plenty of times where I believe threats are overhyped. This is not one of them.

1) The default privacy setting in Skype is to allow anyone to send you a chat message. I know plenty of Skype users who complain to me about random chat messages, which indicates to me that they haven't changed their privacy preferences yet.

2) Regardless of the type of payload they used, "Low and behold I was able to remotely gain a shell." Remote shell. Through a Skype message. Would you give a random person shell access to your computer? It's more than interesting, it's terrible.

3) Spammers already infest the Skype network. If they discover this vuln before Skype patches it, you can fully expect that it will be exploited.

There is no mention of priviledge escalation in the article, but once you have a shell, the world is your oyster. There are bound to be exploitable services locally on the machine. Once you're in, you've got the run of the place.

You can specify whether or not to allow chats from anyone, or only those on your contact list. Can't recall what the default is on OSX.
Even if the default is to only accept messages from friends, worms certainly spread this way. If you want an example, see one of the MSN worms: they simply send a link, which if clicked it sends the worm through to all of the people in the contact list.
(comment deleted)
There is easily enough information in this post for a reasonably clever blackhat to rediscover the vulnerability. I'm reasonably certain I can guess what it is.

So don't use Skype on Mac if you can help it, and if you must use it turn off messages from sources not in your contact list.

Another scary thing here is that, since Skype 5.0 sucks so badly, many people downgraded to 2.x and Skype probably will ignore that release when they fix the vulnerability.
I am looking for someone to look into a skype account to see if a call was made last night. call me at 262 894 9440.