If at first you don't succeed; call it version 1.0
Thursday, January 17, 2008

Skype uses the Internet Explorer web control within the application to render internal and external HTML pages. Examples of these pages are the "Send money via PayPal" dialog and the "Add video to chat" dialog.

Recently, I've discovered that Skype is running this web control in the Local Zone. The more problematic issue is that Skype runs the HTML pages in an unlocked Local Zone mode, the same as AOL's AIM does in the chat message window.

This means that if it is possible to inject a script into any of those pages, it is possible to execute code on the user's machine. pdp suggested that AirPwn can be used for that, and I can't do more than agree with him.

Today, Miroslav Lučinskij posted to Full-Disclosure that it is possible to inject a script into the "Add video to chat" dialog via the Title field of the DailyMotion movie information. He called this a Cross-Site Scripting vulnerability, but it is actually a Cross-Zone Scripting vulnerability, because the script runs in IE's Local Zone instead of the Internet Zone.
This basically means that an attacker can now upload a movie, set a kewl popular keyword (e.g. "Paris Hilton"), and own any user that will search for a video with those keywords through Skype.

I've tested this with the latest version of Skype - v3.6.0.244. Prior versions may also be affected.

Until the Skype guys fix this vulnerability, I recommend that you stop searching for videos in Skype.
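Locking down the Local Zone for the embedding process is the host-side fix for this class of bug, and Windows exposes it per process through IE's Internet Feature Control registry keys. The PowerShell below is an added example of that lockdown (not code from the original post or from Skype); the executable name 'Skype.exe' and the HKCU root are assumptions.

```powershell
# Added example (not from the original post, not Skype's own fix): opt a process that
# embeds the IE web control into IE's per-process Local Machine Zone Lockdown via the
# Internet Feature Control registry keys. Each value is keyed by the host EXE name with
# DWORD 1 = enabled, and is read when the process next creates the control.
# The executable name below is an assumption used for illustration.
$ProcessName = 'Skype.exe'

# Feature controls that matter for a control rendering attacker-influenced HTML in the Local Zone:
#   FEATURE_LOCALMACHINE_LOCKDOWN - apply Local Machine Zone Lockdown restrictions
#   FEATURE_BLOCK_LMZ_SCRIPT      - block script from running in the Local Machine Zone
#   FEATURE_BLOCK_LMZ_OBJECT      - block ActiveX objects in the Local Machine Zone
#   FEATURE_ZONE_ELEVATION        - stop content navigating into a more privileged zone
$Features = @(
    'FEATURE_LOCALMACHINE_LOCKDOWN',
    'FEATURE_BLOCK_LMZ_SCRIPT',
    'FEATURE_BLOCK_LMZ_OBJECT',
    'FEATURE_ZONE_ELEVATION'
)

# HKCU applies to the current user without admin rights; use HKLM: for a machine-wide policy.
$Base = 'HKCU:\Software\Microsoft\Internet Explorer\Main\FeatureControl'

function Set-LmzLockdown {
    param([string]$Exe, [string[]]$FeatureNames, [string]$Root)
    foreach ($f in $FeatureNames) {
        $key = Join-Path $Root $f
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name $Exe -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Test-LmzLockdown {
    # Returns the feature names not yet enabled for the process; empty output means
    # the lockdown is fully in place. Useful as an audit check on an existing machine.
    param([string]$Exe, [string[]]$FeatureNames, [string]$Root)
    $missing = @()
    foreach ($f in $FeatureNames) {
        $key = Join-Path $Root $f
        $val = (Get-ItemProperty -Path $key -Name $Exe -ErrorAction SilentlyContinue).$Exe
        if ($val -ne 1) { $missing += $f }
    }
    return $missing
}

Set-LmzLockdown  -Exe $ProcessName -FeatureNames $Features -Root $Base
Test-LmzLockdown -Exe $ProcessName -FeatureNames $Features -Root $Base
```

The lockdown only governs what the web control will execute; it does not remove the injection itself, so the rendering code still needs to escape untrusted fields such as the video title.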

I've created a proof-of-concept which executes the calculator when searching for "calc test" in Skype's "Add video to chat" dialog.
The following video demonstrates the proof-of-concept:
Thursday, January 17, 2008 8:15:24 PM UTC | Comments [8] | Security
Friday, January 18, 2008 2:11:30 PM UTC
Skype provides a full description of the vulnerability on its Security Blog and the steps that have been taken to neutralize the problem so it doesn't affect users.
Friday, January 18, 2008 5:11:50 PM UTC
So isn't the problem with Internet Explorer? I mean, sorry for the hassle, but wouldn't using the gecko engine to render HTML and scripts solve this problem? [I had the same problem with WinAMP and this was the reason I stopped using it]
Friday, January 18, 2008 8:38:25 PM UTC
@Chaim: They have disabled DailyMotion until they fix the problem on their site, but Skype didn't fix the core of the problem, which is locking down the Local Zone. This can only be fixed by a registry change, which means they will either need to provide a new version or a hotfix patch.

@Jonathan: The problem is not the use of Internet Explorer, but a wrong implementation. It will have the same effect if they use the gecko engine to render HTML with "chrome" privileges.
Saturday, January 19, 2008 1:30:27 PM UTC
Aviv,
But aren't the chrome privileges in Gecko problematic to access with the API (unlike in IE?) (<abbr title="I am not a hacker (but...)">IANAH</abbr>).

I guess that the wrong implementation is the fact that running Skype with privileges (not just Admin, but any) may cause this. And since Skype wants to be cross platform (or platform independent) it has to apply this feature differently across OSes.

Still, I reckon that IE is to blame here as they "allowed" users to use this feature with their software.

[pondering whether the HTML tag actually works in here]
Saturday, January 19, 2008 4:39:35 PM UTC
Jonathan,
No. If an application allows Gecko to run with chrome privileges, a simple JavaScript is all that is needed for code execution. Mozilla provides information here.

Skype should be blamed for a misuse of a legitimate feature. This feature should be used only when needed and in places where the data is controllable only by the application.

[and yes, some HTML tags actually work here :)]
Friday, January 25, 2008 6:12:25 AM UTC
Hi,
Can you show how you can run binary code once you can write HTML and JavaScript in the Local Zone?
someone
Friday, January 25, 2008 9:31:48 AM UTC
Sure.

<script>
var x=new ActiveXObject("WScript.Shell");
var someCommands="Some command-line commands to download and execute binary file"; // see PDF exploit for an in the wild example
x.run('cmd.exe /C "'+someCommands+'"');
</script>
Sunday, May 18, 2008 6:49:23 PM UTC
Yes you can, but this is more an example of ActiveX command execution which would work for IE (e.g.).
The Firefox included language also allows us to execute commands which would work for FF (e.g.).
if you are "inside" a cross zone you can do this:
"var file = Components.classes["@mozilla.org/file/local;1"].createInstance(Components.interfaces.nsILocalFile);
file.initWithPath("c:\\windows\\system32\\cmd.exe");
file.launch();" (http://developer.mozilla.org/en/docs/Code_snippets:Running_applications quite useful if you want to learn more about it) [firefox]
->http://milw0rm.com/exploits/986

or
"var x=new ActiveXObject("WScript.Shell");
var someCommands="Some command-line commands to download and execute binary file"; // see PDF exploit for an in the wild example
x.run('cmd.exe /C "'+someCommands+'"');" [IE]
->http://milw0rm.com/exploits/5619


For more information about it, I'd advise you to read this:
http://en.wikipedia.org/wiki/Cross_Zone_Scripting