advisories/nullsec-skype.txt at master · nullsecuritynet/advisories · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
===============================================================================
|                                                                             |
                         ____                     _ __
              ___  __ __/ / /__ ___ ______ ______(_) /___ __
             / _ \/ // / / (_-</ -_) __/ // / __/ / __/ // /
            /_//_/\_,_/_/_/___/\__/\__/\_,_/_/ /_/\__/\_, /
                                                     /___/ team

                          PUBLIC SECURITY ADVISORY
|                                                                             |
===============================================================================


TITLE
=====

Skype - Persistent Cross Site Scripting Vulnerability


AUTHOR
======

noptrix


DATE
====

07-13-2011


VENDOR
======

Skype - http://www.skype.com/


AFFECTED PRODUCT
================

Skype in version <= 5.3.0.120


AFFECTED PLATFORMS
==================

Windows XP, Vista, 7
Mac OS X <= 10.6.8


VULNERABILITY CLASS
===================

Cross-Site Scripting


DESCRIPTION
===========

Skype suffers from a persistent Cross-Site Scripting vulnerability due to a lack
of input validation and output sanitization of the "mobile phone" profile entry.
Other input fields may also be affected.


PROOF OF CONCEPT
================

The following Javascript payload can be used as "mobile phone" entry to trigger
the described vulnerability:

--- SNIP ---

"><iframe src='' onload=alert('mphone')>

--- SNIP ---

For a PoC demonstration see:

    [+] http://www.nullsecurity.net/tmp/skype_xss.png
    [+] http://www.youtube.com/watch?v=eIgb9D-0DWs


IMPACT
======

An attacker could trivially hijack session IDs of remote users and leverage the
vulnerability to increase the attack vector to the underlying software and
operating system of the victim.


THREAT LEVEL
============

High


STATUS
======

Fixed.


NOTES
=====

To the whole world: Funny thing: Anglophone and German media refer me as
Armenian in their Skype XSS articles, yet all the Turkish news sites insists
that I am Turkish. For the record, I am Armenian and my people have been
persecuted by Turkey for hundreds of years. Thanks.


DISCLAIMER
==========

nullsecurity.net hereby emphasize, that the information which is published here are
for education purposes only. nullsecurity.net does not take any responsibility for
any abuse or misusage!

                Copyright (c) 2011 - nullsecurity.net