Corruption & Persistent Vulnerability in Skype 5.8 and 5.5

Ucha Gobejishvili (longrifle0x), Benjamin Kunz Mejri (Rem0ve) and Alexander Fuchs (f0x23), security experts from the Vulnerability-Lab team, discovered a remote pointer corruption vulnerability with a persistent weakness in Skype v5.8.0.156 on Windows 7 and v5.5.2340 on MacOS. The security risk of the remote denial-of-service vulnerability via pointer corruption is estimated as high(-).

Skype is a software application that allows users to make voice and video calls and chat over the Internet. Calls to other users within the Skype service are free, while calls to both traditional landline telephones and mobile phones can be made for a fee using a debit-based user account system.

According to the researchers, the vulnerability was reported to the vendor on 2012-02-24, and the vendor fix/patch (by check) is dated 2012-03-20. The affected versions are Skype for Windows, MacOS and Linux: v5.8.0.156, 5.5.0.2340 and 2.2 Beta.

The vulnerability can be exploited remotely. A pointer corruption vulnerability was detected in the Windows v5.6.59.10 and MacOS v5.5.2340 clients of the Skype software. The bug is located in the code that processes specially crafted symbol messages sent via the communication box. The vulnerability allows an attacker to freeze, block, crash or destroy the communication message box of the connected conference persons/teams.

The bug also has a persistent weakness vector, which allows a remote attacker to place the symbol string in the contact user request message box. The result is likewise a stable, persistent error message and a client denial of service. Attackers can also place the test PoC in the group label name, which results in a stable group error with different exceptions.

The Facebook integration allows users to sync their account with Skype, and the issue and its error can also be redisplayed via the Facebook module and wall postings. The callto function allows an attacker to make the issue persistent on a victim's user profile by using the symbol string as a nickname.

The vulnerable modules are: MessageBox & Request Contact; Contact Request Messagebox - Add Skype User; Group Topic & Group Information Name; and Facebook integration - Connect Account Wall Postings.

For better security, please update to Skype v5.8.0.158.
