Wednesday, September 18, 2024
HomeCVE/vulnerabilityA Backdoor Discover in Skype allows to hack everything that Skype can...

A Backdoor Discover in Skype allows to hack everything that Skype can offer for Mac OS X

Published on

Trustwave recently reported a locally exploitable issue in the Skype Desktop API Mac OS-X which provides an API to local programs/plugins executing on the local machine.

The API is formally known as the Desktop API (previously known as the Skype Public API – Application Programming Interface) and it enables third-party applications to communicate with Skype.

As described in the Trustwave advisory, the issue is an authentication by-pass discovered in the API whereby a local program could by-pass authentication if they identified themselves as the program responsible for interfacing with the Desktop API on behalf of the Skype Dashboard widget program.

- Advertisement - EHA

Who has been created this backdoor?

The vulnerability seems to have been created by a developer at Skype prior to Microsoft’s takeover of the company, and likely exposed some 30 million Mac OS X users.

A Backdoor?

An interesting possibility is that this bug is the result of a backdoor entered into the Desktop API to permit a particular program written by the vendor to access the Desktop API without user interaction. Indeed, this possibility seems even more likely when you consider that the Desktop API provides for an undocumented client name identifier (namely “Skype Dashbd Wdgt Plugin”).

Notifying the user of Desktop API through the backdoor works differently than the normal course of action which is to notify the user of an access attempt and prompt the user for permission.

In the case of the backdoor no such notification attempt is made and as such the user is not given the opportunity to deny access.

An unused backdoor?

Curiously, the actual Skype Dashboard widget does not seem to utilize the backdoor into the Skype Desktop API despite the name “Skype Dashbd Wdgt Plugin”.

This raises the possibility that the backdoor is the result of a development accident which left the code behind accidentally during the process of implementing the Dashboard plugin.

If it was a coding accident, it is an old one. Our investigations have shown that the string “Skype Dashbd Wdgt Plugin” has been present in versions of Skype for Mac OS-X for some 5+ years.

What can you access?

The Desktop API, in previous versions, permitted access to nearly everything that Skype can offer.

This included, but was not limited to: “notifications of incoming messages (and their contents), modifying messages and creating chat sessions, ability to log and record Skype call audio to disk and retrieve user contacts”.

In later versions of the Desktop API, access to text messages was dropped from the specification but access to other features remained.

Patched the backdoor:Microsoft

Microsoft has patched a backdoor in Skype for Mac OSX that would allow an attacker to log and record Skype call audio, retrieve user contact information, read the content of incoming messages, create chat sessions, modify messages, and carry out other malicious activity.

How easy is the backdoor to use?

Accessing the backdoor is as easy as changing a single line of code in the numerous examples given by Skype themselves in how to use the Desktop API.

A simple change to the ‘clientApplicationName‘ NSString method (or CFString member variable if using the Carbon API), setting this value to “Skype Dashbd Wdgt Plugin” is all that is required.

Technical explanation:

Discovering the backdoor is a relatively trivial process, in fact this can be done with a simple call to the GNU utility ‘strings’, for instance:

You can obtain a source disassembly of the responsible function by utilizing Hopper to disassemble the Skype application binary, the results are shown below:

In the above image you can see that the member function ‘authLevelForApplication:(NSString *)applicationName’ of the object ‘SkypeAPIController’ returns 1 (‘YES’) if the value of ‘applicationName’ is equal to ‘Skype Dashbd Wdgt Plugin’.

Versions of Skype prior to the Microsoft acquistion utilized one form or another of binary obfuscation/encryption where the binary dynamically unpacked itself upon execution.

This is a typical technique to hamper efforts to extract information and reverse engineer the program. However, in general these techniques were trivial to by-pass by simply attaching a debugger and dumping the pages of memory containing executable code.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

UNC2970 Hackers Attacking Job Seekers Using Weaponized PDF Reader

UNC2970, a North Korean cyber espionage group, used customized SumatraPDF trojans to deliver MISTPEN...

Microsoft Windows Kernel Vulnerability Exploited in the Wild

Microsoft has confirmed the exploitation of a Windows Kernel vulnerability, identified as CVE-2024-37985, in...

Discord Announces End-to-End Encryption for Audio & Video Chats

Discord has introduced end-to-end encryption (E2EE) for audio and video chats.Known as the...

Threat Actor Allegedly Selling Bharat Petroleum Database

A threat actor has allegedly put up for sale a database belonging to Bharat...

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

CISA Warns of Windows MSHTML & Progress WhatsUp Gold Flaw Exploited Widely

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning regarding two...

Critical Vulnerabilities Impact Million of D-Link Routers, Patch Now!

Millions of D-Link routers are at risk due to several critical vulnerabilities. Security researcher...

Windows MSHTML Zero-Day Vulnerability Exploited In The Wild

Adobe released eight security updates in September 2024, addressing 28 vulnerabilities in various products,...