List: bugtraq
Subject: Re: 0day critical vulnerability/exploit targets Winamp users in
From: K-OTiK Security <Special-Alerts () k-otik ! com>
Date: 2004-08-28 13:56:12
Message-ID: 20040828135612.27508.qmail () www ! securityfocus ! com
In-Reply-To: <20040826164943.17362.qmail@www.securityfocus.com>
Nullsoft has issued a fix for this critical vulnerability affecting Winamp 3.0, 5.0 and 5.0 Pro or newer.
Nullsoft said that Winamp 5.05 resolves this exploit in two ways:
- Winamp will now prompt all users with a confirmation window before installing any skins.
- Winamp will now only extract files considered low risk before loading a Winamp Skin.
ALL Winamp users MUST upgrade to Winamp 5.05 immediately.
http://www.winamp.com/player/
Regards.
K-OTik.COM Security Survey Team
http://www.k-otik.com
>
> take a look at the code/exploit :
> http://www.k-otik.com/exploits/08252004.skinhead.php
>
> Secunia advisory : http://secunia.com/advisories/12381/
>
> Thor Larholm -> When a user visits a website that hosts the Skinhead exploit their
> browser is redirected to a compressed Winamp Skin file which has a WSZ file
> extension but which in reality is a ZIP file. The default installation of Winamp
> registers the WSZ file extension and includes an EditFlags value with the bitflag
> 00000100 which instructs Windows and Internet Explorer to automatically open these
> files when encountered. Because of this EditFlags value the fake Winamp skin is
> automatically loaded into Winamp which in turn opens the "skin.xml" file inside the
> WSZ file. This skin.xml file references several include files such as
> "includes.xml", "player.xml" and "player-normal.xml", the latter of which opens an
> HTML file in Winamp's built-in web browser.
> The HTML file that is opened exploits the traditional codeBase command execution
> vulnerability in Internet Explorer to execute "calc.exe" at which time the user is
> infected.
> Regards.
> K-OTik.COM Security Survey Team
> http://www.k-otik.com
>
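An added example, not part of the original message and not Nullsoft's code: a Python triage of a `.wsz` file before it is opened, in the spirit of the 5.05 "low risk files only" fix and the `skin.xml` include chain described in the quoted text. The extension allowlist, the `<include file="..."/>` element name and the sample archive are assumptions constructed for illustration.

```python
import io, posixpath, zipfile
import xml.etree.ElementTree as ET
# Assumed allowlist: the page does not list what Winamp 5.05 treats as low risk.
LOW_RISK_EXT = {".xml", ".png", ".jpg", ".gif", ".bmp", ".ttf", ".txt", ".maki"}

def triage_wsz(data):
    """Inspect a .wsz (really a ZIP) in memory; returns None if it is not a ZIP."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return None
    out = {"risky": [], "unsafe_paths": [], "include_chain": []}
    members, queue = {}, ["skin.xml"]
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename.replace("\\", "/")
            norm = posixpath.normpath(name)
            if name.startswith("/") or ":" in name or norm.split("/")[0] == "..":
                out["unsafe_paths"].append(info.filename)  # escapes the skin dir
            if info.is_dir():
                continue
            if posixpath.splitext(norm)[1].lower() not in LOW_RISK_EXT:
                out["risky"].append(info.filename)  # e.g. HTML, executables
            members[norm.lower()] = info
        # Follow <include file="..."/> from skin.xml (element name is an assumption).
        while queue:
            cur = queue.pop(0)
            info = members.get(cur)
            if cur in out["include_chain"] or info is None or info.file_size > 1_000_000:
                continue
            out["include_chain"].append(cur)
            raw = zf.read(info)
            if b"<!DOCTYPE" in raw:  # refuse DTDs so no entities get expanded
                continue
            try:
                root = ET.fromstring(raw)
            except ET.ParseError:
                continue
            for el in root.iter("include"):
                ref = posixpath.join(posixpath.dirname(cur), el.get("file", ""))
                queue.append(posixpath.normpath(ref.replace("\\", "/")).lower())
    return out

def constructed_sample():
    """Constructed sample skin with harmless placeholder contents."""
    files = {"skin.xml": '<s><include file="includes.xml"/></s>', "player.xml": "<s/>",
             "includes.xml": '<s><include file="player.xml"/></s>', "page.html": "<html/>"}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in files.items():
            zf.writestr(name, body)
    return buf.getvalue()
```

A non-empty `risky` or `unsafe_paths` list is the signal to quarantine the file rather than hand it to the player.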