List:       bugtraq
Subject:    Re: 0day critical vulnerability/exploit targets Winamp users in
From:       K-OTiK Security <Special-Alerts () k-otik ! com>
Date:       2004-08-28 13:56:12
Message-ID: 20040828135612.27508.qmail () www ! securityfocus ! com
In-Reply-To: <20040826164943.17362.qmail@www.securityfocus.com>

Nullsoft has issued a fix for this critical vulnerability affecting Winamp 3.0, 5.0 and 5.0 Pro or newer.

Nullsoft said that Winamp 5.05 resolves this exploit in two ways:

- Winamp will now prompt all users with a confirmation window before installing any skins.
- Winamp will now only extract files considered low risk before loading a Winamp Skin.

ALL Winamp users MUST upgrade to Winamp 5.05 immediately. 

http://www.winamp.com/player/

Regards.
K-OTik.COM Security Survey Team
http://www.k-otik.com 

> 
> take a look at the code/exploit : 
> http://www.k-otik.com/exploits/08252004.skinhead.php
> 
> Secunia advisory : http://secunia.com/advisories/12381/
> 
> Thor Larholm -> When a user visits a website that hosts the Skinhead exploit, their
> browser is redirected to a compressed Winamp Skin file which has a WSZ file
> extension but which in reality is a ZIP file. The default installation of Winamp
> registers the WSZ file extension and includes an EditFlags value with the bitflag
> 00000100, which instructs Windows and Internet Explorer to automatically open these
> files when encountered. Because of this EditFlags value the fake Winamp skin is
> automatically loaded into Winamp, which in turn opens the "skin.xml" file inside the
> WSZ file. This skin.xml file references several include files such as
> "includes.xml", "player.xml" and "player-normal.xml", the latter of which opens an
> HTML file in Winamp's built-in web browser.
> The HTML file that is opened exploits the traditional codeBase command execution
> vulnerability in Internet Explorer to execute "calc.exe", at which time the user is
> infected.
> Regards.
> K-OTik.COM Security Survey Team
> http://www.k-otik.com 
> 
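The quoted analysis turns on a file-association detail: an EditFlags value on the WSZ ProgID that tells Windows and Internet Explorer to open downloaded files of that type without asking. The following read-only audit script is an added example for defenders, not code from the original post, from Nullsoft or from K-OTik. It assumes the "00000100" bitflag in the post is the REG_BINARY, little-endian rendering of 0x00010000, the FTA_OpenIsSafe bit, and that EditFlags may be stored either as REG_DWORD or as a 4-byte REG_BINARY. The function names (`ConvertTo-EditFlags`, `Get-OpenIsSafeAssociations`) are mine.

```powershell
# Added example (not part of the original bugtraq post): list file-type
# associations whose EditFlags carry FTA_OpenIsSafe (0x00010000), the bit the
# post describes as making Windows/IE open a downloaded file with no prompt.
# Read-only: it reports, it changes nothing.
# Assumption: EditFlags is stored as REG_DWORD or as a 4-byte REG_BINARY.

$FTA_OpenIsSafe = 0x00010000

function ConvertTo-EditFlags {
    # Normalise the registry value to an unsigned 32-bit integer.
    param([object]$Value)
    if ($null -eq $Value) { return $null }
    if ($Value -is [byte[]]) {
        # REG_BINARY: little-endian DWORD; pad to 4 bytes if the value is shorter.
        $bytes = New-Object byte[] 4
        [Array]::Copy($Value, $bytes, [Math]::Min($Value.Length, 4))
        return [BitConverter]::ToUInt32($bytes, 0)
    }
    # REG_DWORD comes back as Int32; reinterpret the bits, do not widen the sign.
    return [BitConverter]::ToUInt32([BitConverter]::GetBytes([int32]$Value), 0)
}

function Get-OpenIsSafeAssociations {
    # Returns one record per extension whose ProgID has FTA_OpenIsSafe set.
    param([string]$Extension)   # e.g. '.wsz'; omit to scan every registered extension

    $root = 'Registry::HKEY_CLASSES_ROOT'
    $exts = if ($Extension) { @($Extension) } else {
        (Get-ChildItem $root | Where-Object { $_.PSChildName -like '.*' }).PSChildName
    }

    foreach ($ext in $exts) {
        # The extension key's default value names the ProgID that holds EditFlags.
        $progId = (Get-ItemProperty "$root\$ext" -ErrorAction SilentlyContinue).'(default)'
        if (-not $progId) { continue }
        $props = Get-ItemProperty "$root\$progId" -ErrorAction SilentlyContinue
        $flags = ConvertTo-EditFlags $props.EditFlags
        if ($null -ne $flags -and ($flags -band $FTA_OpenIsSafe)) {
            [pscustomobject]@{
                Extension  = $ext
                ProgId     = $progId
                EditFlags  = ('0x{0:X8}' -f $flags)
                OpenIsSafe = $true
            }
        }
    }
}

# Check the skin extension from the advisory first, then the whole machine.
Get-OpenIsSafeAssociations -Extension '.wsz'
Get-OpenIsSafeAssociations | Sort-Object Extension | Format-Table -AutoSize
```

Any extension the script lists is one the shell will hand straight to its handler after download, so the handler's own input validation is the only control left; that is exactly why the 5.05 fix adds a confirmation prompt on the Winamp side rather than relying on the browser. Run the scan as part of a baseline so newly installed software that registers an "open is safe" type is noticed.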

