Re: 0day critical vulnerability/exploit targets Winamp users in the wild

[K-OTiK Security <Special-Alerts () k-otik com>]

In-Reply-To: <20040826164943.17362.qmail () www securityfocus com>

Nullsoft has issued a fix for this critical vulnerability affecting Winamp 3.0, 5.0 and 5.0 Pro or newer.

Nullsoft said that Winamp 5.05 resolves this exploit in two ways:

- Winamp will now prompt all users with a confirmation window before installing any skins. 
- Winamp will now only extract files considered low risk before loading a Winamp Skin. 

ALL Winamp users MUST upgrade to Winamp 5.05 immediately. 

http://www.winamp.com/player/

Regards.
K-OTik.COM Security Survey Team
http://www.k-otik.com 

> take a look at the code/exploit : 
> http://www.k-otik.com/exploits/08252004.skinhead.php
>
> Secunia advisory : http://secunia.com/advisories/12381/
>
> Thor Larholm -> When a user visits a website that hosts the Skinhead exploit their browser is redirected to a 
> compressed Winamp Skin file which has a WSZ file extension but which in reality is a ZIP file. The default 
> installation of Winamp registers the WSZ file extension and includes an EditFlags value with the bitflag 00000100 
> which instructs Windows and Internet Explorer to automatically open these files when encountered. Because of this 
> EditFlags value the fake Winamp skin is automatically loaded into Winamp which in turn open the "skin.xml" file inside 
> the WSZ file. This skin.xml file references several include files such as "includes.xml", "player.xml" and 
> "player-normal.xml", the latter of which opens an HTML file in Winamp's builtin webbrowser.
>
> The HTML file that is opened exploit the traditional codeBase command execution vulnerability in Internet Explorer to 
> execute "calc.exe" at which time the user is infected.
>
> Regards.
> K-OTik.COM Security Survey Team
> http://www.k-otik.com