<<< Date Index >>>     <<< Thread Index >>>

0day critical vulnerability/exploit targets Winamp users in the wild




Hi,

we received since July 22nd several reports from users who were hacked after 
visiting several websites. This 0day attack had been used to spread spyware and 
trojans, infecting patched computers.

Investigations showed the existance of a new and unpublished flaw/exploit in 
the winamp skin files handling. 

take a look at the code/exploit : 
http://www.k-otik.com/exploits/08252004.skinhead.php

Secunia advisory : http://secunia.com/advisories/12381/

Thor Larholm -> When a user visits a website that hosts the Skinhead exploit 
their browser is redirected to a compressed Winamp Skin file which has a WSZ 
file extension but which in reality is a ZIP file. The default installation of 
Winamp registers the WSZ file extension and includes an EditFlags value with 
the bitflag 00000100 which instructs Windows and Internet Explorer to 
automatically open these files when encountered. Because of this EditFlags 
value the fake Winamp skin is automatically loaded into Winamp which in turn 
open the "skin.xml" file inside the WSZ file. This skin.xml file references 
several include files such as "includes.xml", "player.xml" and 
"player-normal.xml", the latter of which opens an HTML file in Winamp's builtin 
webbrowser.

The HTML file that is opened exploit the traditional codeBase command execution 
vulnerability in Internet Explorer to execute "calc.exe" at which time the user 
is infected.

Regards.
K-OTik.COM Security Survey Team
http://www.k-otik.com