Re: 0day critical vulnerability/exploit targets Winamp users in the wild
In-Reply-To: <20040826164943.17362.qmail@xxxxxxxxxxxxxxxxxxxxx>
Nullsoft has issued a fix for this critical vulnerability affecting Winamp 3.0,
5.0 and 5.0 Pro or newer.
Nullsoft said that Winamp 5.05 resolves this exploit in two ways:
- Winamp will now prompt all users with a confirmation window before installing
any skins.
- Winamp will now only extract files considered low risk before loading a
Winamp Skin.
ALL Winamp users MUST upgrade to Winamp 5.05 immediately.
http://www.winamp.com/player/
Regards.
K-OTik.COM Security Survey Team
http://www.k-otik.com
>
>take a look at the code/exploit :
>http://www.k-otik.com/exploits/08252004.skinhead.php
>
>Secunia advisory : http://secunia.com/advisories/12381/
>
>Thor Larholm -> When a user visits a website that hosts the Skinhead exploit,
>their browser is redirected to a compressed Winamp Skin file which has a WSZ
>file extension but which in reality is a ZIP file. The default installation of
>Winamp registers the WSZ file extension and includes an EditFlags value with
>the bitflag 00000100 which instructs Windows and Internet Explorer to
>automatically open these files when encountered. Because of this EditFlags
>value the fake Winamp skin is automatically loaded into Winamp, which in turn
>opens the "skin.xml" file inside the WSZ file. This skin.xml file references
>several include files such as "includes.xml", "player.xml" and
>"player-normal.xml", the latter of which opens an HTML file in Winamp's
>built-in web browser.
>
>The HTML file that is opened exploits the traditional codeBase command
>execution vulnerability in Internet Explorer to execute "calc.exe", at which
>time the user is infected.
>
>Regards.
>K-OTik.COM Security Survey Team
>http://www.k-otik.com
>
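The following is an added example, not code from this list posting, from K-OTik, Nullsoft or Winamp. It shows what the second 5.05 mitigation in the reply above (extract only low-risk files from a skin) looks like as a triage routine, and it follows the include chain the quoted advisory describes (skin.xml -> includes.xml -> player.xml -> player-normal.xml -> HTML) to flag any skin XML that hands off to an HTML file. The allowlist and high-risk extension sets, the `_path_is_unsafe` check, and the XML element names in `build_sample_skin` are assumptions made for the example; the sample archives are constructed in memory and are not real skins.

```python
import io
import posixpath
import re
import zipfile
from typing import Dict, List, NamedTuple, Tuple

# Allowlist of member types a skin actually needs. This is an assumption for the
# example; the advisory only says Nullsoft extracts files "considered low risk".
LOW_RISK_EXTENSIONS = {".xml", ".png", ".bmp", ".jpg", ".gif", ".cur", ".txt"}

# Member types a skin has no business carrying and that the built-in browser or
# the shell would readily run. Also an assumption for the example.
HIGH_RISK_EXTENSIONS = {".htm", ".html", ".hta", ".exe", ".dll", ".js", ".vbs", ".scr"}

# Any quoted attribute value in skin XML that points at an HTML-like file.
_HTML_REF_RE = re.compile(r'"([^"]*\.(?:html?|hta))"', re.IGNORECASE)


class SkinReport(NamedTuple):
    safe: bool
    high_risk_files: List[str]
    non_allowlisted: List[str]
    unsafe_paths: List[str]
    html_references: List[Tuple[str, str]]  # (xml member, referenced file)


def _ext(name: str) -> str:
    return posixpath.splitext(name.lower())[1]


def _path_is_unsafe(name: str) -> bool:
    # Absolute paths, drive letters or '..' components would escape the skin
    # directory at extraction time, so they are never extracted.
    parts = name.replace("\\", "/").split("/")
    return name.startswith(("/", "\\")) or ".." in parts or (len(name) > 1 and name[1] == ":")


def triage_wsz(data: bytes) -> SkinReport:
    """Inspect a .wsz archive (a ZIP) in memory; nothing is written to disk."""
    high_risk, non_allowlisted, unsafe_paths, html_refs = [], [], [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = [n for n in zf.namelist() if not n.endswith("/")]
        for name in members:
            if _path_is_unsafe(name):
                unsafe_paths.append(name)
            ext = _ext(name)
            if ext in HIGH_RISK_EXTENSIONS:
                high_risk.append(name)
            if ext not in LOW_RISK_EXTENSIONS:
                non_allowlisted.append(name)
            if ext == ".xml":
                # Follow the include chain: an XML member that points at an HTML
                # file is the hand-off into Winamp's built-in browser.
                text = zf.read(name).decode("utf-8", errors="replace")
                for ref in _HTML_REF_RE.findall(text):
                    html_refs.append((name, ref))
    safe = not (high_risk or non_allowlisted or unsafe_paths or html_refs)
    return SkinReport(safe, high_risk, non_allowlisted, unsafe_paths, html_refs)


def extract_low_risk(data: bytes) -> Dict[str, bytes]:
    """Mirror the 5.05 mitigation: only allowlisted, safely-pathed members come out."""
    out: Dict[str, bytes] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.endswith("/") or _path_is_unsafe(name):
                continue
            if _ext(name) in LOW_RISK_EXTENSIONS:
                out[name] = zf.read(name)
    return out


def build_sample_skin(malicious: bool) -> bytes:
    """Constructed sample archives for the demo; the element names are
    illustrative and are not claimed to be real Winamp skin syntax."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("skin.xml", '<WinampAbstractionLayer version="0.8">'
                                '<include file="includes.xml"/></WinampAbstractionLayer>')
        zf.writestr("includes.xml", '<include file="player.xml"/>')
        zf.writestr("player.xml", '<include file="player-normal.xml"/>')
        zf.writestr("images/bg.png", b"\x89PNG\r\n\x1a\n")
        if malicious:
            zf.writestr("player-normal.xml", '<browser src="payload.htm"/>')
            zf.writestr("payload.htm", "<html><!-- placeholder page --></html>")
        else:
            zf.writestr("player-normal.xml", '<layer image="images/bg.png"/>')
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("benign", build_sample_skin(False)), ("hostile", build_sample_skin(True))):
        report = triage_wsz(blob)
        print(label, "safe" if report.safe else "BLOCK", report.html_references, report.high_risk_files)
        print("  would extract:", sorted(extract_low_risk(blob)))
```

The constructed hostile skin is blocked on two independent grounds (an HTML member in the archive, and an XML member referencing it), so a skin that hides the page under a benign-looking name still trips the include-chain check. The EditFlags auto-open bit and the confirmation prompt mentioned in the reply are shell and UI settings outside what an archive inspector can address.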