Page 2 of 2 FirstFirst 12
Results 11 to 14 of 14

Thread: Winamp Skin File Arbitrary Code Execution Vulnerability

  1. #11
    The Iceman Cometh
    Join Date
    Aug 2001
    Posts
    1,209
    You're right, phishfphreek. Guess I should actually pay attention when I post things like that. Thanks for the added input. :-P

    AJ

  2. #12
    Something I noticed with SP2-

    IE changes the file extension of the source location in my PoC IFrame from winamp skin zip (.wsz) into a .zip? At least that's what it does when I ask to download the file. Not a big deal, just kinda weird.

    I put up a PoC here (http://www.thebillygoatcurse.com/winamp.php) w/o the executable file and malicious skin. All it does is show how it opens Winamp automatically, so those of you thinking this is a "careless downloading" issue, it's not. It's exploitable upon a malicious html page view on SP1. I came upon a group of people talking about how stupid people are downloading malicious skins, so I felt I felt responsible to elaborate a bit on it's exploitation.

    There is a Winamp upgrade available. But, alternatives exist. I am a huge Winamp fan, but I am more a fan of it's skinning ability than anything else.
    There is another option here: http://www.foobar2000.org/

    I like it for it's sexy system tray icon, but rumor has it that it's also very minimalist with resources.

    btw: This isn't so much nullsoft / aol's fault, more of IE's. I think this is the bulletin being exploited in a "winamp" way.
    http://secunia.com/advisories/12041/

  3. #13
    Senior Member
    Join Date
    Oct 2001
    Posts
    786
    It is half Winamp's fault for setting the WSZ file type to install without user intervention. They didn't think that there was a way a skin could do malicious stuff on the computer, so they decided to completely bypass user intervention and auto-install. Personally, I don't like things working behind my back. Which is why according to my last post, I've deleted the file association. If I want a skin, I'll manually put it into the right directory, etc. But that's just me.

    Oh, and a WSZ is acturally a collection of images in a ZIP archive if I remember correctly. If SP2 breaks Winamp's automatic file association, then it would in effect secure the computer from installing a skin behind your back (but I don't know about protecting you from a malicious skin). But luckily they apparently took care of that paticular vulnerability that a escelated the privilages of a malicious skin w/ their latest version. So even if it downloaded behind your back (they also make it prompt now for new ones) it won't take control of your system in that paticular way...

  4. #14
    The Iceman Cometh
    Join Date
    Aug 2001
    Posts
    1,209
    Doesn't the consumer version of RealPlayer automatically install skins upon download, too? Or am I mistaken? I don't have it installed on any machines here, but I distinctly recall a setting in the preferences which was checked by default which had the skin automatically install. Wouldn't they then be subject to the same sort of expoitation? I've never used any skinning features of RealPlayer (though I absolutely have for Winamp, even made one of my own to match the Windows theme I designed), so I have no idea how the skinning works, but I would think that a similar exploit could be designed for RealPlayer if they have it set up the same way.

    AJ

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •