Winamp vulnerability



#1 raw


Posted 26 August 2004 - 09:35 PM

Hi,

Since July 22nd we have received several reports from users who were hacked after visiting
several websites. This 0day attack had been used to spread spyware and trojans,
infecting patched computers.

Investigations showed the existence of a new and unpublished flaw/exploit in the Winamp
skin files handling.

Take a look at the code/exploit:
http://www.k-otik.com/exploits/08252004.skinhead.php

Secunia advisory : http://secunia.com/advisories/12381/

Thor Larholm -> When a user visits a website that hosts the Skinhead exploit their
browser is redirected to a compressed Winamp Skin file which has a WSZ file extension
but which in reality is a ZIP file. The default installation of Winamp registers
the WSZ file extension and includes an EditFlags value with the bitflag
00000100 which instructs Windows and Internet Explorer to automatically open these
files when encountered. Because of this EditFlags value the fake Winamp skin
is automatically loaded into Winamp, which in turn opens the "skin.xml" file inside
the WSZ file. This skin.xml file references several include files such as "includes.xml",
"player.xml" and "player-normal.xml", the latter of which opens an HTML
file in Winamp's built-in web browser.

The HTML file that is opened exploits the traditional codeBase command execution vulnerability
in Internet Explorer to execute "calc.exe" at which time the user is
infected.

Regards.
K-OTik.COM Security Survey Team
http://www.k-otik.com


Don't use Winamp until this is fixed.


 rawcreations.net          @raw_creations


Current systems: WHAT OS, BackTrack-raw, PCLinuxOS, Peppermint OS 6, Kali Linux

and a custom Linux From Scratch server hosting a bunch of top secret stuff.
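
An added example, not part of the original post or the advisory: a small audit that reads a registry export of HKEY_CLASSES_ROOT and lists file extensions whose class carries the auto-open EditFlags bit described in the quoted analysis. The bitflag 00000100 is the byte sequence 00 00 01 00, which as a DWORD is 0x00010000 (named FTA_OpenIsSafe in the Windows SDK). The export text and the ProgID names below are constructed placeholders.

```python
import re

FTA_OPEN_IS_SAFE = 0x00010000  # bytes 00,00,01,00 when stored as REG_BINARY

# Constructed .reg export; the ProgID names are placeholders, not real Winamp keys.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.wsz]
@="Example.SkinZip"
[HKEY_CLASSES_ROOT\.txt]
@="Example.Text"

[HKEY_CLASSES_ROOT\Example.SkinZip]
"EditFlags"=hex:00,00,01,00

[HKEY_CLASSES_ROOT\Example.Text]
"EditFlags"=dword:00000000
'''

def parse_edit_flags(value):
    """Decode an EditFlags value from .reg syntax into an integer."""
    value = value.strip().lower()
    if value.startswith("dword:"):
        return int(value[6:], 16)
    if value.startswith("hex:"):
        raw = bytes(int(b, 16) for b in value[4:].split(",") if b.strip())
        return int.from_bytes(raw[:4], "little")  # binary form is little-endian
    raise ValueError(f"unsupported EditFlags encoding: {value!r}")

def auto_open_extensions(reg_text):
    """Return {extension: ProgID} for file types whose class sets FTA_OpenIsSafe."""
    ext_to_progid, flags, key = {}, {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[HKEY_CLASSES_ROOT\\([^\\\]]+)\]", line, re.I)
        if m:
            key = m.group(1)
        elif line.startswith("["):
            key = None  # subkey or another hive: ignore its values
        elif key and key.startswith(".") and line.startswith("@="):
            ext_to_progid[key.lower()] = line[2:].strip('"')
        elif key and line.lower().startswith('"editflags"='):
            flags[key.lower()] = parse_edit_flags(line.split("=", 1)[1])
    return {ext: pid for ext, pid in ext_to_progid.items()
            if flags.get(pid.lower(), 0) & FTA_OPEN_IS_SAFE}

if __name__ == "__main__":
    for ext, progid in auto_open_extensions(SAMPLE_REG).items():
        print(f"{ext} -> {progid}: opens automatically after download")
```

Any extension it reports is a file type that the browser hands straight to its handler without a prompt, so each one deserves a check that the handler treats downloaded content as untrusted.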




#2 harrywaldron


Posted 01 September 2004 - 05:49 AM

Winamp fixed this very promptly with the release of Winamp 5.05. Please install the new version if you use Winamp. No issues for me in using the Lite version :thumbsup: :flowers: :trumpet:

Writeup and Download links:
http://msmvps.com/harrywaldron/archive/2004/08/28/12492.aspx



