
Re: 0day critical vulnerability/exploit targets Winamp users in the wild

In-Reply-To: <20040826164943.17362.qmail@xxxxxxxxxxxxxxxxxxxxx>

Nullsoft has issued a fix for this critical vulnerability affecting Winamp 3.0, 
5.0 and 5.0 Pro or newer.

Nullsoft said that Winamp 5.05 resolves this exploit in two ways:

- Winamp will now prompt all users with a confirmation window before installing 
any skins. 
- Winamp will now only extract files considered low risk before loading a 
Winamp Skin. 

ALL Winamp users MUST upgrade to Winamp 5.05 immediately. 

http://www.winamp.com/player/

Regards.
K-OTik.COM Security Survey Team
http://www.k-otik.com 

>
>take a look at the code/exploit : 
>http://www.k-otik.com/exploits/08252004.skinhead.php
>
>Secunia advisory : http://secunia.com/advisories/12381/
>
>Thor Larholm -> When a user visits a website that hosts the Skinhead exploit 
>their browser is redirected to a compressed Winamp Skin file which has a WSZ 
>file extension but which in reality is a ZIP file. The default installation of 
>Winamp registers the WSZ file extension and includes an EditFlags value with 
>the bitflag 00000100 which instructs Windows and Internet Explorer to 
>automatically open these files when encountered. Because of this EditFlags 
>value the fake Winamp skin is automatically loaded into Winamp which in turn 
>opens the "skin.xml" file inside the WSZ file. This skin.xml file references 
>several include files such as "includes.xml", "player.xml" and 
>"player-normal.xml", the latter of which opens an HTML file in Winamp's 
>built-in web browser.
>
>The HTML file that is opened exploits the traditional codeBase command 
>execution vulnerability in Internet Explorer to execute "calc.exe" at which 
>time the user is infected.
>
>Regards.
>K-OTik.COM Security Survey Team
>http://www.k-otik.com 
>
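The second Nullsoft mitigation quoted above (extract only "low risk" files from a skin before loading it) can be illustrated with a small archive filter. The Python below is an added example written for this page; it is not K-OTik's exploit code and not Winamp's own extractor. It treats a .wsz as the ZIP file the advisory says it is, and extracts only members whose extension is on an allow-list and whose path stays inside the destination directory. The allow-list itself, the sample skin contents and the helper names are constructed for the example; Winamp's real notion of "low risk" and its skin XML schema are not given in the post.

```python
import io
import os
import posixpath
import tempfile
import zipfile

# Constructed allow-list for this example (assumption, not Winamp's list).
# The advisory's attack chain ends in an .html member, which this set omits.
LOW_RISK_EXTENSIONS = {".xml", ".png", ".bmp", ".jpg", ".gif", ".txt"}


def is_contained(name):
    """True if a ZIP member path stays inside the extraction directory
    (no absolute path, no '..' escape, no Windows drive prefix)."""
    norm = posixpath.normpath(name.replace("\\", "/"))
    if norm.startswith("/") or norm == ".." or norm.startswith("../"):
        return False
    head = norm.split("/", 1)[0]
    return ":" not in head


def classify_skin_entries(wsz_bytes):
    """Split a .wsz archive (a ZIP under another extension) into members that
    are safe to extract and members that are blocked, judged by extension
    and by path containment. Returns (safe, blocked) lists of member names."""
    safe, blocked = [], []
    with zipfile.ZipFile(io.BytesIO(wsz_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = posixpath.splitext(name.replace("\\", "/"))[1].lower()
            if is_contained(name) and ext in LOW_RISK_EXTENSIONS:
                safe.append(name)
            else:
                blocked.append(name)
    return safe, blocked


def extract_low_risk(wsz_bytes, dest_dir):
    """Extract only the allow-listed members into dest_dir and return the
    member names that were written, sorted. Blocked members never touch disk."""
    safe, _blocked = classify_skin_entries(wsz_bytes)
    with zipfile.ZipFile(io.BytesIO(wsz_bytes)) as zf:
        for name in safe:
            zf.extract(name, dest_dir)
    return sorted(safe)


def build_sample_skin():
    """Constructed sample .wsz with the file names from the advisory plus one
    .html member and one path-traversal member. The XML bodies are placeholders,
    not the real Winamp skin schema."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("skin.xml", '<skin><include file="includes.xml"/></skin>')
        zf.writestr("includes.xml", '<includes><include file="player.xml"/></includes>')
        zf.writestr("player.xml", '<player><include file="player-normal.xml"/></player>')
        zf.writestr("player-normal.xml", '<player><browser src="payload.html"/></player>')
        zf.writestr("payload.html", "<html>constructed stand-in for the page the skin would open</html>")
        zf.writestr("../escape.xml", "<x/>")  # constructed traversal attempt
    return buf.getvalue()


def demo():
    """Extract the sample skin into a temporary directory and return what
    was written; also checks that nothing else appeared on disk."""
    with tempfile.TemporaryDirectory() as tmp:
        written = extract_low_risk(build_sample_skin(), tmp)
        on_disk = sorted(os.listdir(tmp))
        if on_disk != written:
            raise RuntimeError("unexpected files on disk: %r" % on_disk)
        return written


if __name__ == "__main__":
    safe, blocked = classify_skin_entries(build_sample_skin())
    print("safe:   ", safe)
    print("blocked:", blocked)
    print("written:", demo())
```

The extension check is what stops the advisory's chain at the last step: the include files are still extracted and parsed, but the HTML page that player-normal.xml points at is never written, so there is nothing for the built-in browser to open. The containment check is a separate, general ZIP-handling precaution that the post does not mention; it is included because any extractor that writes attacker-supplied member names to disk needs it.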