When opening a wma file with winamp (2.77, 2.78 tested) that requires a license to be installed, winamp opens the webpage where it obtains this license (through some vb script code calling an active x object), witch it passes the url to itself in order for this page to provide a click-here-to-play type of link This is a problem, for if the users starts a download and presses open instead of save to disk eighter on a webpage or in an email message (this is currently the default action on this pc, it doesn't even prompt for saving, however I most likely have clicked a checkbox too many somewhere) The path to the temporary internet files folder is revealed to the page that provides the license. And thus allows for chm file type of attacks witch allows execution of arbitrary code For an example On http://windowsmedia.neuroticmedia.net/ you'll find a lot of wma files all with licenses (I found this link on the windowsmedia.com website) On downloading and starting the first wma file winamp fires up internet explorer and opens the following url for me http://web.neuroticmedia.net/getV1License.asp?content_guid=2524&challeng e=AAEAAdytv8CWPq!uaEvLpmn9Ay!TyS0T5P5TBaqgGEhtHqneqhPSWcDvzmo!FLmsofK8sc 8gGQrMIUsrvTrwXS7a3207D*cHR2b6HLXZ5ANyskZwsNAWEUdtPKmbgHRCRsK0JbIK3S3msY p5iSz8QOVtzKBYV0sRRmxvs2h4J2p8DdVw0y08IjmxviTKWuuwKyKCnXh49dIu05gIKhbg1W x8nR2fT8*Um3IDTrYv*MGmSENm1!mfv3MoO8cSzF!om4KX6IL5vLi0&DRMVer=1.3&filena me=file://C:%5cDocuments%20and%20Settings%5cJelmer%5cLocal%20Settings%5c Temporary%20Internet%20Files%5cContent.IE5%5cCBL7ME79%5cStatic-X-Cold%5b 1%5d.wma Clearly showing the temporary internet files folder passed in the filename parameter Additionally this particular site is also vulnerable to a cross site scripting exploit as show by the following url. http://web.neuroticmedia.net/getV1License.asp?content_guid=2623&challeng e=AAEAAW*cuZ*Ox399!2qBZxPMHDSN!hMx*NaYtOSFpu66wNTGY4bqHFb6BU*0ZLpLRn*uGp g5idOrzs!72BtRJ5S1XnFIXlb*teiO4zljbilFZnM6r3L8oCd6UrQ1oQlnukZY3S1pHXSS*o xG9O29p4BhcxYnmx0RZ2dz1gUPZWbzqVdhxw6rSc!EuBS*l2*CXcQdV1Ie7qeo!OIP0g6Gxc qI2njcI8cQgIuExtwEVpEOHoodx1TET5SFiu1Z8NyHlR0ZLWMa!wXG&DRMVer=1.3&filena me="></a><script%20language=javascript>alert('cross site scripting');</script><a> --- jelmer
