Winamp skin exploit. Being used as a vector for infection


DaWolfey
21st August 2004, 21:28
Hi

I've just seen a new worm spreading across IRC. Clicking a link sends you a Winamp skin file; it appears to change your skin, then (if you are using mIRC) it adds a new script which sends the link to other people.

Here is the link - I have obfuscated it slightly to prevent accidental clickage. To use it, remove all the *s from the url.

Link removed

I hope the winamp team can analyse this, and if it IS causing infection, can resolve it quickly.

DaWolfey
21st August 2004, 21:37
If the above link stops working, I have downloaded the files that it sends.

DJ Egg
21st August 2004, 21:55
/moved from Tech Support to Discussion

Here's the link...
copy+paste/use at one's own risk:

link removed

Yeah, it calls a php script which loads a .wsz file, which contains a worm. Dodgy shit!

mikm
21st August 2004, 21:57
Hmmm....it doesn't appear to be a valid application or skin (i.e. cannot be uncompressed).

DaWolfey
21st August 2004, 22:06
Removed to reduce impact of exploit. Fix is underway.

Russ
21st August 2004, 22:42
That's just a really cunning way of circumventing IE's zone restrictions. Not really sure whose fault it is.

shaneh
22nd August 2004, 03:38
Yeah, it is kind of an exploit in IE.. I am not sure if SP2 fixes this problem. However, I think it is a bit of an exploit on behalf of Winamp in that it allows all files contained within a .zip file to be copied to the local machine to a predictable location without prompts. This could be exploited in quite a number of ways...

Just restricting .exes won't fix it either, as .htas, .js, .bat etc. could be abused too. Even .htm files can be dangerous when run from the local machine.

EDIT: I realised it doesn't put it in a predictable location, as it is extracted to a random temp directory. But nonetheless, downloading and saving arbitrary files to the local machine without prompting is not a terribly good idea.

As for below: You cannot inspect a .wsz file before it is downloaded and used. IE automatically downloads it and sends it to Winamp without any prompts, which then automatically extracts it and 'executes' it.

k_rock923
22nd August 2004, 04:52
Wouldn't someone notice that there's an xml file in a .wsz??

Wildrose-Wally
22nd August 2004, 07:40
Originally posted by k_rock923
Wouldn't someone notice that there's an xml file in a .wsz??

It would not matter if it was a .wal or a .wsz file; nobody would notice, unless they opened the file in WinZip or checked the temp folder where the skin is extracted to.
(In a .wal file there are supposed to be .xml files anyway.)

I don't think many users actually do this, unless they are skin reviewers. ;)

k_rock923
22nd August 2004, 15:16
Good point, wally. I only open the files of skins that I want to see how something was done. I know there are xmls in modern skins. I guess that's what I kind of meant. Oh well.

Kickboy12
23rd August 2004, 01:06
This isn't an IE exploit. It can affect Firefox too if you're not careful. It's entirely a Winamp exploit, 'cause even in Firefox it will prompt you to download the file and open it... if you open it, you're affected. :/

The link is dead now, but I'm guessing the exe file just looks to see if mIRC is running, and gets the path, and extracts+runs some mIRC scripts. Classic trojan technique. Really not terribly difficult to make.

cerebri
26th August 2004, 00:12
This was one nasty little worm.
"Luckily" I found the source of it.. if you would like to check it out it can be found here

link removed
download it at your own risk.


Hope this can help you ppl in some way...

Franky752
26th August 2004, 00:18
Here is the exploit used : Winamp <=5.04 Skin File (.wsz) Remote Code Execution Exploit

link removed

and here is the advisory

http://secunia.com/advisories/12381/

and where is the patch ?

morgado
26th August 2004, 00:48
Relax ... just don't download skins for now and wait for 5.05 ... :)

cerebri
26th August 2004, 00:58
and when will that be? :P

DJ Egg
26th August 2004, 03:50
It's not a case of 'not downloading skins'.
You're safe if you download skins from any of:
winamp.com, deviantart.com, 1001winampskins, skins.org, deskmod, etc etc...
You'll probably be safe if you knowingly download any wsz or wal file.
It's when the url is a seemingly unsuspicious link to a .php or .jpg that you've got to worry, because that's currently how the exploit is utilized.

The best thing you could do right now is:
WinME/2k/XP > Windows Folder Options > File Types tab > WSZ > Advanced:
Checkmark: "Confirm open after download"

Repeat for WAL

(Note: Under Win9x, it's 'Edit' instead of 'Advanced')

This will now make Internet Explorer ask if you want to open or save WAL & WSZ files.
Naturally, if you clicked on a link to a jpg or php (or any other extension other than wal or wsz) then you've probably come across the exploit (so it'd probably be wise to click 'Cancel').


For other browsers, you'll need to go into the browser config and change the setting accordingly, eg. for Firefox:

Tools > Options > Downloads tab:
WSZ / WAL > Change Action:
Checkmark: "Save to Disk" (instead of Open...)

Firefox will now prompt you instead of automatically downloading & executing skin files.
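The "Confirm open after download" setting DJ Egg describes above is stored in the registry, so it can be checked from a script rather than clicked through in Folder Options. The following is an added example written for this page, not code from the thread or from Winamp. It assumes the documented Windows file-type layout (the `.wsz`/`.wal` key under HKEY_CLASSES_ROOT pointing at a ProgID whose `EditFlags` value carries the `FTA_OpenIsSafe` bit, 0x00010000; when that bit is set the browser opens the download without asking). The ProgID name `Winamp.SkinZip` in the constructed sample table is a placeholder, not necessarily what Winamp registers. The registry read only runs on Windows; elsewhere the constructed table is used so the decision logic can be exercised.

```python
import sys

# FTA_OpenIsSafe: when SET in a ProgID's EditFlags, Windows treats "open" as
# safe for downloaded files and skips the "Confirm open after download"
# prompt. Clearing it is the scripted equivalent of ticking that checkbox.
FTA_OPEN_IS_SAFE = 0x00010000


def confirm_open_after_download(edit_flags: int) -> bool:
    """True when the browser will prompt before opening a downloaded file of this type."""
    return not (edit_flags & FTA_OPEN_IS_SAFE)


def hardened_edit_flags(edit_flags: int) -> int:
    """EditFlags with only the open-is-safe bit cleared; other bits preserved."""
    return (edit_flags & ~FTA_OPEN_IS_SAFE) & 0xFFFFFFFF


def audit_file_types(lookup, extensions=(".wsz", ".wal")):
    """lookup(ext) -> (progid or None, edit_flags or None). Returns a per-extension report."""
    report = {}
    for ext in extensions:
        progid, flags = lookup(ext)
        if progid is None:
            # No association at all: the file cannot be handed to Winamp (talbers' approach).
            report[ext] = {"progid": None, "status": "not associated"}
            continue
        flags = flags or 0
        report[ext] = {
            "progid": progid,
            "edit_flags": flags,
            "prompts": confirm_open_after_download(flags),
            "hardened_edit_flags": hardened_edit_flags(flags),
        }
    return report


def registry_lookup(ext):
    """Windows only: HKCR\\.ext default value -> ProgID, then HKCR\\ProgID\\EditFlags."""
    import winreg  # only importable on Windows
    try:
        with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, ext) as key:
            progid, _ = winreg.QueryValueEx(key, "")
    except OSError:
        return None, None
    try:
        with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, progid) as key:
            flags, kind = winreg.QueryValueEx(key, "EditFlags")
    except OSError:
        return progid, None
    if kind == winreg.REG_BINARY:  # EditFlags may be stored as DWORD or 4 raw bytes
        flags = int.from_bytes(flags, "little")
    return progid, flags


def fake_lookup(ext):
    """Constructed sample registry: .wsz marked open-is-safe (no prompt), .wal unassociated."""
    table = {".wsz": ("Winamp.SkinZip", 0x00010000), ".wal": (None, None)}
    return table.get(ext, (None, None))


if __name__ == "__main__":
    lookup = registry_lookup if sys.platform == "win32" else fake_lookup
    for ext, entry in audit_file_types(lookup).items():
        print(ext, entry)
```

Writing the hardened value back (with `winreg.SetValueEx` on the ProgID key) requires administrative rights on the HKCR hive and is left out here on purpose; the audit is the part worth running before and after changing the Folder Options checkbox.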

will
26th August 2004, 06:16
This issue is fixed for the next version of winamp.

cerebri
26th August 2004, 08:23
does anyone know what exactly the file in this exploit (1.exe) does? besides installing that mIRC script (or is that everything?)

I'm starting to get real paranoid here ;-)

EDIT : Found also this for those of you who got infected.
http://trojanscan.quakenet.org/?139

DJ Egg
26th August 2004, 10:26
Yup. Looks like we'll be getting a 5.05 sooner than we expected...

Basically, we need to shut a few people up ;) (http://news.com.com/Winamp+vulnerable+to+camouflaged-skin+attacks/2100-1002_3-5323990.html, http://secunia.com/advisories/12381/)
Executable files (exe, scr, bat, pif, com, etc) will no longer be able to run from within wal/wsz skin files.

electricmime
26th August 2004, 10:31
though... isn't 5.05 a little much for one bug...? wouldn't a 5.04a (or b or whatever) be used instead?

or is there going to be something else added (or at least is there supposed to be something else added)

DJ Egg
26th August 2004, 10:49
maybe...

CraigF
26th August 2004, 10:49
there was talk of some additional updates being included (like the bundling of ml_ipod), but I don't believe these will be included since this is more of a rush-to-fix than a release. Yeah, I'd have probably marked it up as a 5.04x rather than a 5.05, but so be it.

shaneh
26th August 2004, 11:15
...Executable files (exe, scr, bat, pif, com, etc) will no longer be able to run from within wal/wsz skin files...


I hope they don't just scan the file for .exes etc. as the only security measure. There are many different executable types aside from .exes and .bats etc.; it's unlikely they could catch them all.

Even if they did, it won't stop a .htm file executing an existing file (such as c:\windows\calc.exe or an ftp server or something).

Even if they stopped it executing stuff, running arbitrary files in the .htm zone is a security problem - you could for example have a frame which loads up a local file and read it and send it off to a remote site.

Winamp needs to set the security permissions for the web browser object to not allow scripting and various other restrictions.

I've been looking into this stuff myself a bit lately, and have my name attributed to a couple of MS security bulletins with IE so I know what I'm talking about ;)

CraigF
26th August 2004, 11:30
while I have discussed the same with the previous developers, the general consensus is that you are simply working around the fact that IE is insecure in itself. You are also preventing much of what the <browser> tag was originally included for.

Classic skin files will only unzip those extensions it knows it requires, and are safe. I haven't had time to look at the fix included within 5.05, but I do not assume this to be the same, and rather, as you have pointed out, just a "don't unzip this known BAD filetype". So with that regard, I agree with you. It would be far better to actually only unzip known safe files, than to unzip the other way around (assuming this isn't the case).

shaneh
26th August 2004, 11:57
The main issue here is the fact that HTML effectively taken from the 'Internet' zone is being rendered in the 'Local Machine' zone (or whatever permissions Winamp gives the web browser object).

HTML is unfortunately not safe when run locally, when you start including ActiveX and other scripting. (eg the example I gave of being able to read local files and send them off to a remote server - does not require .exes or special permissions).

I think the real fix is to simply change the mindset of how safe a skin is. If you want 'safe' skins, perhaps they could use a different extension and not allow the 'browser' object. These could be installed without prompt, whereas skins that do allow the browser object should use a different extension and IE should not download such files automatically.

Otherwise, the web browser object should be locked down hard, ie treated in the same way files opened from the 'Temporary Internet Files' directory is in IE - (treated as though they are running in the Internet Zone). This is quite difficult to do well though, but can be done.

Russ
26th August 2004, 12:16
The best way would be for the browser object to have a way to specify the default security zone for everything it opens. But that would be easy.

shaneh
26th August 2004, 12:23
Can't you just implement the "IInternetSecurityManager" interface? It lets you map urls to zones, process url actions etc.

Russ
26th August 2004, 12:30
I dunno, I've never touched the IE browser object ;). Nor do I plan to.

shaneh
26th August 2004, 12:39
Oh, I thought you were suggesting that there was no such way of doing that. I admit it isn't that simple though, but it does allow a fair bit of flexibility AFAIK.

inthegray
26th August 2004, 15:09
I put up a friendly summary on all the information I've gathered regarding the exploit, on Winamp Unlimited (http://winampunlimited.com/). Feel free to point out any inaccuracies you see.

DJ Egg
27th August 2004, 02:21
Thread temporarily locked, moved backstage and edited by admin/mods.
Thread now open again...

All direct links to working examples of the exploit will be removed, so don't bother posting any.

And as already stated, 5.05 fixes this issue and will be available shortly...

Basically, you'll now be prompted before installing any new skin
and only files on a known safelist will be extracted.

Kyllian
27th August 2004, 03:11
S'pose you could tell us what else will be fixed/changed in 5.05?

DJ Egg
27th August 2004, 03:27
No, not much else really, seeing 5.04 was supposed to be the last build for a while...

Latest JTFE
plus a couple of other minor bugfixes (http://forums.winamp.com/showthread.php?s=&threadid=159785)

Kyllian
27th August 2004, 03:32
Ok.

And in an effort to spread some good news, I posted your temp fix/suggestion/etc. (IE File Association tweak) on a few other forums (and that 5.05 would be somewhat soon to perma-fix)

dlinkwit27
27th August 2004, 05:27
Originally posted by electricmime
though... isn't 5.05 a little much for one bug...? wouldn't a 5.04a (or b or whatever) be used instead?

or is there going to be something else added (or at least is there supposed to be something else added)

Ya know, as long as they fix what can be exploited, I really don't give two shits what they call it. Maybe I'm just weird like that though.

Kyllian
27th August 2004, 06:15
Hey, as long as it works

electricmime
27th August 2004, 06:45
Originally posted by dlinkwit27
Ya know, as long as they fix what can be exploited, I really don't give two shits what they call it. Maybe I'm just weird like that though.


I wasn't criticizing what they called it, I was asking if they knew of more things being added, because in the past, haven't bug fixes been titled with a's and b's.. though this is a pretty big exploit, so maybe they are doing a 5.05 to show and advertise an upgraded, fixed version (compared to the sub-letters which probably wouldn't get as much attention by those not already aware of the exploit)

CraigF
27th August 2004, 08:36
5.05 should be out some time today.

It includes the following, maybe more since i last looked:

1) skin exploit fix
2) wmv upside down video fixes
3) aacp streaming fixes (no, not mp4, sorry HA, its still planned)
4) latest jtfe.

It does not include:

1) mlipod
2) single UI skin.

[edit: updated as below]

Cianca
27th August 2004, 09:17
new version include SINGLE UI SKIN???? (i love it)

will
27th August 2004, 10:03
No. This, hopefully, will be in the ipod bundle. Which should be in just over a months time.

ampewin
27th August 2004, 10:33
How do you use your PC? As administrators?

I am using my PC as a user (with full control of the Winamp and games directory of course). So although any malicious program could possibly delete my user files or change my user settings, it wouldn't be able to make any system-wide change. And since most spyware (or ActiveX controls) want to change system-wide settings, they will not be able to install or run properly due to limited credentials. And all the changes they would cause would affect only the current user (in other words nothing that can't be corrected by backing up the files and deleting the user profile).

Anyway just my tip on increased security.

As for the exploit, it sounds pretty serious. Imagine in the report if you replace Winamp with WMP the havoc that this vulnerability could have caused! Judging from the Secunia report the problem starts from a "browser" tag in an XML file that references an HTML file etc.

Is it possible to "whitelist" the XML files? I mean have winamp.exe parse the XML file and allow only the tags that could have legal function (eg <bitmap>) and not allow any tags that would not have legal use. I may be wrong but that's how I think of it.
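The two design points raised above, shaneh and CraigF's argument that extraction should use an allowlist of known-safe asset types rather than a denylist of known-bad executables, and ampewin's question about vetting the skin XML for a `<browser>` element, can be shown side by side on a constructed skin archive. The block below is an added example written for this page, not code from the thread and not Winamp's own extraction code. A .wsz/.wal is a renamed zip, which is the only format fact relied on; the allowlist contents, the skin XML layout and the `url` attribute on `<browser>` are assumptions for illustration, not Winamp's real schema. The sample archive, including its attacker-style entries, is built in memory so the script runs offline.

```python
import io
import posixpath
import zipfile
import xml.etree.ElementTree as ET

# Assumed for illustration: asset types a skin legitimately needs. This is not
# Winamp's real list; the point is that it is an allowlist, not a denylist.
SAFE_EXTENSIONS = {".bmp", ".png", ".jpg", ".gif", ".cur", ".txt", ".ini", ".xml"}

# The "known BAD" types named in the thread. Deliberately incomplete, which is
# exactly the weakness shaneh points out (.hta, .js, .htm slip through).
EXECUTABLE_DENYLIST = {".exe", ".scr", ".bat", ".pif", ".com"}


def entry_ext(name: str) -> str:
    return posixpath.splitext(name.lower())[1]


def is_safe_path(name: str) -> bool:
    """Reject entries that would escape the extraction directory (zip-slip)."""
    norm = posixpath.normpath(name.replace("\\", "/"))
    return not (norm.startswith("/") or ".." in norm.split("/"))


def denylist_filter(names):
    """What a 'skip known executables' extractor would still write to disk."""
    return [n for n in names if is_safe_path(n) and entry_ext(n) not in EXECUTABLE_DENYLIST]


def allowlist_filter(names):
    """What an 'only known skin assets' extractor would write to disk."""
    return [n for n in names if is_safe_path(n) and entry_ext(n) in SAFE_EXTENSIONS]


def browser_elements(xml_bytes: bytes):
    """(tag, url) for each <browser> element, any case; the url attribute name is assumed."""
    root = ET.fromstring(xml_bytes)
    return [(el.tag, el.attrib.get("url", "")) for el in root.iter() if el.tag.lower() == "browser"]


def inspect_skin(data: bytes) -> dict:
    """Inventory a skin archive and report what each extraction policy would keep."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [i.filename for i in zf.infolist() if not i.is_dir()]
        browsers = []
        for n in names:
            if entry_ext(n) == ".xml":
                try:
                    browsers.extend(browser_elements(zf.read(n)))
                except ET.ParseError:
                    pass  # malformed XML is reported as having no browser elements
    return {
        "entries": names,
        "denylist_extracts": denylist_filter(names),
        "allowlist_extracts": allowlist_filter(names),
        "browser_elements": browsers,
    }


def build_sample_skin() -> bytes:
    """Constructed sample: a benign bitmap and skin XML plus attacker-style entries."""
    skin_xml = b"""<?xml version="1.0"?>
<WinampAbstractionLayer version="1.0">
  <skininfo><name>Sample</name></skininfo>
  <container id="main">
    <browser id="payload" url="payload.htm"/>
  </container>
</WinampAbstractionLayer>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("main.bmp", b"BM" + b"\x00" * 60)
        zf.writestr("skin.xml", skin_xml)
        zf.writestr("1.exe", b"MZ" + b"\x90" * 30)            # caught by the denylist
        zf.writestr("payload.htm", b"<script>/* ... */</script>")  # not caught by it
        zf.writestr("autorun.hta", b"<html/>")                  # not caught by it
        zf.writestr("../../dropped.bmp", b"BM")                 # zip-slip: path check
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in inspect_skin(build_sample_skin()).items():
        print(f"{key}: {value}")
```

Run as a script it prints the inventory and the two extraction outcomes; the denylist keeps `payload.htm` and `autorun.hta`, the allowlist keeps only the bitmap and the XML, and the `<browser>` element pointing at `payload.htm` is listed separately so an installer could prompt on it rather than silently render it in the local zone.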

Manip
27th August 2004, 11:59
I just want to say, I agree that the links should be removed.. but the post about how it works SHOULDN'T. I hope you got the poster's permission on that one. I thought Nullsoft were supposed to be a 'good guy' software company and would expect you guys to solve the problem(s), not to simply hide them and pretend they have gone away. Anyone who would want to develop them has already got the information you're censoring.. :down:

CraigF
27th August 2004, 12:05
uh, it's on every news feed in the world.

you argue that people who want to develop infected skins will already have this information, but you fail to mention why everyone else in the world should have a nice how-to?

Security professionals willing to investigate further are more than aware of sources providing further details, the general public however, would probably prefer this to be safely away from the hands of the script kiddies.

Regardless, a new version should be out later today to fix this exploit.

Russ
27th August 2004, 12:11
Riiiight... we're the good guys and so we should publish information about how to exploit our users' computers in full view on our web site.

I can't say I follow your logic on that one.

inthegray
27th August 2004, 12:24
Originally posted by electricmime
in the past, havent bug fixes been titled with a's and b's..

winamp uses small .01 upgrades (instead of .1), so we don't necessarily have to tack on an extra "a" or "b." we have room to slightly increase the version number.

talbers
27th August 2004, 14:21
Couldn't I just dis-associate .WAL files and .WSZ files under Windows Folder Options for now? Then when the new version of Winamp comes out (with the patch for the vulnerability) I can uninstall and install the new version.

Does that make sense?
Would that protect me (and others who do this) in the mean time?

Or am I missing something? (Which in my experience is often the case.)

;)

Thanks,

Todd

Russ
27th August 2004, 14:31
Yeah, that would fix it.

talbers
27th August 2004, 14:32
To follow up on my post above.....
If I disassociate .WAL and .WSZ files from Windows then I won't be able to download and install new skin files, obviously. But, personally, I don't care about that. That's all I would lose, right? Then the vulnerability can't be exploited unless I re-associate the .WAL and .WSZ file types..... which I won't do until the next version of Winamp. Again, let me know if I am missing something.

DJ Egg
27th August 2004, 14:35
Maybe... though it's possible that winamp just automatically re-registers them when you close & reopen it.

Maybe it won't if you uncheck "restore associations at startup" in Winamp Prefs > File Types? (also, if Agent is enabled, you'll need to uncheck: Maintain associations).

However, I think my temporary solution (http://forums.winamp.com/showthread.php?postid=1450734#post1450734) posted further up is the better one... ie. make the browser prompt you first. This way, you can install skins that you know are safe (ie. from a trusted source) and cancel any from an untrusted source (ie. ones that try to install when you clicked on a jpg or php link in mirc).

Besides all this, 5.05 should be with us before the end of the day, and this whole issue will then be moot.


[Edit]
wow, lots of quick posts...
Yes, you'll still be able to install skins
(ie. direct links to wal & wsz files on winamp.com etc)
by right-clicking the download link
and selecting "save target/link as"
and saving the file to the winamp/skins folder
and then selecting it from the winamp menu.

Russ
27th August 2004, 14:36
For the vulnerability to be exploited, the skin file has to be opened in Winamp. If the files aren't associated with Winamp, it won't be able to open them, and so you're safe.

talbers
27th August 2004, 14:39
"Besides all this, 5.05 should be with us before the end of the day, and this whole issue will then be moot."

Ah. Cool. I will just get 5.05 since it is coming out so soon. In the mean time I just deleted the file associations. I don't download new skin files, so I don't have any need for them for now.

Thanks!

Todd

ampewin
27th August 2004, 15:42
So winamp 5.04 was not the "final edition for now" after all. :)

DaWolfey
27th August 2004, 16:12
Good to see that my original post was not in vain :)

Good work nullsoft!

1nfinite
27th August 2004, 18:45
found this while searching... there are some sites teaching people how to do it.. I found the xml code they use.. here it is

also here is the site i found it on.

crap removed. read thread before posting. 5.05 t minus x

DJ Egg
27th August 2004, 21:36
http://www.winamp.com/player/
http://download.nullsoft.com/winamp/client/winamp505_full.exe

End of discussion :)

Kalter Rauch
30th August 2004, 19:43
I'm in the pipeline......5.05!!! :up:

:cool: Sooo...I'm now going to get a weird dark skin off this new flick coming out......LUFT KAPITÄN UND DER WELT VON MORGEN (Sky Captain and the World of Tomorrow).
http://www.skycaptain.com/

rerun
21st October 2004, 00:48
Can we still be affected by the skin exploit if Winamp is not running? Are we safe just as long as Winamp is not open? This is concerning the people that do not have Winamp 5.05. Thanks for any help.

Nunzio390
21st October 2004, 01:22
Originally posted by rerun
Can we still be affected by the skin exploit if Winamp is not running? Are we safe just as long as Winamp is not open? This is concerning the people that do not have Winamp 5.05. Thanks for any help.

rerun...

Are you saying that you are one of the "people" you mentioned above who hasn't upgraded to 5.05 yet? Is that what you are trying to say? If so, then you definitely should upgrade to 5.05 Full (http://www.winamp.com/player/free.php) because it fixes many bugs (http://forums.winamp.com/showthread.php?s=&threadid=159785) and security issues, including this major security issue (http://www.winamp.com/about/article.php?aid=10605) (article #1) that still exists in older Winamp releases (also mentioned in more detail here (http://www.winampunlimited.com/index.php?id=43)) (article #2).

Can you still be affected by the skin exploit if Winamp is not running? Are you safe just as long as Winamp is not open?

I would say that you are not safe and can still be affected, based on what is covered in the 2 articles I linked to above.

Upgrade, dude. Upgrade. Why take chances?

mikm
21st October 2004, 02:27
Because 5.05 secretly installs a program that transfers money from your bank account to those of the former members of the WA dev team. They created this security hole to give users an urgent reason to upgrade.

Why else do you think they were able to retire so early?