WINAMP.COM | Forums > Winamp > Winamp Discussion
DaWolfey
Junior Member

Registered: Aug 2004
From:

Winamp skin exploit. Being used as a vector for infection

Hi

I've just seen a new worm spreading across IRC. Clicking a link sends you a Winamp skin file; it appears to change your skin, then (if you are using mIRC) it adds a new script which sends the link to other people.

Here is the link - I have obfuscated it slightly to prevent accidental clickage. To use it, remove all the *s from the url.

[edit -> egg] Link removed [/edit]

I hope the winamp team can analyse this, and if it IS causing infection, can resolve it quickly.

Last edited by DJ Egg on 08-26-2004 at 10:23 PM

Posted: 08-21-2004 09:28 PM
DaWolfey
Junior Member

Registered: Aug 2004
From:

If the above link stops working, I have downloaded the files that it sends.

Posted: 08-21-2004 09:37 PM
DJ Egg
Moderator

Registered: Jun 2000
From:

/moved from Tech Support to Discussion

Here's the link...
copy+paste/use at one's own risk:

[edit -> egg] link removed [/edit]

Yeah, it calls a php script which loads a .wsz file, which contains a worm. Dodgy shit!

__________________

Last edited by DJ Egg on 08-26-2004 at 10:22 PM

Posted: 08-21-2004 09:55 PM
mikm
Major Dude

Registered: May 2001
From: 2001:4978:20f::/48

Hmmm....it doesn't appear to be a valid application or skin (i.e. cannot be uncompressed).

__________________
powered by C₂H₅OH | eff | aclu

Posted: 08-21-2004 09:57 PM
DaWolfey
Junior Member

Registered: Aug 2004
From:

[edit steve] Removed to reduce impact of exploit. Fix is underway. [/edit]

Posted: 08-21-2004 10:06 PM
Russ
Mostly Harmless
(Alumni)

Registered: Jan 2001
From: UK

That's just a really cunning way of circumventing IE's zone restrictions. Not really sure whose fault it is.

__________________
For long you live and high you fly, but only if you ride the tide, and balanced on the biggest wave you race towards an early grave.
|Musicbrainz|Audioscrobbler|last.fm|

Posted: 08-21-2004 10:42 PM
shaneh
Major Dude

Registered: Jan 2004
From: Brisbane, Australia

Yeah, it is kind of an exploit in IE... I am not sure if SP2 fixes this problem. However, I think it is a bit of an exploit on behalf of Winamp in that it allows all files contained within a .zip file to be copied to the local machine to a predictable location without prompts. This could be exploited in quite a number of ways...

Just restricting .exes won't fix it either, as .htas, .js, .bat etc could be abused too. Even .htm files can be dangerous when run from the local machine.

EDIT: I realised it doesn't put it in a predictable location, as it is extracted to a random temp directory. But nonetheless, downloading and saving arbitrary files to the local machine without prompting is not a terribly good idea.

As for below: You cannot inspect a .wsz file before it is downloaded and used. IE automatically downloads it and sends it to Winamp without any prompts, which then automatically extracts it and 'executes' it.

__________________
Music Plugins

Last edited by shaneh on 08-22-2004 at 05:56 AM

Posted: 08-22-2004 03:38 AM
k_rock923
\m/
(Forum King)

Registered: Jul 2003
From: /bin/bash

Wouldn't someone notice that there's an xml file in a .wsz??

__________________
More systems have been wiped out by admins than any cracker could do in a lifetime.

Posted: 08-22-2004 04:52 AM
Wildrose-Wally
The Albertan
(Reviewer)

Registered: Mar 2001
From: Sunny Southern Alberta

quote:
Originally posted by k_rock923
Wouldn't someone notice that there's an xml file in a .wsz??


It would not matter if it was a .wal or a .wsz file, nobody would notice, unless they opened the file in WinZip, or checked the temp folder where the skin is extracted to.
(In a .wal file there are supposed to be .xml files anyway.)

I don't think many users actually do this, unless they are skin reviewers.

__________________

Posted: 08-22-2004 07:40 AM
k_rock923
\m/
(Forum King)

Registered: Jul 2003
From: /bin/bash

Good point, wally. I only open the files of skins that I want to see how something was done. I know there are xmls in modern skins. I guess that's what I kind of meant. Oh well.

__________________
More systems have been wiped out by admins than any cracker could do in a lifetime.

Posted: 08-22-2004 03:16 PM
Kickboy12
Senior Member

Registered: Oct 2003
From: Bay Area, California

This isn't an IE exploit. It can affect Firefox too if you're not careful. It's entirely a Winamp exploit, 'cause even in Firefox it will prompt you to download the file, and open it... if you open it, you're affected. :/

The link is dead now, but I'm guessing the exe file just looks to see if mIRC is running, and gets the path, and extracts+runs some mIRC scripts. Classic trojan technique. Really not terribly difficult to make.

__________________
[@imho] man
[@imho] I had dreams about unit testing last night :-(
[@sim`a] i have nightmares about syntax errors, whats your point

Posted: 08-23-2004 01:06 AM
cerebri
Junior Member

Registered: Aug 2004
From: Sweden

This was one nasty little worm.
"Luckily" I found the source of it.. if you would like to check it out it can be found here

[edit -> egg] link removed [/edit]
Download it at your own risk.


Hope this can help you ppl in some way...

Last edited by DJ Egg on 08-26-2004 at 10:26 PM

Posted: 08-26-2004 12:12 AM
Franky752
Junior Member

Registered: Aug 2004
From:

advisory

Here is the exploit used : Winamp <=5.04 Skin File (.wsz) Remote Code Execution Exploit

[edit --> egg] link removed [/edit]

and here is the advisory

URL submitted by user.

and where is the patch ?

Last edited by DJ Egg on 08-26-2004 at 10:29 PM

Posted: 08-26-2004 12:18 AM
morgado
Major Dude

Registered: Apr 2003
From: away from my baby

Relax ... just don't download skins for now and wait for 5.05 ...

__________________
I Love You Ana Luiza
MSN

Posted: 08-26-2004 12:48 AM
cerebri
Junior Member

Registered: Aug 2004
From: Sweden

and when will that be? :P

Posted: 08-26-2004 12:58 AM
DJ Egg
Moderator

Registered: Jun 2000
From:

It's not a case of 'not downloading skins'.
You're safe if you download skins from any of:
winamp.com, deviantart.com, 1001winampskins, skins.org, deskmod, etc etc...
You'll probably be safe if you knowingly download any wsz or wal file.
It's when the url is a seemingly unsuspicious link to a .php or .jpg that you've got to worry, because that's currently how the exploit is utilized.

The best thing you could do right now is:
WinME/2k/XP > Windows Folder Options > File Types tab > WSZ > Advanced:
Checkmark: "Confirm open after download"

Repeat for WAL

(Note: Under Win9x, it's 'Edit' instead of 'Advanced')

This will now make Internet Explorer ask if you want to open or save WAL & WSZ files.
Naturally, if you clicked on a link to a jpg or php (or any other extension other than wal or wsz) then you've probably come across the exploit (so it'd probably be wise to click 'Cancel').


For other browsers, you'll need to go into the browser config and change the setting accordingly, eg. for Firefox:

Tools > Options > Downloads tab:
WSZ / WAL > Change Action:
Checkmark: "Save to Disk" (instead of Open...)

Firefox will now prompt you instead of automatically downloading & executing skin files.

__________________

Posted: 08-26-2004 03:50 AM
will
Nullsoft Newbie (Moderator)

Registered: Mar 2001
From: Sheffield, England

This issue is fixed for the next version of winamp.

__________________
DO NOT PM ME WITH TECH SUPPORT QUESTIONS

Posted: 08-26-2004 06:16 AM
cerebri
Junior Member

Registered: Aug 2004
From: Sweden

Does anyone know what exactly the file in this exploit (1.exe) does? Besides installing that mIRC script (or is that everything?)

I'm starting to get real paranoid here ;-)

EDIT : Found also this for those of you who got infected.
URL submitted by user.

Posted: 08-26-2004 08:23 AM
DJ Egg
Moderator

Registered: Jun 2000
From:

Yup. Looks like we'll be getting a 5.05 sooner than we expected...

Basically, we need to shut a few people up
Executable files (exe, scr, bat, pif, com, etc) will no longer be able to run from within wal/wsz skin files.

__________________

Posted: 08-26-2004 10:26 AM
electricmime
Major Dude

Registered: Mar 2004
From:

though... isn't 5.05 a little much for one bug...? wouldn't a 5.04a (or b or whatever) be used instead?

or is there going to be something else added (or at least is there supposed to be something else added)

__________________
There is no reset button on life... but the graphics kick ass

Posted: 08-26-2004 10:31 AM
DJ Egg
Moderator

Registered: Jun 2000
From:

maybe...

__________________

Posted: 08-26-2004 10:49 AM
CraigF
Passionately Apathetic
Administrator

Registered: May 2000
From: Hell

There was talk of some additional updates being included (like the bundling of ml_ipod), but I don't believe these will be included since this is more of a rush-to-fix than a release. Yeah, I'd have probably marked it up as a 5.04x than a 5.05, but so be it.

__________________

Posted: 08-26-2004 10:49 AM
shaneh
Major Dude

Registered: Jan 2004
From: Brisbane, Australia

...Executable files (exe, scr, bat, pif, com, etc) will no longer be able to run from within wal/wsz skin files...


I hope they don't just scan the file for .exes etc as the only security measure. There are many different executable types aside from .exes and .bats etc, it's unlikely they could catch them all.

Even if they did, it won't stop a .htm file executing an existing file (such as c:\windows\calc.exe or a ftp server or something).

Even if they stopped it executing stuff, running arbitrary files in the .htm zone is a security problem - you could for example have a frame which loads up a local file and read it and send it off to a remote site.

Winamp needs to set the security permissions for the web browser object to not allow scripting and various other restrictions.

I've been looking into this stuff myself a bit lately, and have my name attributed to a couple MS security bulletins with IE so I know what I'm talking about

__________________
Music Plugins

Posted: 08-26-2004 11:15 AM
CraigF
Passionately Apathetic
Administrator

Registered: May 2000
From: Hell

While I have discussed the same with the previous developers, the general consensus is that you are simply working around the fact that IE is insecure in itself. You are also preventing much of what the <browser> tag was originally included for.

Classic skin files will only unzip those extensions it knows it requires, and are safe. I haven't had time to look at the fix included within 5.05, but I do not assume this to be the same, and rather, as you have pointed out, just a "don't unzip this known BAD filetype". So with that regard, I agree with you. It would be far better to actually only unzip known safe files, than to unzip the other way around (assuming this isn't the case).

__________________

Posted: 08-26-2004 11:30 AM
shaneh
Major Dude

Registered: Jan 2004
From: Brisbane, Australia

The main issue here is the fact that HTML effectively taken from the 'Internet' zone is being rendered in the 'Local Machine' zone (or whatever permissions Winamp gives the web browser object).

HTML is unfortunately not safe when run locally, when you start including ActiveX and other scripting. (e.g. the example I gave of being able to read local files and send them off to a remote server - does not require .exes or special permissions).

I think the real fix is to simply change the mindset of how safe a skin is. If you want 'safe' skins, perhaps they could use a different extension and not allow the 'browser' object. These could be installed without prompt, whereas skins that do allow the browser object should use a different extension and IE should not download such files automatically.

Otherwise, the web browser object should be locked down hard, i.e. treated in the same way files opened from the 'Temporary Internet Files' directory are in IE - (treated as though they are running in the Internet Zone). This is quite difficult to do well though, but can be done.

__________________
Music Plugins

Posted: 08-26-2004 11:57 AM
Russ
Mostly Harmless
(Alumni)

Registered: Jan 2001
From: UK

The best way would be for the browser object to have a way to specify the default security zone for everything it opens. But that would be easy.

__________________
For long you live and high you fly, but only if you ride the tide, and balanced on the biggest wave you race towards an early grave.
|Musicbrainz|Audioscrobbler|last.fm|

Posted: 08-26-2004 12:16 PM
shaneh
Major Dude

Registered: Jan 2004
From: Brisbane, Australia

Can't you just implement the "IInternetSecurityManager" interface? It lets you map URLs to zones, process URL actions etc.

__________________
Music Plugins

Posted: 08-26-2004 12:23 PM
Russ
Mostly Harmless
(Alumni)

Registered: Jan 2001
From: UK

I dunno, I've never touched the IE browser object. Nor do I plan to.

__________________
For long you live and high you fly, but only if you ride the tide, and balanced on the biggest wave you race towards an early grave.
|Musicbrainz|Audioscrobbler|last.fm|

Posted: 08-26-2004 12:30 PM
shaneh
Major Dude

Registered: Jan 2004
From: Brisbane, Australia

Oh, I thought you were suggesting that there was no such way of doing that. I admit it isn't that simple though, but it does allow a fair bit of flexibility AFAIK.

__________________
Music Plugins

Posted: 08-26-2004 12:39 PM
inthegray
Major Dude

Registered: Sep 2003
From:

i put up a friendly summary on all the information i've gathered regarding the exploit, on winamp unlimited. feel free to point out any inaccuracies you see.

__________________
eric is awesome

Posted: 08-26-2004 03:09 PM
DJ Egg
Moderator

Registered: Jun 2000
From:

Thread temporarily locked, moved backstage and edited by admin/mods.
Thread now open again...

All direct links to working examples of the exploit will be removed, so don't bother posting any.

And as already stated, 5.05 fixes this issue and will be available shortly...

Basically, you'll now be prompted before installing any new skin
and only files on a known safelist will be extracted.

__________________

Posted: 08-27-2004 02:21 AM
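
[Added example, not part of the original thread and not Winamp's code] The two extraction policies contrasted in CraigF's post ("don't unzip this known BAD filetype" versus "only unzip known safe files") and in the safelist fix described in the post above, run over the same archive. The safelist contents, function names and sample archive are assumptions constructed for illustration; the example also goes slightly beyond the thread by rejecting path-traversal member names.

```python
import io
import os
import posixpath
import tempfile
import zipfile

# Assumed safelist for a classic (.wsz) skin: bitmaps, cursors, text config.
# Illustrative only; the thread does not publish Winamp's actual list.
SAFE_EXTENSIONS = {".bmp", ".cur", ".txt", ".ini"}
# Denylist built from the extensions named in the thread.
DENY_EXTENSIONS = {".exe", ".scr", ".bat", ".pif", ".com"}


def is_traversal(name):
    """True for absolute paths, drive letters or '..' components."""
    norm = name.replace("\\", "/")
    return norm.startswith("/") or ":" in norm or ".." in norm.split("/")


def plan_extraction(zip_bytes, policy):
    """Split archive members into (extract, skipped) under a policy.

    policy is "safelist" (extract only known-safe extensions) or
    "denylist" (extract everything except known-bad extensions).
    """
    if policy not in ("safelist", "denylist"):
        raise ValueError("unknown policy: %r" % policy)
    extract, skipped = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = posixpath.splitext(name.lower())[1]
            if is_traversal(name):
                allowed = False
            elif policy == "safelist":
                allowed = ext in SAFE_EXTENSIONS
            else:
                allowed = ext not in DENY_EXTENSIONS
            (extract if allowed else skipped).append(name)
    return extract, skipped


def extract_safelisted(zip_bytes, dest_dir):
    """Write only safelisted members under dest_dir; return relative paths."""
    extract, _ = plan_extraction(zip_bytes, "safelist")
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in extract:
            parts = [p for p in name.replace("\\", "/").split("/") if p]
            target = os.path.join(dest_dir, *parts)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as out:
                out.write(zf.read(name))
            written.append("/".join(parts))
    return sorted(written)


def build_sample_skin():
    """Constructed test archive; every member holds placeholder bytes."""
    members = ["main.bmp", "pledit.txt", "skin.xml", "page.htm",
               "run.hta", "script.js", "1.exe", "../evil.bmp"]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in members:
            zf.writestr(name, b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_skin()
    for policy in ("denylist", "safelist"):
        extract, skipped = plan_extraction(sample, policy)
        print(policy, "extracts:", extract, "skips:", skipped)
    with tempfile.TemporaryDirectory() as tmp:
        print("written:", extract_safelisted(sample, tmp))
```

Under the denylist the .htm, .hta, .js and .xml members still reach disk, which is the gap shaneh describes; under the safelist only the bitmap and text file are written.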
Kyllian
Member

Registered: Sep 2003
From: In the lab, overclocking hamsters

S'pose you could tell us what else will be fixed/changed in 5.05?

__________________
K-Aus037 no longer on WA.com
K-Aus037 | K-AusBlue | K-Aus 038 | K-Aus Blou | K-Aus Error | K-Aus Black at DeviantArt
If at first you don't succeed, destroy all evidence you tried

Posted: 08-27-2004 03:11 AM
DJ Egg
Moderator

Registered: Jun 2000
From:

No, not much else really, seeing 5.04 was supposed to be the last build for a while...

Latest JTFE
plus a couple of other minor bugfixes

__________________

Posted: 08-27-2004 03:27 AM
Kyllian
Member

Registered: Sep 2003
From: In the lab, overclocking hamsters

Ok.

And in an effort to spread some good news, I posted your temp fix/suggestion/etc(IE File Association tweak) on a few other forums(and that 5.05 would be somewhat soon to perma-fix)

__________________
K-Aus037 no longer on WA.com
K-Aus037 | K-AusBlue | K-Aus 038 | K-Aus Blou | K-Aus Error | K-Aus Black at DeviantArt
If at first you don't succeed, destroy all evidence you tried

Posted: 08-27-2004 03:32 AM
dlinkwit27
has no CT
(Forum King)

Registered: Sep 2000
From:

quote:
Originally posted by electricmime
though... isn't 5.05 a little much for one bug...? wouldn't a 5.04a (or b or whatever) be used instead?

or is there going to be something else added (or at least is there supposed to be something else added)

Ya know, as long as they fix what can be exploited, I really don't give two shits what they call it. Maybe I'm just weird like that though.

__________________

::Deviant Me::Last.fm::WhatPulse Stats::Folding @ Home

Posted: 08-27-2004 05:27 AM
Kyllian
Member

Registered: Sep 2003
From: In the lab, overclocking hamsters

Hey, as long as it works

__________________
K-Aus037 no longer on WA.com
K-Aus037 | K-AusBlue | K-Aus 038 | K-Aus Blou | K-Aus Error | K-Aus Black at DeviantArt
If at first you don't succeed, destroy all evidence you tried

Posted: 08-27-2004 06:15 AM
electricmime
Major Dude

Registered: Mar 2004
From:

quote:
Originally posted by dlinkwit27
Ya know, as long as they fix what can be exploited, I really don't give two shits what they call it. Maybe I'm just weird like that though.



I wasn't criticizing what they called it, I was asking if they knew of more things being added, because in the past, haven't bug fixes been titled with a's and b's.. though this is a pretty big exploit, so maybe they are doing a 5.05 to show and advertise an upgraded, fixed version (compared to the sub-letters which probably wouldn't get as much attention by those not already aware of the exploit)

__________________
There is no reset button on life... but the graphics kick ass

Posted: 08-27-2004 06:45 AM
CraigF
Passionately Apathetic
Administrator

Registered: May 2000
From: Hell

5.05 should be out some time today.

It includes the following, maybe more since i last looked:

1) skin exploit fix
2) wmv upside down video fixes
3) aacp streaming fixes (no, not mp4, sorry HA, it's still planned)
4) latest jtfe.

It does not include:

1) mlipod
2) single UI skin.

[edit: updated as below]

__________________

Posted: 08-27-2004 08:36 AM
Cianca
Senior Member

Registered: Mar 2002
From:

new version include SINGLE UI SKIN???? (i love it)

__________________
The universal god of light, love, wisdom and rok n rol

Posted: 08-27-2004 09:17 AM
will
Nullsoft Newbie (Moderator)

Registered: Mar 2001
From: Sheffield, England

No. This, hopefully, will be in the ipod bundle. Which should be in just over a month's time.

__________________
DO NOT PM ME WITH TECH SUPPORT QUESTIONS

Posted: 08-27-2004 10:03 AM
All times are GMT.