Go Back   Winamp & SHOUTcast Forums > Winamp > Winamp Discussion

Old 21st August 2004, 22:28   #1
DaWolfey
Junior Member
 
Join Date: Aug 2004
Posts: 18
Winamp skin exploit. Being used as a vector for infection

Hi

I've just seen a new worm spreading across IRC. Clicking a link sends you a winamp skin file, it appears to change your skin then (if you are using mirc) it adds a new script which sends the link to other people.

Here is the link - I have obfuscated it slightly to prevent accidental clickage. To use it, remove all the *s from the url.

[edit -> egg] Link removed [/edit]

I hope the winamp team can analyse this, and if it IS causing infection, can resolve it quickly.

Last edited by DJ Egg; 26th August 2004 at 23:23.
Old 21st August 2004, 22:37   #2
DaWolfey
Junior Member
 
Join Date: Aug 2004
Posts: 18
If the above link stops working, I have downloaded the files that it sends.
Old 21st August 2004, 22:55   #3
DJ Egg
Techorator
Winamp Team
 
Join Date: Jun 2000
Posts: 35,509
/moved from Tech Support to Discussion

Here's the link...
copy+paste/use at one's own risk:

[edit -> egg] link removed [/edit]

Yeah, it calls a php script which loads a .wsz file, which contains a worm. Dodgy shit!

Last edited by DJ Egg; 26th August 2004 at 23:22.
Old 21st August 2004, 22:57   #4
mikm
Major Dude
 
Join Date: May 2001
Location: somewhere else
Posts: 1,252
Hmmm....it doesn't appear to be a valid application or skin (i.e. cannot be uncompressed).

powered by C₂H₅OH
Old 21st August 2004, 23:06   #5
DaWolfey
Junior Member
 
Join Date: Aug 2004
Posts: 18
[edit steve] Removed to reduce impact of exploit. Fix is underway. [/edit]
Old 21st August 2004, 23:42   #6
Russ
Mostly Harmless
(Alumni)
 
Join Date: Jan 2001
Location: UK
Posts: 2,319
That's just a really cunning way of circumventing IE's zone restrictions. Not really sure whose fault it is.

For long you live and high you fly, but only if you ride the tide, and balanced on the biggest wave you race towards an early grave.
|Musicbrainz|Audioscrobbler|last.fm|
Old 22nd August 2004, 04:38   #7
shaneh
Major Dude
 
Join Date: Jan 2004
Location: Brisbane, Australia
Posts: 1,193
Yeah it is kind of an exploit in IE.. I am not sure if SP2 fixes this problem. However, I think it is a bit of an exploit on behalf of Winamp in that it allows all files contained within a .zip file to be copied to the local machine to a predictable location without prompts. This could be exploited in quite a number of ways...

Just restricting .exes won't fix it either, as .htas, .js, .bat etc could be abused too. Even .htm files can be dangerous when run from the local machine.

EDIT: I realised it doesn't put it in a predictable location, as it is extracted to a random temp directory. But nonetheless, downloading and saving arbitrary files to the local machine without prompting is not a terribly good idea.

As for below: You cannot inspect a .wsz file before it is downloaded and used. IE automatically downloads it and sends it to Winamp without any prompts, which then automatically extracts it and 'executes' it.

Last edited by shaneh; 22nd August 2004 at 06:56.
Old 22nd August 2004, 05:52   #8
k_rock923
\m/
(Forum King)
 
Join Date: Jul 2003
Location: /bin/bash
Posts: 7,848
Wouldn't someone notice that there's an xml file in a .wsz??

Never underestimate the bandwidth of a station wagon full of tapes hurtling down the highway.
Old 22nd August 2004, 08:40   #9
Wildrose-Wally
The Albertan
 
Join Date: Mar 2001
Location: Sunny Southern Alberta
Posts: 6,113
Quote:
Originally posted by k_rock923
Wouldn't someone notice that there's an xml file in a .wsz??
It would not matter if it was a .wal or a .wsz file, nobody would notice, unless they opened the file in WinZip, or checked the temp folder where the skin is extracted to.
(In a .wal file there are supposed to be .xml files anyway.)

I don't think many users actually do this, unless they are skin reviewers.
Old 22nd August 2004, 16:16   #10
k_rock923
\m/
(Forum King)
 
Join Date: Jul 2003
Location: /bin/bash
Posts: 7,848
Good point, wally. I only open the files of skins that I want to see how something was done. I know there are xmls in modern skins. I guess that's what I kind of meant. Oh well.

Never underestimate the bandwidth of a station wagon full of tapes hurtling down the highway.
Old 23rd August 2004, 02:06   #11
Kickboy12
Senior Member
 
Join Date: Oct 2003
Location: Bay Area, California
Posts: 242
This isn't an IE exploit. It can affect Firefox too if you're not careful. It's entirely a Winamp exploit, 'cause even in Firefox it will prompt you to download the file, and open it... if you open it, you're affected. :/

The link is dead now, but I'm guessing the exe file just looks to see if mIRC is running, and gets the path, and extracts+runs some mIRC scripts. Classic trojan technique. Really not terribly difficult to make.

[@imho] man
[@imho] I had dreams about unit testing last night :-(
[@sim`a] i have nightmares about syntax errors, whats your point
Old 26th August 2004, 01:12   #12
cerebri
Junior Member
 
Join Date: Aug 2004
Location: Sweden
Posts: 3
This was one nasty little worm.
"Luckily" I found the source of it.. if you would like to check it out it can be found here

[edit -> egg] link removed [/edit]
download it at your own risk.


Hope this can help you ppl in some way...

Last edited by DJ Egg; 26th August 2004 at 23:26.
Old 26th August 2004, 01:18   #13
Franky752
Junior Member
 
Join Date: Aug 2004
Posts: 1
advisory

Here is the exploit used : Winamp <=5.04 Skin File (.wsz) Remote Code Execution Exploit

[edit --> egg] link removed [/edit]

and here is the advisory

http://secunia.com/advisories/12381/

and where is the patch ?

Last edited by DJ Egg; 26th August 2004 at 23:29.
Old 26th August 2004, 01:48   #14
morgado
Major Dude
 
Join Date: Apr 2003
Location: away from my baby
Posts: 1,097
Relax ... just don't download skins for now and wait for 5.05 ...

I Love You Ana Luiza
MSN
Old 26th August 2004, 01:58   #15
cerebri
Junior Member
 
Join Date: Aug 2004
Location: Sweden
Posts: 3
and when will that be? :P
Old 26th August 2004, 04:50   #16
DJ Egg
Techorator
Winamp Team
 
Join Date: Jun 2000
Posts: 35,509
It's not a case of 'not downloading skins'.
You're safe if you download skins from any of:
winamp.com, deviantart.com, 1001winampskins, skins.org, deskmod, etc etc...
You'll probably be safe if you knowingly download any wsz or wal file.
It's when the url is a seemingly unsuspicious link to a .php or .jpg that you've got to worry, because that's currently how the exploit is utilized.

The best thing you could do right now is:
WinME/2k/XP > Windows Folder Options > File Types tab > WSZ > Advanced:
Checkmark: "Confirm open after download"

Repeat for WAL

(Note: Under Win9x, it's 'Edit' instead of 'Advanced')

This will now make Internet Explorer ask if you want to open or save WAL & WSZ files.
Naturally, if you clicked on a link to a jpg or php (or any other extension other than wal or wsz) then you've probably come across the exploit (so it'd probably be wise to click 'Cancel').


For other browsers, you'll need to go into the browser config and change the setting accordingly, eg. for Firefox:

Tools > Options > Downloads tab:
WSZ / WAL > Change Action:
Checkmark: "Save to Disk" (instead of Open...)

Firefox will now prompt you instead of automatically downloading & executing skin files.
Old 26th August 2004, 07:16   #17
will
Nullsoft Newbie (Moderator)
 
Join Date: Mar 2001
Location: Sheffield, England
Posts: 5,568
This issue is fixed for the next version of winamp.

DO NOT PM ME WITH TECH SUPPORT QUESTIONS
Old 26th August 2004, 09:23   #18
cerebri
Junior Member
 
Join Date: Aug 2004
Location: Sweden
Posts: 3
does anyone know what exactly the file in this exploit (1.exe) does? besides installing that mIRC script (or is that everything?)

I'm starting to get real paranoid here ;-)

EDIT : Found also this for those of you who got infected.
http://trojanscan.quakenet.org/?139
Old 26th August 2004, 11:26   #19
DJ Egg
Techorator
Winamp Team
 
Join Date: Jun 2000
Posts: 35,509
Yup. Looks like we'll be getting a 5.05 sooner than we expected...

Basically, we need to shut a few people up
Executable files (exe, scr, bat, pif, com, etc) will no longer be able to run from within wal/wsz skin files.
Old 26th August 2004, 11:31   #20
electricmime
Major Dude
 
Join Date: Mar 2004
Posts: 991
though... isn't 5.05 a little much for one bug...? wouldn't a 5.04a (or b or whatever) be used instead?

or is there going to be something else added (or at least is there supposed to be something else added)

There is no reset button on life... but the graphics kick ass
Old 26th August 2004, 11:49   #21
DJ Egg
Techorator
Winamp Team
 
Join Date: Jun 2000
Posts: 35,509
maybe...
Old 26th August 2004, 11:49   #22
CraigF
Passionately Apathetic
Administrator
 
Join Date: May 2000
Location: Hell
Posts: 5,438
there was talk of some additional updates being included (like the bundling of ml_ipod), but I don't believe these will be included since this is more of a rush-to-fix than a release, yeah, I'd have probably marked it up as a 5.04x rather than a 5.05, but so be it.

Old 26th August 2004, 12:15   #23
shaneh
Major Dude
 
Join Date: Jan 2004
Location: Brisbane, Australia
Posts: 1,193
...Executable files (exe, scr, bat, pif, com, etc) will no longer be able to run from within wal/wsz skin files...


I hope they don't just scan the file for .exes etc as the only security measure. There are many different executable types aside from .exes and .bats etc, it's unlikely they could catch them all.

Even if they did, it won't stop a .htm file executing an existing file (such as c:\windows\calc.exe or a ftp server or something).

Even if they stopped it executing stuff, running arbitrary files in the .htm zone is a security problem - you could for example have a frame which loads up a local file and read it and send it off to a remote site.

Winamp needs to set the security permissions for the web browser object to not allow scripting and various other restrictions.

I've been looking into this stuff myself a bit lately, and have my name attributed to a couple of MS security bulletins with IE so I know what I'm talking about
Old 26th August 2004, 12:30   #24
CraigF
Passionately Apathetic
Administrator
 
Join Date: May 2000
Location: Hell
Posts: 5,438
while I have discussed the same with the previous developers, the general consensus is that you are simply working around the fact that IE is insecure in itself. You are also preventing much of what the <browser> tag was originally included for.

Classic skin files will only unzip those extensions it knows it requires, and are safe. I haven't had time to look at the fix included within 5.05, but I do not assume this to be the same, and rather, as you have pointed out, just a "don't unzip this known BAD filetype". So with that regard, I agree with you. It would be far better to actually only unzip known safe files, than to unzip the other way around (assuming this isn't the case).

Old 26th August 2004, 12:57   #25
shaneh
Major Dude
 
Join Date: Jan 2004
Location: Brisbane, Australia
Posts: 1,193
The main issue here is the fact that HTML effectively taken from the 'Internet' zone is being rendered in the 'Local Machine' zone (or whatever permissions Winamp gives the web browser object).

HTML is unfortunately not safe when run locally, when you start including ActiveX and other scripting. (eg the example I gave of being able to read local files and send them off to a remote server - does not require .exes or special permissions).

I think the real fix is to simply change the mindset of how safe a skin is. If you want 'safe' skins, perhaps they could use a different extension and not allow the 'browser' object. These could be installed without prompt, whereas skins that do allow the browser object should use a different extension and IE should not download such files automatically.

Otherwise, the web browser object should be locked down hard, ie treated in the same way files opened from the 'Temporary Internet Files' directory is in IE - (treated as though they are running in the Internet Zone). This is quite difficult to do well though, but can be done.
Old 26th August 2004, 13:16   #26
Russ
Mostly Harmless
(Alumni)
 
Join Date: Jan 2001
Location: UK
Posts: 2,319
The best way would be for the browser object to have a way to specify the default security zone for everything it opens. But that would be easy.

For long you live and high you fly, but only if you ride the tide, and balanced on the biggest wave you race towards an early grave.
|Musicbrainz|Audioscrobbler|last.fm|
Old 26th August 2004, 13:23   #27
shaneh
Major Dude
 
Join Date: Jan 2004
Location: Brisbane, Australia
Posts: 1,193
Can't you just implement the "IInternetSecurityManager" interface? It lets you map URLs to zones, process URL actions etc.
Old 26th August 2004, 13:30   #28
Russ
Mostly Harmless
(Alumni)
 
Join Date: Jan 2001
Location: UK
Posts: 2,319
I dunno, I've never touched the IE browser object . Nor do I plan to.

For long you live and high you fly, but only if you ride the tide, and balanced on the biggest wave you race towards an early grave.
|Musicbrainz|Audioscrobbler|last.fm|
Old 26th August 2004, 13:39   #29
shaneh
Major Dude
 
Join Date: Jan 2004
Location: Brisbane, Australia
Posts: 1,193
Oh, I thought you were suggesting that there was no such way of doing that. I admit it isn't that simple though, but it does allow a fair bit of flexibility AFAIK.
Old 26th August 2004, 16:09   #30
inthegray
Major Dude
 
Join Date: Sep 2003
Posts: 704
I put up a friendly summary on all the information I've gathered regarding the exploit, on Winamp Unlimited. Feel free to point out any inaccuracies you see.
Old 27th August 2004, 03:21   #31
DJ Egg
Techorator
Winamp Team
 
Join Date: Jun 2000
Posts: 35,509
Thread temporarily locked, moved backstage and edited by admin/mods.
Thread now open again...

All direct links to working examples of the exploit will be removed, so don't bother posting any.

And as already stated, 5.05 fixes this issue and will be available shortly...

Basically, you'll now be prompted before installing any new skin
and only files on a known safelist will be extracted.
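An added example (not Winamp's code, and not the actual 5.05 change, which the thread only describes as extracting "files on a known safelist") of the allowlist extraction that shaneh and CraigF argue for above: it builds a constructed archive standing in for the malicious .wsz and compares what a "known bad filetype" blocklist would write to disk against what an allowlist of skin asset types would. The extension lists, the archive contents and all function names are this example's assumptions; the rejection of absolute and '..' member paths is added hardening the thread does not mention, but any extractor that writes archive members into a temp directory needs it.

```python
"""Allowlist-based skin archive filtering.

Added example, not Winamp's code: the page only says that 5.05 extracts
"files on a known safelist". The extension allowlist, the constructed
archive and the function names below are this example's assumptions.
"""
from __future__ import annotations

import io
import posixpath
import tempfile
import zipfile

# Assumed allowlist: the file types a classic or modern skin legitimately
# carries. Anything not listed is simply never written to disk.
SAFE_EXTENSIONS = frozenset({
    ".bmp", ".png", ".cur", ".txt", ".ini", ".xml", ".maki", ".ttf",
})

# The "known BAD filetype" approach the thread warns against: it only
# catches the types someone remembered to list.
BLOCKED_EXTENSIONS = frozenset({".exe", ".scr", ".bat", ".pif", ".com"})


def _ext(name: str) -> str:
    return posixpath.splitext(name)[1].lower()


def _safe_relative_path(name: str) -> bool:
    """Reject absolute paths, drive letters, '.'/'..' components and
    directory entries, so no member can escape the extraction directory.
    (Added hardening; the thread itself does not discuss path traversal.)
    """
    normalized = name.replace("\\", "/")
    if normalized.startswith("/") or ":" in normalized.split("/")[0]:
        return False
    return all(part not in ("", ".", "..") for part in normalized.split("/"))


def blocklist_filter(names: list[str]) -> list[str]:
    """Extract everything except the listed executable types."""
    return [n for n in names if _ext(n) not in BLOCKED_EXTENSIONS]


def allowlist_filter(names: list[str]) -> list[str]:
    """Extract only listed safe types, and only at safe relative paths."""
    return [n for n in names
            if _safe_relative_path(n) and _ext(n) in SAFE_EXTENSIONS]


def build_constructed_skin() -> bytes:
    """Constructed stand-in for the malicious .wsz; the contents are made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("main.bmp", b"BM")          # legitimate skin bitmap
        zf.writestr("skin.xml", b"<skin/>")     # legitimate modern-skin file
        zf.writestr("1.exe", b"MZ")             # dropper, named as in the thread
        zf.writestr("x.hta", b"<script>")       # executable type a blocklist misses
        zf.writestr("readme.htm", b"<html>")    # HTML that would render locally
        zf.writestr("../../evil.bmp", b"BM")    # allowed type, traversal path
    return buf.getvalue()


def inspect_archive(archive: bytes) -> dict[str, list[str]]:
    """Show what each policy would write to disk for the same archive."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        names = zf.namelist()
    return {
        "blocklist_keeps": blocklist_filter(names),
        "allowlist_keeps": allowlist_filter(names),
    }


def extract_to_tempdir(archive: bytes) -> tuple[str, list[str]]:
    """Extract only allowlisted members into a fresh temp directory."""
    dest = tempfile.mkdtemp(prefix="skin-")
    extracted = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for name in allowlist_filter(zf.namelist()):
            zf.extract(name, dest)
            extracted.append(name)
    return dest, extracted


if __name__ == "__main__":
    report = inspect_archive(build_constructed_skin())
    print("blocklist would extract:", report["blocklist_keeps"])
    print("allowlist would extract:", report["allowlist_keeps"])
```

Run as-is, the blocklist policy still writes `x.hta`, `readme.htm` and the traversal entry to disk, which is shaneh's objection in concrete form; the allowlist policy writes only `main.bmp` and `skin.xml`. The install prompt DJ Egg mentions is a separate control and is not modelled here.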
Old 27th August 2004, 04:11   #32
Kyllian
Member
 
Join Date: Sep 2003
Location: In the lab, overclocking hamsters
Posts: 78
S'pose you could tell us what else will be fixed/changed in 5.05?

Old 27th August 2004, 04:27   #33
DJ Egg
Techorator
Winamp Team
 
Join Date: Jun 2000
Posts: 35,509
No, not much else really, seeing 5.04 was supposed to be the last build for a while...

Latest JTFE
plus a couple of other minor bugfixes
Old 27th August 2004, 04:32   #34
Kyllian
Member
 
Join Date: Sep 2003
Location: In the lab, overclocking hamsters
Posts: 78
Ok.

And in an effort to spread some good news, I posted your temp fix/suggestion/etc(IE File Association tweak) on a few other forums(and that 5.05 would be somewhat soon to perma-fix)

Old 27th August 2004, 06:27   #35
dlinkwit27
has no CT
(Forum King)
 
Join Date: Sep 2000
Posts: 13,232
Quote:
Originally posted by electricmime
though... isnt 5.05 a little much for one bug...? wouldnt a 5.04a(or b or whatever) be used instead?

or is there going to be something else added (or at least is there supposed to be something else added)
Ya know, as long as they fix what can be exploited, I really don't give two shits what they call it. Maybe I'm just weird like that though.
Old 27th August 2004, 07:15   #36
Kyllian
Member
 
Join Date: Sep 2003
Location: In the lab, overclocking hamsters
Posts: 78
Hey, as long as it works

Old 27th August 2004, 07:45   #37
electricmime
Major Dude
 
Join Date: Mar 2004
Posts: 991
Quote:
Originally posted by dlinkwit27
Ya know, as long as they fix what can be exploited, I really don't give two shits what they call it. Maybe I'm just weird like that though.

I wasn't criticizing what they called it, I was asking if they knew of more things being added, because in the past, haven't bug fixes been titled with a's and b's.. though this is a pretty big exploit, so maybe they are doing a 5.05 to show and advertise an upgraded, fixed version (compared to the sub-letters which probably wouldn't get as much attention by those not already aware of the exploit)

There is no reset button on life... but the graphics kick ass
Old 27th August 2004, 09:36   #38
CraigF
Passionately Apathetic
Administrator
 
Join Date: May 2000
Location: Hell
Posts: 5,438
5.05 should be out some time today.

It includes the following, maybe more since I last looked:

1) skin exploit fix
2) wmv upside down video fixes
3) aacp streaming fixes (no, not mp4, sorry HA, its still planned)
4) latest jtfe.

It does not include:

1) mlipod
2) single UI skin.

[edit: updated as below]

Old 27th August 2004, 10:17   #39
Cianca
Senior Member
 
Join Date: Mar 2002
Posts: 336
new version include SINGLE UI SKIN???? (i love it)

The universal god of light, love, wisdom and rok n rol
Old 27th August 2004, 11:03   #40
will
Nullsoft Newbie (Moderator)
 
Join Date: Mar 2001
Location: Sheffield, England
Posts: 5,568
No. This, hopefully, will be in the ipod bundle. Which should be in just over a months time.

DO NOT PM ME WITH TECH SUPPORT QUESTIONS