Winamp 5.12 “play list file” 0day [PATCHED]
January 30th, 2006 by SecuriTeam, Filed under: Commentary, Digest, Microsoft, Virus, Web
a vulnerability for winamp 5.12 was released today (full disclosure mode):
bugtraq
a specially crafted winamp play list file can be used for remote exploitation (i will never understand why such vulnerabilities are called remote).
“the current version of winamp contains an error in its playlist parsing allowing malicious users to execute code via a prepared playlist.”
the poc code suggests using an iframe on a web site linking to the specially crafted file as a possible attack vector.
most people don’t believe a worm is very likely, but i wouldn’t completely rule it out yet.
there are several reasons why a worm potentially could be riskier than the usual mass mailers we see:
1. how many organizations filter email attachments by eliminating known bads rather than allowing known goods? this is a (somewhat) new bad.
2. the social engineering effect should not be dismissed:
- people love clicking.. which we know.
- people get mp3s in email often, or at least are not surprised when once in a blue moon they do.
- the social engineering effect of the above two points is: hey! new mp3! (i.e. cool mp3/winamp icon).
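to make point 1 concrete, here is an added example (not code from the original post) contrasting a "block known bads" attachment filter with an "allow known goods" one. the extension lists and the sample attachment names are constructed for illustration; the point is that a new bad type such as a playlist file sails through the first policy and is stopped by the second.

```python
# Added example (not from the original post): why a "block known bads" attachment
# filter lets a new bad file type through, while an "allow known goods" filter does not.
# The extension lists and sample attachments below are constructed for illustration.
from pathlib import PurePosixPath

# A typical denylist of executable attachment types of the era. Playlist files are
# absent because, before this advisory, nobody treated them as dangerous.
DENYLIST = {".exe", ".scr", ".pif", ".bat", ".cmd", ".com", ".vbs", ".js"}

# An allowlist of the types an organisation actually needs to receive by email.
ALLOWLIST = {".txt", ".pdf", ".doc", ".xls", ".jpg", ".png"}


def attachment_extension(filename: str) -> str:
    """Return the last extension, lower-cased, so 'SONG.PLS' and 'song.pls' match."""
    return PurePosixPath(filename).suffix.lower()


def denylist_filter(filename: str) -> bool:
    """Accept anything that is not explicitly known bad (default: deliver)."""
    return attachment_extension(filename) not in DENYLIST


def allowlist_filter(filename: str) -> bool:
    """Accept only explicitly known good types (default: block)."""
    return attachment_extension(filename) in ALLOWLIST


def filter_mailbox(attachments, policy):
    """Split a batch of attachment names into (delivered, blocked) under a policy."""
    delivered = [a for a in attachments if policy(a)]
    blocked = [a for a in attachments if not policy(a)]
    return delivered, blocked


# Constructed sample batch: ordinary mail plus the two playlist types named in the post.
SAMPLE_ATTACHMENTS = [
    "report.pdf", "holiday.jpg", "invoice.exe", "new_song.pls", "mix.M3U",
]

if __name__ == "__main__":
    for name, policy in (("denylist", denylist_filter), ("allowlist", allowlist_filter)):
        delivered, blocked = filter_mailbox(SAMPLE_ATTACHMENTS, policy)
        print(f"{name}: delivered={delivered} blocked={blocked}")
```

running it shows the denylist delivering both playlist files while blocking only the .exe, and the allowlist blocking all three; the extension comparison is case-insensitive so an upper-case .M3U does not slip past either policy.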
i wouldn’t rule it out so quickly… although…
some clients won’t show icons… nothing we haven’t seen before with mass mailers and something people may not bother with…
but it is more than just a possibility and should be taken into account. after all, we have seen what a worm designed only to affect one brand of personal firewall did (witty, anyone?).
winamp vulnerabilities of the past have not been that successful for massive exploitation, though, so in my opinion all bets are still open on this one.
a simple way to avert this until a patch is available would be to remove (or change) the file associations for .pls and .m3u.
update from the winamp development team:
(thank keith!)
yes, we know about it and it’s already been fixed
here is the patched in_mp3.dll for 5.12
http://www.winamp.com/in_mp3.dll
this url will be removed once a new client with this fix has been released. (place in_mp3.dll in the winamp\plugins folder)
there'll be a 5.13 released shortly, which will be exactly the same as 5.12 but with the patched in_mp3 included.
there'll be a separate patched in_mp3.dll included with the next public release of 5.2 beta (http://forums.winamp.com/showthread.php?s=&threadid=236311), also hopefully today.
gadi evron,
ge@beyondsecurity.com.