Winamp 5.12 “play list file” 0day [PATCHED]

a vulnerability for winamp 5.12 was released today (full disclosure mode):
bugtraq

a specially crafted winamp play list file can be used for remote exploitation (i will never understand why such vulnerabilities are called remote).

“the current version of winamp contains an error in its playlist parsing allowing malicious users to execute code via a prepared playlist.”

the poc code suggests using an iframe on a web site linking to the specially crafted file as a possible attack vector.

most people don’t believe a worm is very likely, but i wouldn’t completely rule it out yet.

there are several reasons why a worm potentially could be riskier than the usual mass mailers we see:

1. how many organizations filter email attachments by eliminating known bads rather than allowing known goods? this is a (somewhat) new bad.

2. the social engineering effect should not be dismissed:
- people love clicking.. which we know.
- people get mp3s in email often, or at least are not surprised when once in a blue moon they do.
- the social engineering effect of the above two points is: hey! new mp3! (i.e. cool mp3/winamp icon).

i wouldn’t rule it out so quickly… although…

some clients won’t show icons… nothing we haven’t seen before with mass mailers and something people may not bother with…

but it is more than just a possibility and should be taken into account. after all, we have seen what a worm designed only to affect one brand of personal firewall did (witty, anyone?).

winamp vulnerabilities of the past have not been that successful for massive exploitation, though, so in my opinion all bets are still open on this one.

a simple way to avert this until a patch is available would be to remove (or change) the file associations for .pls and .m3u.
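As an added example (not from the original post or from Winamp), the following PowerShell script audits the shell associations for .pls and .m3u in both the machine-wide and per-user class hives and, with -Remediate, re-points any Winamp-owned association at Notepad's ProgID so a delivered playlist opens as text instead of being parsed by the vulnerable plugin. It assumes an elevated shell and identifies Winamp's ProgIDs by the substring "Winamp" (a placeholder match, not a documented name).

```powershell
# Added example: audit / change the .pls and .m3u file associations.
# Assumptions: elevated PowerShell (HKCR writes need admin); Winamp's playlist
# ProgIDs contain the substring "Winamp" (placeholder match).
param(
    [switch]$Remediate
)

$extensions = @('.pls', '.m3u')
# Per-user classes override HKCR, so both hives must be checked.
$hives      = @('Registry::HKEY_CLASSES_ROOT', 'Registry::HKEY_CURRENT_USER\Software\Classes')
$safeProgId = 'txtfile'   # Notepad; any non-player ProgID would do

foreach ($hive in $hives) {
    foreach ($ext in $extensions) {
        $key = Join-Path $hive $ext
        if (-not (Test-Path $key)) {
            Write-Output "$key : no association"
            continue
        }

        $progId = (Get-ItemProperty -Path $key).'(default)'
        Write-Output "$key : handled by '$progId'"

        if ($progId -like '*Winamp*') {
            if (-not $Remediate) {
                Write-Warning "$ext in $hive still opens with Winamp; rerun with -Remediate"
                continue
            }
            try {
                # Keep the old ProgID so the association can be restored after patching.
                New-ItemProperty -Path $key -Name 'PrePatchProgIdBackup' -Value $progId `
                    -PropertyType String -Force -ErrorAction Stop | Out-Null
                Set-ItemProperty -Path $key -Name '(default)' -Value $safeProgId -ErrorAction Stop
                Write-Output "$key : re-pointed to '$safeProgId' (backup saved)"
            } catch {
                Write-Warning "$key : could not change association: $($_.Exception.Message)"
            }
        }
    }
}
```

Once the patched plugin or 5.13 is installed, the saved PrePatchProgIdBackup value lets you restore the original association.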

update from the winamp development team:
(thanks, keith!)

yes, we know about it and it’s already been fixed :-)

here is the patched in_mp3.dll for 5.12
http://www.winamp.com/in_mp3.dll

this url will be removed once a new client with this fix has been released.

(place in_mp3.dll in the winamp\plugins folder)

there’ll be a 5.13 released shortly, which will be exactly the same as 5.12 but with the patched in_mp3 included.

there’ll be a separate patched in_mp3.dll included with the next public release of 5.2 beta (http://forums.winamp.com/showthread.php?s=&threadid=236311), also hopefully today.

gadi evron,
ge@beyondsecurity.com.

  • Nox

    FrSIRT posted good workarounds:

    http://www.frsirt.com/english/advisories/2006/0361

    ...until a patch is available!

    Nox

  • http://www.BeyondSecurity.com noam

    Where exactly do you see in the link a workaround?

    Solution… The FrSIRT is not aware of any official supplied patch for this issue.

  • Nox

    probably removed as winamp released the fix.

    version 5.13 is now available from http://www.winamp.com/player/

    If all vendors patch their products as quickly as winamp, we will be in a perfect world :-)

    Nox

  • http://BeyondSecurity.com ido

    It's nice to have a fix, but if most users were aware that they actually need to fix things, then the world would be better (but far from perfect).

  • tanuki

    What do you consider being user stupidity in this case?

  • nick_name

    “A specially crafted Winamp play list file can be used for remote exploitation (I will never understand why such vulnerabilities are called remote).”

    this is because a website can host a PLS file, and the browser, upon receiving one, will pass it to the media player or winamp, which will trigger the vuln.