
SANS ISC: Winamp 5.x Remote Code Execution via Playlists SANS ISC InfoSec Forums

Winamp 5.x Remote Code Execution via Playlists
While we're on the topic of audio software, there's a 0-day exploit out today for Winamp 5.12 that allows
remote code execution via a crafted playlist (.pls) file.  The proof-of-concept exploit suggests using an
iframe to trigger a 'drive-by' attack on anyone unlucky enough to visit a website containing a malicious
iframe; say, third-party advertisers and forum websites--the usual vectors for this sort of thing.
Secunia's got a nice writeup of it here. 

Our friends over at FrSIRT have posted a workaround in their advisory on the issue:
To prevent opening malicious files automatically, FrSIRT recommends:

Disabling the "audio/scpls" and "audio/mpegurl" MIME Types in Internet Explorer by deleting or renaming the following registry keys:

And disassociating the "pls" and "m3u" file extensions in Windows:

- Launch Windows Explorer
- On the Tools Menu select "Folder Options"
- Select the "File Types" tab
- Scroll to find the PLS and M3U file extensions and then press the "Delete" button
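
A defender-side check for the delivery vector described above, added here as an example (not code from this diary, Secunia or FrSIRT): it scans HTML such as forum posts or ad markup for elements that load a playlist without a click. The element list, function names and sample page are assumptions of this example; it sees only URL extensions and declared types, not the Content-Type a server actually returns.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions and MIME types named in the workaround above.
PLAYLIST_EXTS = (".pls", ".m3u")
PLAYLIST_MIMES = {"audio/scpls", "audio/mpegurl"}
# Assumption: elements that make a browser fetch a resource with no user click.
AUTOLOAD_ATTRS = {"iframe": "src", "frame": "src", "embed": "src", "object": "data"}

class PlaylistAutoloadFinder(HTMLParser):
    """Collect elements that would auto-load a playlist resource."""
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, url, reason)

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lowercases tag and attribute names.
        if tag not in AUTOLOAD_ATTRS:
            return
        a = {k: (v or "") for k, v in attrs}
        url = a.get(AUTOLOAD_ATTRS[tag], "").strip()
        mime = a.get("type", "").strip().lower()
        # Compare only the URL path so "?x=1" or "#frag" cannot hide the extension.
        path = urlparse(url).path.lower()
        if path.endswith(PLAYLIST_EXTS):
            reason = "playlist extension"
        elif mime in PLAYLIST_MIMES:
            reason = "playlist MIME type"
        else:
            return
        self.findings.append((self.getpos()[0], tag, url, reason))

def find_playlist_autoloads(html):
    finder = PlaylistAutoloadFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page (not taken from any real site).
SAMPLE = """<html><body>
<iframe src="http://ads.example/banner.html"></iframe>
<IFRAME SRC="http://media.example/list.PLS?id=7" width="0" height="0"></IFRAME>
<embed type="audio/mpegurl" src="http://media.example/stream">
<a href="http://media.example/radio.m3u">listen</a>
</body></html>"""

if __name__ == "__main__":
    for line, tag, url, reason in find_playlist_autoloads(SAMPLE):
        print(f"line {line}: <{tag}> loads {url} ({reason})")
```

The plain link to a playlist is not reported, since it requires a click; only the auto-loading elements are.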
