Threat Level: green Handler on Duty: Jan Kopriva

SANS ISC: Winamp 5.x Remote Code Execution via Playlists SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Winamp 5.x Remote Code Execution via Playlists
While we're on the topic of audio software, there's a 0-day exploit out today for Winamp 5.12 that allows
remote code execution via a crafted playlist (.pls) file.  The proof-of-concept exploit suggests using an
iframe to trigger a 'drive-by' attack on anyone unlucky enough to visit a website containing a malicious
iframe; say, third-party advertisers and forum websites--the usual vectors for this sort of thing.
Secunia's got a nice writeup of it here. 

Our friends over at FrSIRT have posted a workaround in their advisory on the issue:
To prevent opening malicious files automatically, FrSIRT recommends :

Disabling the "audio/scpls" and "audio/mpegurl" MIME Types in Internet Explorer by deleting or renaming the following registry keys :

And disassociating the "pls" and "m3u" file extensions in Windows :

- Launch Windows Explorer
- On the Tools Menu select "Folder Options"
- Select the "File Types" tab
- Scroll to find the PLS and M3U file extensions and then press the "Delete" button

21 Posts
Jan 30th 2006

Sign Up for Free or Log In to start participating in the conversation!