Winamp bug leaves back door open

Security hole leaves potential opening for Trojan horses, viruses, or other forms of malicious code

A flaw in an early version of the popular MP3 player Winamp allows an attacker who can get a crafted playlist file opened on a victim's computer to run code of their choosing on it, according to an advisory posted to the BugTraq security mailing list.

Steve Fewer of US-based Babylon Security posted an advisory to BugTraq on Sunday explaining that a stack-based buffer overflow in Winamp can be exploited to execute arbitrary code on a user's computer. That potentially leaves an opening for Trojan horses, viruses or other forms of malicious code to make their way onto a user's PC.

The flaw is reported only in Winamp 2.10, a relatively early version of the very successful MP3 ripper and player, and since Winamp is a Windows program it affects only computers running Windows. It nevertheless provides a significant route into many computers worldwide.

According to Fewer, the overflow occurs when Winamp reads an over-long entry from a .pls file. These are "playlist" files that Winamp users often exchange, which makes them a convenient way in for a cracker: a malicious playlist looks like any other, and loading it in the vulnerable version is enough to trigger the overflow. As Fewer notes, "This is unnerving as it is a feasible plan to trade playlists on IRC during an MP3 trading session with someone."
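The kind of flaw Fewer describes, shown in C as an added illustration that is not Winamp's code, Nullsoft's code or Fewer's advisory: a playlist loader that copies the File<n>= path of a .pls entry into a fixed-size stack buffer without checking its length, beside a hardened loader that refuses any entry that does not fit. The 256-byte buffer, the choice of the File<n>= field and both sample playlists are assumptions constructed for this example; the article does not say where in Winamp the overflow lies or how much data triggers it.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size of the fixed stack buffer that receives a File<n>= path; the
   article does not give Winamp's real size, so 256 is illustrative. */
#define PATH_BUF 256

/* The vulnerable pattern (illustrative, not Winamp's code): the File<n>= value
   is copied into a fixed stack buffer with no length check, so a value longer
   than PATH_BUF-1 bytes overwrites what follows `path` on the stack, including
   the saved return address. Only ever called on benign input here. */
int load_entry_unsafe(const char *line)
{
    char path[PATH_BUF];
    const char *eq;
    if (strncmp(line, "File", 4) != 0)
        return 0;                   /* not a File<n>= line */
    if ((eq = strchr(line, '=')) == NULL)
        return -1;                  /* malformed */
    strcpy(path, eq + 1);           /* BUG: unbounded copy into a stack buffer */
    return (int)strlen(path);
}

/* Hardened version: takes pointer + length (no NUL needed) and rejects a value
   that does not fit instead of truncating it. Returns 1 if a path was loaded,
   0 if the line is not a File<n>= entry, -1 if it is malformed or too long. */
int load_entry_safe(const char *line, size_t len, char *out, size_t outsz)
{
    const char *eq; size_t n;
    if (len < 5 || memcmp(line, "File", 4) != 0)
        return 0;
    if ((eq = memchr(line, '=', len)) == NULL)
        return -1;
    n = (size_t)((line + len) - (eq + 1));
    if (n == 0 || n >= outsz)
        return -1;                  /* empty, or would not fit: refuse it */
    memcpy(out, eq + 1, n);
    out[n] = '\0';
    return 1;
}

/* Walk a .pls text line by line. Returns the number of File<n>= entries loaded,
   or -1 as soon as one is rejected, so one bad line aborts the whole load. */
int parse_pls(const char *text, size_t textlen)
{
    const char *p = text, *end = text + textlen;
    int entries = 0;
    while (p < end) {
        const char *nl = memchr(p, '\n', (size_t)(end - p));
        size_t len = nl ? (size_t)(nl - p) : (size_t)(end - p);
        char path[PATH_BUF]; int r;
        if (len > 0 && p[len - 1] == '\r')
            len--;                  /* tolerate CRLF line endings */
        if ((r = load_entry_safe(p, len, path, sizeof path)) < 0)
            return -1;
        entries += r;
        p = nl ? nl + 1 : end;
    }
    return entries;
}

/* Constructed sample: a harmless two-entry playlist. */
const char BENIGN_PLS[] =
    "[playlist]\r\n"
    "NumberOfEntries=2\r\n"
    "File1=http://radio.example.invalid/stream.mp3\r\n"
    "Title1=Example stream\r\n"
    "File2=C:\\Music\\track02.mp3\r\n"
    "Version=2\r\n";

/* Constructed sample: a playlist whose File1= value is value_len bytes of 'A'.
   Returns the bytes written, or 0 if buf is too small. */
size_t build_long_pls(char *buf, size_t bufsz, size_t value_len)
{
    const char head[] = "[playlist]\nNumberOfEntries=1\nFile1=";
    const char tail[] = "\nVersion=2\n";
    size_t need = (sizeof head - 1) + value_len + (sizeof tail - 1);
    if (need + 1 > bufsz)
        return 0;
    memcpy(buf, head, sizeof head - 1);
    memset(buf + (sizeof head - 1), 'A', value_len);
    memcpy(buf + (sizeof head - 1) + value_len, tail, sizeof tail); /* NUL too */
    return need;
}

/* 1 if parse_pls rejects a playlist whose File1= value is value_len bytes long. */
int long_entry_rejected(size_t value_len)
{
    char buf[4096];
    size_t n = build_long_pls(buf, sizeof buf, value_len);
    return n != 0 && parse_pls(buf, n) == -1;
}

int main(void)
{
    printf("benign: %d entries; 600-byte path rejected: %d\n",
           parse_pls(BENIGN_PLS, sizeof BENIGN_PLS - 1), long_entry_rejected(600));
    return 0;
}
```

The hardened loader fails closed: a single entry longer than the buffer makes parse_pls drop the whole playlist rather than load the rest, which is the file-level equivalent of the precaution of not opening playlists from strangers. The boundary is exact, since a 255-byte path still fits with its terminator while a 256-byte one is refused.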

Andrew Cormack, head of Janet Security CERT (Computer Emergency Response Team), confirms that this appears to be a serious security hole. "It looks like it allows you to upload any program, then it is down to how good the security is between different users. On Windows 95 there isn't any, and on NT there is. But I don't know whether Winamp has any extra permissions."

Cormack explains that the exploit does, however, require a certain amount of cooperation from the user, adding, "What it is saying is that it can be exploited by convincing someone to download and install a playlist. It's in the same category as viruses in this sense." He said a simple precaution would be not to download and open unknown playlists.

Winamp is a freeware application produced by the Nullsoft development team. No information about the flaw has yet been posted to the Winamp/Nullsoft Web site, and the BugTraq posting reports that no patch to remedy it is known.

Nullsoft was not available for comment.