Nullsoft Winamp 5.581 (wnaspi32.dll) DLL Hijacking Exploit

2010-08-26T00:00:00
ID ZSL-2010-4958
Type zeroscience
Reporter Gjoko Krstic
Modified 2010-08-26T00:00:00

Description

Title: Nullsoft Winamp 5.581 (wnaspi32.dll) DLL Hijacking Exploit
Advisory ID: ZSL-2010-4958
Type: Local/Remote
Impact: System Access
Risk: (4/5)
Release Date: 26.08.2010

Summary

Winamp is a media player for Windows-based PCs, written by Nullsoft, now a subsidiary of AOL. It is proprietary freeware/shareware, multi-format, extensible with plug-ins and skins, and is noted for its graphical sound visualization, playlist, and media library features.

Description

Winamp 5.581 suffers from a DLL hijacking vulnerability that enables an attacker to execute arbitrary code on a local level. The vulnerable file extensions are .669, .aac, .aiff, .amf, .au, .avr, .b4s, .caf and .cda, through the wnaspi32.dll and dwmapi.dll libraries.
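A defensive check for the condition described above, added here as an example and not part of the original advisory or its PoC: it walks a directory tree and reports any file named wnaspi32.dll or dwmapi.dll that sits in the same folder as media with one of the listed extensions. It assumes the usual pattern for this class of issue, where the library is picked up from the directory of the opened file; the function names, the `trusted_dirs` parameter and the sample tree are constructed for illustration.

```python
import os
import tempfile

# Library names and file extensions taken from the advisory text.
DLL_NAMES = {"wnaspi32.dll", "dwmapi.dll"}
MEDIA_EXTS = {".669", ".aac", ".aiff", ".amf", ".au", ".avr", ".b4s", ".caf", ".cda"}


def find_planted_dlls(root, trusted_dirs=()):
    """Return sorted (dll_path, media_files) pairs for each folder under root
    where a DLL named in the advisory sits beside media of an affected type.
    trusted_dirs (hypothetical parameter) lists folders to skip, for example
    an application's own install directory."""
    trusted = {os.path.normcase(os.path.abspath(d)) for d in trusted_dirs}
    findings = []
    for dirpath, _subdirs, files in os.walk(root):
        if os.path.normcase(os.path.abspath(dirpath)) in trusted:
            continue
        # Windows file names are case-insensitive, so compare in lower case.
        dlls = sorted(f for f in files if f.lower() in DLL_NAMES)
        media = sorted(f for f in files
                       if os.path.splitext(f)[1].lower() in MEDIA_EXTS)
        if dlls and media:
            findings.extend((os.path.join(dirpath, d), media) for d in dlls)
    return sorted(findings)


def build_sample_tree(base):
    """Constructed sample: one suspicious folder, one clean media folder,
    and one folder holding a matching DLL name but no affected media."""
    layout = {
        "share/album": ["track01.aac", "WNASPI32.DLL", "cover.jpg"],
        "share/clean": ["song.aiff", "notes.txt"],
        "tools": ["dwmapi.dll", "readme.txt"],
    }
    for rel, names in layout.items():
        folder = os.path.join(base, *rel.split("/"))
        os.makedirs(folder)
        for name in names:
            open(os.path.join(folder, name), "wb").close()
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for dll, media in find_planted_dlls(build_sample_tree(tmp)):
            print("REVIEW:", dll, "beside", ", ".join(media))
```

Pointing `root` at download folders, removable media and network shares covers the locations from which a media file is typically opened.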

Vendor

Nullsoft - <http://www.winamp.com>

Affected Version

5.581 (x86)

Tested On

Microsoft Windows XP Professional SP3 (English)

Vendor Status

N/A

PoC

winamp_dll.c

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] <http://www.exploit-db.com/exploits/14789>
[2] <http://www.packetstormsecurity.org/filedesc/winamp_dll.txt.html>
[3] <http://securityreason.com/exploitalert/8771>
[4] <http://www.vupen.com/english/advisories/2010/2195>
[5] <http://www.corelan.be:8800/index.php/2010/08/25/dll-hijacking-kb-2269637-the-unofficial-list/>
[6] <http://www.exploit-db.com/dll-hijacking-vulnerable-applications/>
[7] <http://osvdb.org/show/osvdb/67532>
[8] <http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-3137>
[9] <http://www.securityfocus.com/bid/42747>
[10] <https://hacking-etico.com/2015/07/15/dll-hijacking-comprobando-la-vulnerabilidad/#more-4581>

Changelog

[26.08.2010] - Initial release
[27.08.2010] - Added reference [1], [2], [3], [4], [5] and [6]
[28.08.2010] - Added reference [7]
[31.08.2010] - Added reference [8]
[02.09.2010] - Added reference [9]
[13.01.2018] - Added reference [10]

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: lab@zeroscience.mk

                                        