Today I was poking around the source of Xine, the well-known media player. During the course of this poking I spotted that Xine has skin support - something I've been blissfully ignorant of for many years.
How do these skins work? You bring up the skin-browser, by default this is achieved by pressing "Ctrl-d". The browser will show you previews of the skins available, and allow you to install them.
How does Xine know what skins are available? It downloads the contents of:
NOTE: This is an insecure URL.
The downloaded file is a simple XML thing, containing references to both preview-images and download locations.
For example the theme "Sunset" has the following details:
- Download link: http://xine.sourceforge.net/skins/Sunset.tar.gz
- Preview link: http://xine.sourceforge.net/skins/Sunset.png
if you choose to install the skin the Sunset.tar.gz file is downloaded, via HTTP, extracted, and the shell-script doinst.sh is executed, if present.
So if you control DNS on your LAN you can execute arbitrary commands if you persuade a victim to download your "corporate xine theme".
Probably a low-risk attack, but still a surprise.