Winamp - Buffer Overflow In IN_CDDA.dll

From: Brett Moore (brett.moore_at_SECURITY-ASSESSMENT.COM)
Date: 11/23/04

    Date:         Tue, 23 Nov 2004 13:14:13 +1300
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    ========================================================================
    = Winamp - Buffer Overflow In IN_CDDA.dll
    =
    = Vendor Update:
    = http://www.winamp.com/player/
    =
    = Affected Software:
    = Winamp 5.05 (only version tested)
    =
    = Public disclosure on November 23, 2004
    ========================================================================

    == Overview ==

    In this time of responsible vulnerability disclosure, it is a little
    disturbing when a vendor acts on disclosed information but gives no
    recognition, or even notification, that an update has been created as a
    result of the information passed to it.

    This advisory is a little late: the update was posted to the vendor
    website last week. The only reason I know this is that I asked and
    received a response.
    ------------------------------------------------------------------------

    hi brett

    the problem was fixed in the latest release of winamp.
    version 5.06 went live on the site last Thursday.

    thanks

    jonathan ward

    ------------------------------------------------------------------------

    But enough of that; we know the game and still choose to play.

    We discovered a remotely exploitable stack-based buffer overflow in
    Winamp version 5.05. Earlier versions may also be vulnerable, and we
    recommend that all users upgrade to the latest version.

    The overflow can be triggered in various ways, but the most dangerous is
    through a malformed .m3u playlist file. When such a file is hosted on a
    web site, it is downloaded automatically and opened in Winamp without
    any user interaction beyond following the link. That alone is enough to
    cause the overflow, which lets a malicious playlist overwrite EIP and
    execute arbitrary code.

    == Exploitation ==

    When Winamp opens the malformed playlist file, a first exception occurs
    inside IN_CDDA.dll:

    First Chance Exception in winamp.exe (IN_CDDA.DLL) : Access Violation
    At this location
    00A49BE8 88 4C 04 30    mov byte ptr [esp+eax+30h],cl

    The faulting instruction is a byte-wise store into a stack buffer at
    ESP+30h, indexed by EAX, which is consistent with a loop that copies a
    string up to its terminator with no check against the size of the
    destination. Winamp handles this exception, and execution continues
    until a second exception is raised at this location:

    61616161 ???

    with the registers looking like:

    EAX = 0012A5D8   EBX = 0012C024
    ECX = 61616161   EDX = 77F96DAE
    ESI = 0012A600   EDI = 0046B9E0
    EIP = 61616161   ESP = 0012A540
    EBP = 0012A560   EFL = 00210246

    As can be seen, EIP has been overwritten with a value supplied through
    the malformed playlist file, 0x61616161 (the bytes "aaaa"), and since
    more playlist-supplied data sits at the address held in EDI, execution
    of attacker-controlled code is possible: pointing EIP at, for example,
    a call edi or jmp edi instruction in a loaded module would transfer
    control into that data. Note that a run of identical bytes such as
    "aaaa" does not reveal which four bytes of the file landed in EIP; a
    cyclic pattern with unique four-byte windows does.
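
    To make the mechanics above concrete, the following C program is an added
    example; it is not code from the advisory, from Winamp or from Nullsoft,
    and the real IN_CDDA.dll routine is not shown on this page. It models the
    bug class with a hypothetical entry handler (the 260-byte buffer size is
    an assumption), puts the hardened form beside it, builds a constructed
    playlist of the kind described, and shows why a cyclic pattern, rather
    than the run of 'a' bytes that produced EIP = 0x61616161, identifies
    which four bytes of the file reached EIP.

```c
/* Added example (not code from the advisory, Winamp or Nullsoft): models the
 * bug class with a hypothetical handler and maps a crash EIP back to a file offset. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define ENTRY_BUF 260   /* assumption: a MAX_PATH-sized stack buffer */

/* Hypothetical vulnerable handler. Never called below: a line longer than
 * ENTRY_BUF overwrites the saved return address (undefined behaviour). */
void handle_entry_vuln(const char *line)
{
    char path[ENTRY_BUF];
    strcpy(path, line);                 /* unbounded copy into the frame */
    printf("opening %s\n", path);
}

/* Hardened form: bounded copy, returns 0 on success and -1 on rejection. */
int handle_entry_safe(const char *line, size_t linelen, char *path, size_t pathsz)
{
    if (linelen >= pathsz) return -1;   /* reject, do not silently truncate */
    memcpy(path, line, linelen);
    path[linelen] = '\0';
    return 0;
}

/* Walks an .m3u held in memory line by line, skipping '#' directive lines,
 * and returns how many entries the hardened handler rejected. */
int parse_m3u(const char *buf, size_t len)
{
    int rejected = 0;
    for (size_t i = 0; i < len;) {
        const char *nl = memchr(buf + i, '\n', len - i);
        size_t n = nl ? (size_t)(nl - (buf + i)) : len - i;
        size_t l = (n && buf[i + n - 1] == '\r') ? n - 1 : n;
        char path[ENTRY_BUF];
        if (l && buf[i] != '#' && handle_entry_safe(buf + i, l, path, sizeof path))
            rejected++;
        i += n + 1;
    }
    return rejected;
}

/* Cyclic pattern in the Metasploit Aa0Aa1... style: every 4-byte window is
 * unique within the first 20280 bytes, which a run of 'a' bytes is not. */
size_t pattern_create(char *out, size_t len)
{
    size_t n = 0;
    for (char u = 'A'; u <= 'Z' && n < len; u++)
        for (char l = 'a'; l <= 'z' && n < len; l++)
            for (char d = '0'; d <= '9' && n < len; d++) {
                const char trip[3] = { u, l, d };
                for (int k = 0; k < 3 && n < len; k++)
                    out[n++] = trip[k];
            }
    return n;
}

/* x86 is little-endian, so the EIP the debugger prints (0x61616161 above) is
 * the four file bytes "aaaa" in order. Returns their offset in the pattern,
 * or -1 if the word never occurs in it (as "aaaa" does not). */
long pattern_offset(const char *pat, size_t len, uint32_t eip)
{
    char needle[4];
    for (int k = 0; k < 4; k++) needle[k] = (char)(eip >> (8 * k));
    for (size_t i = 0; i + 4 <= len; i++)
        if (memcmp(pat + i, needle, 4) == 0)
            return (long)i;
    return -1;
}

/* Constructed malformed playlist: header, one benign entry, then one entry of
 * patlen pattern bytes. Returns the rejected-entry count from parse_m3u. */
int demo_playlist(size_t patlen)
{
    const char head[] = "#EXTM3U\r\nC:\\music\\track01.mp3\r\n";
    size_t n = sizeof head - 1;
    char *pl = malloc(n + patlen + 2);
    memcpy(pl, head, n);
    n += pattern_create(pl + n, patlen);
    pl[n++] = '\r';
    pl[n++] = '\n';
    int rejected = parse_m3u(pl, n);
    free(pl);
    return rejected;
}

/* The word x86 would load into EIP from the 4 pattern bytes at 'off'. */
uint32_t demo_word(size_t off)
{
    unsigned char pat[4096];
    pattern_create((char *)pat, sizeof pat);
    return (uint32_t)pat[off] | (uint32_t)pat[off + 1] << 8 |
           (uint32_t)pat[off + 2] << 16 | (uint32_t)pat[off + 3] << 24;
}

/* Offset within a 4096-byte pattern of the bytes behind a crash EIP. */
long demo_eip(uint32_t eip)
{
    char pat[4096];
    return pattern_offset(pat, pattern_create(pat, sizeof pat), eip);
}
```

    demo_playlist(2000) returns 1 because the hardened handler refuses the
    2000-byte entry that the unbounded strcpy would have copied into a
    260-byte frame, while a 259-byte entry is still accepted (the check is
    >= rather than >, leaving room for the terminator). demo_eip(0x61616161)
    returns -1, since no four consecutive 'a' bytes occur in the pattern; feed
    it the EIP value read from the debugger after triggering the crash with a
    pattern-filled entry instead, and the result is the offset in the playlist
    at which the saved return address sits, which is what an exploit must
    control.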

    == Solutions ==

    - Upgrade to Winamp 5.06 or later from the vendor site
      (http://www.winamp.com/player/); the vendor states that 5.06 fixes
      this issue.
    - Until the upgrade is in place, do not let the browser hand .m3u
      playlists to Winamp automatically (remove or change the .m3u file
      association), since that no-interaction path is the attack vector
      described above.

    == Credit ==

    Discovered and advised to Nullsoft October 14, 2004 by Brett Moore of
    Security-Assessment.com

    == About Security-Assessment.com ==

    Security-Assessment.com is a leader in intrusion testing and security
    code review, and leads the world with SA-ISO, an online ISO 17799
    compliance management solution. Security-Assessment.com is committed to
    security research and development, and its team has previously
    identified a number of vulnerabilities in public and private software
    vendors' products.

