[NT] Multiple Exploitable Buffer Overflows in Winamp

• Previous message: support@securiteam.com: "[NT] TYPSoft FTP Server Directory Traversal Vulnerability"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

From: support@securiteam.com
To: list@securiteam.com
Date: 19 Dec 2002 17:32:52 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

Beyond Security would like to welcome Tiscali World Online
to our service provider team.
For more info on their service offering IP-Secure,
please visit http://www.worldonline.co.za/services/work_ip.asp
- - - - - - - - -

  Multiple Exploitable Buffer Overflows in Winamp
------------------------------------------------------------------------

SUMMARY

One buffer overflow exists in Winamp 2.81 (latest 2.x release) and two
buffer overflows exist in Winamp 3.0 (latest 3.x release). The Winamp 2.81
overflow is with the handling of the Artist ID3v2 tag upon immediate
loading of an MP3. The two Winamp 3.0 overflows are present in Media
Library's handling of the Artist and Album ID3v2 tags.

DETAILS

Vulnerable systems:
 * Winamp 3.0
 * Winamp 2.81

Winamp 2.81 Overflow
If a long Artist ID3v2 tag is present within an MP3, Winamp 2.81 will
crash yielding privileges immediately upon loading the MP3.

Two Winamp 3.0 Media Library Overflows
If an MP3 is loaded into Winamp 3.0 that has an ID3v2 tag, the Artist and
Album fields of the ID3v2 tag are displayed within the Media Library
window of Winamp3. An attacker could create a malicious MP3 file, that if
loaded via the Media Library window, would compromise the system and allow
for remote code execution.

An attacker could create a malicious MP3 file that exploits either the
overflow of the Artist ID3v2 tag or the Album ID3v2 tag (or both). For
either overflow to occur, the user has to attempt to load the MP3 file
from the Media Library by at least single clicking on either the MP3 via
the Artist or Album window.

Vendor Response:
Nullsoft has released fixed versions of Winamp 2.81 and Winamp 3.0 and
both are available at: <http://www.winamp.com> http://www.winamp.com

Foundstone would like to thank Nullsoft for their cooperation with the
remediation of this vulnerability.

Solution:
For Winamp 2.81 users
We recommend either upgrading to Winamp 3.0 or redownloading Winamp 2.81
(which has since been fixed) from: <http://www.winamp.com>
http://www.winamp.com

For Winamp 3.0 users
Only Winamp 3.0 build #488 built on December 15, 2002 and later are not
vulnerable. We recommend if the About Winamp3 dialog box within Winamp 3.0
displays a 3.0 release that has a lower build number than 488 or earlier
date than Dec 15 2002, we recommend redownloading Winamp 3.0 from:
<http://www.winamp.com> http://www.winamp.com

ADDITIONAL INFORMATION

The original advisory can be downloaded by going to:
 
<http://www.foundstone.com/knowledge/randd-advisories-display.html?id=338>
http://www.foundstone.com/knowledge/randd-advisories-display.html?id=338

The information has been provided by <mailto:tony.bettini@foundstone.com>
Tony Bettini, Foundstone.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

• Next message: support@securiteam.com: "[NT] Exploitable Windows XP Media Files"
• Previous message: support@securiteam.com: "[NT] TYPSoft FTP Server Directory Traversal Vulnerability"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]