[NT] Nullsoft Winamp 'in_mod.dll' Heap Overflow

From: SecuriTeam (support_at_securiteam.com)
Date: 04/08/04

    To: list@securiteam.com
    Date: 8 Apr 2004 11:29:48 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Nullsoft Winamp 'in_mod.dll' Heap Overflow
    ------------------------------------------------------------------------

    SUMMARY

    Winamp is "one of the world's most popular pieces of software for playing
    digital media. It supports in excess of 30 file types and boasts a huge
    dedicated community backing it with almost 20,000 skins and over 461
    additional components. To date CNET's download.com alone reports more than
    31,000,000 downloads of Winamp versions 2.91 to 5.02". A vulnerability in
    the product allows remote attackers to cause the program to execute
    arbitrary code.

    DETAILS

    Vulnerable Systems:
     * Nullsoft Winamp versions 2.91 to 5.02

    Immune Systems:
     * Nullsoft Winamp version 5.03 or newer

    Due to a lack of boundary checking within the code responsible for loading
    Fasttracker 2 ('.xm') module files in the Winamp input plug-in
    'in_mod.dll', a crafted file can make Winamp write past the end of a heap
    allocation and reliably cause an access violation inside the
    ntdll.RtlAllocateHeap() function. The crash location is the tell: the
    overflow reaches heap management data, and when the allocator later
    processes the corrupted chunk it performs pointer writes using values
    taken from that data. Properly exploited, this gives the attacker a write
    of any value to a memory location of their choosing, which is enough to
    redirect Winamp's flow of execution and run arbitrary code. That code runs
    in the security context of the logged-on user.

    NGSS researchers have confirmed that code execution is possible and that
    the malicious media file can be delivered remotely: rendering a specially
    crafted HTML document is enough to have Winamp open it.

    It has also been discovered that the malicious file does not need to carry
    the '.xm' extension. 'in_mod.dll' determines which type of module file has
    been opened by inspecting the file itself before loading it: the file is
    passed through each of the available loaders in turn until one accepts
    it. The extension is never consulted for this decision.

    As a result, the malicious file can carry the extension of any of the
    module file types whose loaders live in 'in_mod.dll' and still reach the
    vulnerable Fasttracker 2 loader. Extension-based filtering (at a mail
    gateway, a web proxy, or in the browser's download handling) therefore
    does not block this attack.
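    The following is an added example written for this page, not code from
    in_mod.dll, Nullsoft or the NGSS advisory. It illustrates the two points
    above: a loader that identifies a Fasttracker 2 file by its magic bytes
    regardless of the file name, and the difference between copying a
    file-supplied count into a fixed-size heap buffer and checking that count
    first. Field offsets follow the public XM 1.04 header layout (17-byte
    magic "Extended Module: ", 20-byte name, 0x1A, 20-byte tracker name,
    version, header size, then song length, restart position, channels,
    patterns, instruments, flags, tempo, BPM and a 256-byte pattern-order
    table). The page does not say which field in_mod.dll mishandles, so the
    song-length copy used here is a hypothetical instance of the bug class,
    and the sample file is constructed in the code.

```c
/*
 * Added example, not code from in_mod.dll or the NGSS advisory.
 * Demonstrates (1) content sniffing of an XM file by magic bytes and
 * (2) a file-supplied length trusted by a naive loader versus checked
 * by a hardened one.  The overflowing field is hypothetical.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define XM_MAGIC      "Extended Module: "   /* 17 bytes, trailing space included */
#define XM_MAGIC_LEN  17
#define XM_HEADER_MIN 80                    /* fixed fields before the order table */
#define XM_ORDER_MAX  256                   /* FT2 order table is exactly 256 bytes */
#define XM_HDR_SIZE   276                   /* header size field counted from offset 60 */
#define XM_SAMPLE_LEN (XM_HEADER_MIN + XM_ORDER_MAX)

struct xm_header {
    uint32_t header_size;
    uint16_t version, song_len, restart, channels, patterns, instruments;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Content sniffing: the loader decides by bytes, not by file extension. */
int xm_sniff(const uint8_t *buf, size_t len)
{
    return len >= XM_MAGIC_LEN && memcmp(buf, XM_MAGIC, XM_MAGIC_LEN) == 0;
}

/* Reads the fixed header fields; -1 if the buffer cannot hold them. */
int xm_read_header(const uint8_t *buf, size_t len, struct xm_header *h)
{
    if (len < XM_SAMPLE_LEN) return -1;
    h->version     = rd16(buf + 58);
    h->header_size = rd32(buf + 60);
    h->song_len    = rd16(buf + 64);
    h->restart     = rd16(buf + 66);
    h->channels    = rd16(buf + 68);
    h->patterns    = rd16(buf + 70);
    h->instruments = rd16(buf + 72);
    return 0;
}

/* BUG PATTERN (hypothetical): song_len is a 16-bit value from the file, the
 * destination is a 256-byte heap chunk.  song_len > 256 overwrites the heap
 * data that follows the chunk, which is the class of defect the advisory
 * describes.  Never call this on untrusted input. */
uint8_t *xm_load_order_naive(const uint8_t *buf, const struct xm_header *h)
{
    uint8_t *order = malloc(XM_ORDER_MAX);
    if (!order) return NULL;
    memcpy(order, buf + XM_HEADER_MIN, h->song_len);   /* heap overflow if song_len > 256 */
    return order;
}

/* Hardened: every file-supplied count is checked against the format's
 * limits and against the number of bytes actually read. */
uint8_t *xm_load_order_checked(const uint8_t *buf, size_t len, const struct xm_header *h)
{
    uint16_t i;
    uint8_t *order;
    if (h->header_size < XM_HDR_SIZE || h->header_size > len - 60) return NULL;
    if (h->song_len == 0 || h->song_len > XM_ORDER_MAX) return NULL;   /* FT2: 1..256 */
    if (h->patterns > 256 || h->instruments > 128) return NULL;        /* FT2 limits */
    if ((size_t)XM_HEADER_MIN + h->song_len > len) return NULL;
    order = malloc(XM_ORDER_MAX);
    if (!order) return NULL;
    memset(order, 0, XM_ORDER_MAX);
    memcpy(order, buf + XM_HEADER_MIN, h->song_len);
    for (i = 0; i < h->song_len; i++)          /* order entries index the pattern table */
        if (order[i] >= h->patterns) { free(order); return NULL; }
    return order;
}

/* Constructed sample (not a real file): a minimal XM header with the given song length. */
void xm_build_sample(uint8_t *out, uint16_t song_len)
{
    memset(out, 0, XM_SAMPLE_LEN);
    memcpy(out, XM_MAGIC, XM_MAGIC_LEN);
    memcpy(out + 17, "constructed sample", 18);
    out[37] = 0x1A;
    memcpy(out + 38, "added example", 13);
    out[58] = 0x04; out[59] = 0x01;               /* version 1.04 */
    out[60] = 0x14; out[61] = 0x01;               /* header size 276 */
    out[64] = (uint8_t)(song_len & 0xFF); out[65] = (uint8_t)(song_len >> 8);
    out[68] = 8; out[70] = 4; out[72] = 2;        /* channels, patterns, instruments */
    out[76] = 6; out[78] = 125;                   /* tempo, BPM */
}

/* 1 if the hardened loader accepts a sample with this song length, else 0. */
int xm_sample_accepted(uint16_t song_len)
{
    uint8_t file[XM_SAMPLE_LEN];
    struct xm_header h;
    uint8_t *order;
    xm_build_sample(file, song_len);
    if (!xm_sniff(file, sizeof file) || xm_read_header(file, sizeof file, &h) != 0) return 0;
    order = xm_load_order_checked(file, sizeof file, &h);
    if (!order) return 0;
    free(order);
    return 1;
}

int main(void)
{
    uint8_t file[XM_SAMPLE_LEN];
    struct xm_header h;
    uint8_t *order;

    xm_build_sample(file, 16);
    xm_read_header(file, sizeof file, &h);
    order = xm_load_order_naive(file, &h);        /* safe only because song_len <= 256 */
    printf("benign file (song_len=%u): naive copy ok, checked loader %s\n", h.song_len,
           xm_sample_accepted(16) ? "accepts" : "rejects");
    free(order);

    xm_build_sample(file, 0xFFFF);                /* 65535-byte copy into a 256-byte chunk */
    xm_read_header(file, sizeof file, &h);
    /* xm_load_order_naive(file, &h) would corrupt the heap here; deliberately not called. */
    printf("crafted file (song_len=%u): checked loader %s\n", h.song_len,
           xm_sample_accepted(0xFFFF) ? "accepts" : "rejects");
    return 0;
}
```

    The check on `header_size` is the one most loaders forget: it is measured
    from offset 60, so it must be compared against `len - 60`, not `len`.
    Note also that renaming the constructed file to '.mod' or '.it' changes
    nothing above, because `xm_sniff()` never sees the name.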

    Fix Information:
    Nullsoft have provided a fix for this issue. Winamp version 5.03 addresses
    the security issue discussed in this advisory. It can be obtained from the
    official website:
    http://www.winamp.com/player/

    To determine which version of Winamp you are currently using, load the
    player, right-click the main window and select the top-most menu item,
    'Nullsoft Winamp...'.

    In the window that opens, make sure that the 'Winamp' tab is selected and
    look for the copyright information; the version information should be
    directly underneath it.

    If you see a version and date matching 'v5.02 (x86) - Feb 4 2004' or
    older, it is highly recommended that you update as soon as possible.

    If for some reason it is impossible to download the updated version of
    Winamp, the vendor has informed NGSS that it is possible to disable the
    handling of Fasttracker 2 module files by taking the following steps:
    1. Right-click the Winamp player, go to 'Options' and then to
    'Preferences...'.

    2. In the window that opens, go to 'Plug-ins' and then 'Input'.

    3. Look for the input plug-in item 'Nullsoft Module Decoder' and double-
    click it to bring up the 'Nullsoft Module Decoder Preferences' window.

    4. Select the 'Fasttracker 2' loader and deselect the 'Enabled' checkbox
    to the right of the loaders list.

    5. Close all of the option windows and return to the main player.

    Disabling the loader removes only the Fasttracker 2 entry point; it does
    not change the extension-independent loader probing described above, so
    the other module loaders continue to run on any file handed to the
    plug-in. Updating to 5.03 remains the only complete fix.

    ADDITIONAL INFORMATION

    The information has been provided by Peter Winter-Smith
    <peter@ngssoftware.com>.

    The original article can be found at:
    http://www.ngssoftware.com/advisories/winampheap.txt

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
