[NT] Winamp Web Interface Multiple Vulnerabilities
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 19 Dec 2006 10:54:06 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Winamp Web Interface Multiple Vulnerabilities
------------------------------------------------------------------------
SUMMARY
<http://www.flippet.org/wawi/> Winamp Web Interface (Wawi) is "a nice
open source plugin for Winamp which allows the remote administration of
the media player through any web browser". The Winamp Web Interface, WAWI
for short, has been found to contain multiple vulnerabilities that would
allow a remote attacker to overflow the internal buffers used by the
product and to make it read arbitrary files and display them.
DETAILS
Vulnerable Systems:
* Winamp Web Interface version 7.5.13 and prior
Buffer-overflow in FindBasicAuth
FindBasicAuth() is the function in security.cpp that parses the
Authorization HTTP header of the client's request. Basically this function
copies, in sequence, the auth mode and the base64 string containing the
username:password fields into a temp buffer of only 100 bytes, and then
decodes this string into the userpass buffer, also of 100 bytes. The
copy is made through the GetAString() function, which limits strings to
255 characters.
Exploit:
http://localhost/browse, then insert a username longer than 100
characters.
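The following is an added example, not code from Wawi or from the advisory's author, showing the kind of bounded parsing that FindBasicAuth() lacks: the 255-character limit imposed by GetAString() is checked first, and the base64 decode then refuses to write past the 100-byte userpass buffer instead of overflowing it. The buffer sizes come from the advisory; the names parseBasicAuth() and base64DecodeBounded() are assumptions of this example.

```cpp
#include <cassert>
#include <cctype>
#include <cstddef>
#include <cstring>
#include <iostream>
#include <string>

// Limits named in the advisory: GetAString() accepts up to 255 characters,
// while the temp and userpass buffers hold only 100 bytes each.
constexpr std::size_t kMaxAuthString = 255;
constexpr std::size_t kUserPassSize = 100;

// Decode base64 into a fixed buffer. Returns false on an invalid character
// or when the decoded bytes (plus NUL) would exceed outSize: the overflow
// the original code did not check for.
static bool base64DecodeBounded(const std::string& in, char* out,
                                std::size_t outSize, std::size_t& outLen) {
    static const char kTable[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    unsigned int acc = 0;
    int bits = 0;
    std::size_t n = 0;
    for (char c : in) {
        if (c == '=') break;                       // padding ends the data
        const char* p = (c == '\0') ? nullptr : std::strchr(kTable, c);
        if (!p) return false;
        acc = (acc << 6) | static_cast<unsigned int>(p - kTable);
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n + 1 >= outSize) return false;    // keep room for the NUL
            out[n++] = static_cast<char>((acc >> bits) & 0xFFu);
        }
    }
    out[n] = '\0';
    outLen = n;
    return true;
}

struct BasicAuth {
    bool ok = false;
    std::string user;
    std::string pass;
};

// Parse "Basic <base64(user:pass)>" from the Authorization header value
// (hypothetical replacement for the parsing done by FindBasicAuth()).
BasicAuth parseBasicAuth(const std::string& header) {
    BasicAuth result;
    // First bound: the 255-character limit GetAString() already imposes.
    if (header.size() > kMaxAuthString) return result;
    std::size_t sp = header.find(' ');
    if (sp == std::string::npos) return result;
    std::string scheme = header.substr(0, sp);
    for (char& c : scheme) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    if (scheme != "basic") return result;
    std::size_t start = header.find_first_not_of(' ', sp);
    if (start == std::string::npos) return result;
    // Second bound: decode into the 100-byte buffer only if it fits. A
    // 255-character limit on the input does not protect a 100-byte output.
    char userpass[kUserPassSize];
    std::size_t len = 0;
    if (!base64DecodeBounded(header.substr(start), userpass, sizeof userpass, len)) return result;
    std::string creds(userpass, len);
    std::size_t colon = creds.find(':');
    if (colon == std::string::npos) return result;
    result.user = creds.substr(0, colon);
    result.pass = creds.substr(colon + 1);
    result.ok = true;
    return result;
}

int main() {
    BasicAuth a = parseBasicAuth("Basic YWxpY2U6c2VjcmV0");   // base64("alice:secret")
    std::cout << (a.ok ? a.user : std::string("rejected")) << "\n";
    // 200 base64 characters (206 in total) pass the 255 limit but decode to
    // 150 bytes: the unchecked copy would overflow the 100-byte buffer here.
    BasicAuth b = parseBasicAuth("Basic " + std::string(200, 'A'));
    std::cout << (b.ok ? b.user : std::string("rejected")) << "\n";
    return 0;
}
```

The two checks are deliberately separate: the header-length check reproduces what GetAString() already enforces, and the decode bound is the check that was missing, since a 255-character base64 string decodes to up to 191 bytes.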
Browsing directory traversal
The Browse() function in browse.cpp is used to show the files available
in a specific folder within the root directory. The function (like all the
others in the program) checks the path received from the client with the
GoodPath() function, which verifies whether there are risky sequences of
dots and backslashes (like \..\).
The problem here is that slashes are correctly converted into backslashes
before this function is called, but the hex-encoded slash %2f is not, which
allows the browsing of any folder (the files listed are limited to the
extensions specified in the configuration) on the disk where the root
directory is located.
As already said, only browsing is possible, not downloading. The attacker
needs the "Browse" privilege to exploit this bug.
Exploit:
http://localhost/browse?path=%2f..%2f..%2f
Buffer-overflow in the browse, download and load functions
The Browse(), CControl::Download() and CControl::Load() functions are
affected by a buffer overflow caused by the creation of a string
containing the root directory plus the path string received from the
client in a buffer of only MAX_PATH bytes (260, the same size as the
client string).
The attacker needs the privileges required by the function he wants
to exploit.
Exploit:
http://localhost/dl?file=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
File extension check bypassing in file downloading
Wawi also has a check that limits which types of files the users with
the "Download" permission may download. In the "Music Collections"
section of the Wawi configuration there are two switches for allowing
the viewing or the downloading of Winamp files and of all the others.
CControl::Download() calls the IsWinampFile() function to check whether the
requested filename is supported by Winamp and then allows the download
if the related option has been selected.
A dot appended to the requested filename allows an attacker with the
"Download" privilege to download any file of any extension located in the
root directory.
Exploit:
http://localhost/dl?file=\file.txt.
Lucky path name
All the functions used for handling files (like browsing, loading,
downloading and so on) require a backslash before the path or file name,
like http://localhost/browse?path=\ . If another folder or file exists
whose name begins with the name of the root directory, it is possible to
use it instead of the one in the configuration.
For example, if the root directory is c:\folder and the attacker uses
http://localhost/browse?path=2, he will browse c:\folder2 if it exists, or
he can also download the file c:\folder2.mp3 if it exists.
The required privileges (and the usual luck!) are needed to exploit
this bug.
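The following is an added example, not code from Wawi, that takes the four path-handling problems described above (the %2f traversal past GoodPath(), the MAX_PATH overflow in Browse()/Download()/Load(), the trailing-dot bypass of IsWinampFile() and the "lucky path name" prefix match) and shows one path resolver that closes all of them: it percent-decodes before the traversal check, rejects dot-only components and trailing dots or spaces, always joins the root and the client path with a separator, and refuses any result that would not fit a MAX_PATH buffer. The name resolveRequestPath() and the extension list kWinampExts are constructed for this example and are not Wawi's own.

```cpp
#include <algorithm>
#include <cassert>
#include <cctype>
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

constexpr std::size_t kMaxPath = 260;  // MAX_PATH, the buffer size named in the advisory

// Constructed sample of a "Winamp files" allow-list (not Wawi's real list).
const std::vector<std::string> kWinampExts = {"mp3", "wav", "m3u", "pls"};

// Decode %XX escapes exactly once, before any other check runs, so that
// "%2f" is seen as a slash by the traversal check. Returns false on a
// malformed escape.
static bool percentDecode(const std::string& in, std::string& out) {
    out.clear();
    for (std::size_t i = 0; i < in.size(); ++i) {
        if (in[i] != '%') { out += in[i]; continue; }
        if (i + 2 >= in.size() ||
            !std::isxdigit(static_cast<unsigned char>(in[i + 1])) ||
            !std::isxdigit(static_cast<unsigned char>(in[i + 2]))) return false;
        out += static_cast<char>(std::stoi(in.substr(i + 1, 2), nullptr, 16));
        i += 2;
    }
    return true;
}

// Lower-cased extension of a file name, "" when it has none.
static std::string lowerExtension(const std::string& name) {
    std::size_t dot = name.rfind('.');
    if (dot == std::string::npos) return "";
    std::string ext = name.substr(dot + 1);
    for (char& c : ext) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return ext;
}

// Map a client-supplied path onto the root directory. Returns the on-disk
// path, or "" if any check fails. allowedExts == nullptr means no extension
// restriction (browsing); otherwise the last component must carry a listed
// extension (downloading).
std::string resolveRequestPath(const std::string& root, const std::string& clientPath,
                               const std::vector<std::string>* allowedExts) {
    std::string decoded;
    if (!percentDecode(clientPath, decoded)) return "";
    for (char& c : decoded) if (c == '/') c = '\\';   // normalise separators first

    std::vector<std::string> parts;
    std::string cur;
    for (std::size_t i = 0; i <= decoded.size(); ++i) {
        if (i < decoded.size() && decoded[i] != '\\') { cur += decoded[i]; continue; }
        if (!cur.empty()) {
            // ".", "..", "..." and anything with a drive/stream colon escapes the root.
            if (cur.find_first_not_of('.') == std::string::npos) return "";
            if (cur.find(':') != std::string::npos) return "";
            // Windows strips trailing dots and spaces, so "file.txt." opens
            // file.txt while the extension check sees none: reject outright.
            if (cur.back() == '.' || cur.back() == ' ') return "";
            parts.push_back(cur);
            cur.clear();
        }
    }
    if (allowedExts) {
        if (parts.empty()) return "";
        std::string ext = lowerExtension(parts.back());
        if (std::find(allowedExts->begin(), allowedExts->end(), ext) == allowedExts->end()) return "";
    }
    // Always join with a separator so "2" cannot turn c:\folder into c:\folder2.
    std::string out = root;
    if (out.empty() || out.back() != '\\') out += '\\';
    for (std::size_t i = 0; i < parts.size(); ++i) {
        if (i) out += '\\';
        out += parts[i];
    }
    // The result must fit a MAX_PATH buffer including the terminating NUL.
    if (out.size() >= kMaxPath) return "";
    return out;
}

int main() {
    std::cout << resolveRequestPath("c:\\folder", "\\music\\song.mp3", &kWinampExts) << "\n";
    std::cout << "[" << resolveRequestPath("c:\\folder", "%2f..%2f..%2f", nullptr) << "]\n";
    std::cout << resolveRequestPath("c:\\folder", "2", nullptr) << "\n";
    return 0;
}
```

The ordering matters: decoding happens once and before the component check, the component check runs on the normalised form, and the length check runs on the final joined string rather than on the client input, which is the string whose size the original code assumed would not exceed MAX_PATH.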
ADDITIONAL INFORMATION
The information has been provided by Luigi Auriemma
<mailto:aluigi@xxxxxxxxxxxxx>.
The original article can be found at:
http://aluigi.altervista.org/adv/wawix-adv.txt
This bulletin is sent to members of the SecuriTeam mailing list.