WinAmp v.3.0: buffer overflow

From: D4rkGr3y (grey_1999@mail.ru)
Date: 01/04/03

  • Next message: Owen Dunn: "Re: [IPS] PUTTY SSH-Client Exploit"
    Date: Sat, 4 Jan 2003 05:00:47 -0800
    From: D4rkGr3y <grey_1999@mail.ru>
    To: bugtraq@securityfocus.com, submissions@packetstormsecurity.com, vulnwatch@vulnwatch.org
    
    

    #####################################################*
    # Damage Hacking Group security advisory
    # www.dhgroup.org
    #####################################################*
    #Product: WinAmp v.3.0 final (not beta :)) bld #488
    #Authors: NullSoft, Inc. [www.winamp.com]
    #Vulnerable versions: up to v.3.0
    #Not vulnerable: all that doesn't support b4s-lists
    #Vulnerability: buffer overflow (& code execution)
    #####################################################*

    #Overview#--------------------------------------------------------------#
    IMHO, this is the most popular media player under win32-platforms.

    #Problem#---------------------------------------------------------------#
    First, what is b4s?
    WinAmp allows u to save your mp3-list to *.b4s-files. This is something
    like *.m3u-lists, but b4s uses XML for it's work. Here is example of one
    b4s-file (# - comments):

    <?xml version="1.0" encoding='UTF-8' standalone="yes"?>
    <WinampXML>
    <!-- Generated by: Nullsoft Winamp3 version 3.0 -->
    <playlist num_entries="[number_of_entries]" label="[playlist_name]"> #(1)

    #first entry
    <entry Playstring="file:[patch_to_file]"> #(2)
    <Name>[name_of_the_song]</Name>
    <Length>[file_size_in_byts]</Lengt>
    </entry>
    #end of first entry

    </playlist>
    </WinampXML>

    Now, lets talk about bugs.
    (1) if [playlist_name] will be longer then 16580b, ecx, esi and retaddr(!!)
    will be overwriten at addr 0x1007C340. So it's possible to execute
    arbitrary code with user's permisson.
    (2) buffer overflow in [patch_to_file]. I don't parse this problem,
    but I realy think, that it's very serious too.
    (3) DoS. If [playlist_name] will include some cyrilic (imho, any none
    English) letters, WinAmp will be crashed.
    (4) DOS Device bug. If [patch_to_file] will be "file:aux", WinAmp will
    be freezed.

    #Fix#--------------------------------------------------------------------#
    Use m3u-lists :) & wait for new versions of WinAmp.

    #Exploit#----------------------------------------------------------------#
    Sorry, xsploit is private.
    #EOF

    Best regards www.dhgroup.org
      D4rkGr3y icq 540981



    Relevant Pages