WINAMP 2.6x / 2.7x BUFFER OVERFLOW

AFFECTED SYSTEMS

Winamp 2.73 (full)
Winamp 2.70 (full)
Winamp 2.64 (standard)
Winamp 2.62 (standard)
Winamp 2.61 (full)
Winamp 2.60 (full)
Winamp 2.60 (lite)

(haven't tested 2.74/2.72/2.71/2.65/... yet, but as you can guess, it's very likely that they're affected)

IMMUNE SYSTEMS

Winamp 2.5e
Winamp 2.50
Winamp 2.24
Winamp 2.04

DESCRIPTION

Winamp has a buffer overflow condition when parsing *.AIP files (which are set to be automatically downloaded without user intervention, just like *.M3U / *.PLS files).

The bug can be reproduced by simply putting a lot of As (about 2100) in an *.AIP file and double-clicking it. A sample *.AIP has been attached; I have zipped it up so as not to cause too much trouble with automatic downloading...

The sample *.AIP will attempt to snatch the EIP and set it to 080808080h. It seems to work most of the time, but not always. Snatching the EIP seems to be the hardest part of writing an exploit for this bug.

This buffer overflow could lead to a system compromise on a Windows computer running Winamp 2.7x / 2.6x, either via a webpage or by sending an e-mail which opens a malicious *.AIP.

VENDOR STATUS

I've contacted Denzil Kriekenbeek of Nullsoft <denzilat_private> notifying him about the buffer overflow condition. (The automatic feedback form on winamp.com didn't work, neither did supportat_private.)

SOLUTION

Consider turning off automatic downloading of *.AIP files (also consider turning it off for *.M3U, *.PLS, *.WPZ, *.WSZ, ...), so that if a suspicious webpage or e-mail attempts to open *.AIP files with Winamp, you can decide not to hit 'execute from current location'.

greetz,
[ByteRage] <byterageat_private>
[www.byterage.cjb.net]
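As an added example (not from the advisory or from Nullsoft), a small Python heuristic that a mail gateway or download handler could apply to a *.AIP before handing it to Winamp: it flags the single long unbroken token the advisory describes (about 2100 filler bytes) rather than raw file size, so a large but normally structured file is not flagged. The threshold, the function names and the sample file contents are assumptions, since the advisory does not document the *.AIP format.

```python
import re
from dataclasses import dataclass

# Assumed threshold for this example: the advisory reports the crash with about
# 2100 filler bytes, so a single unbroken token anywhere near that is suspect.
SUSPECT_TOKEN_LEN = 1024


@dataclass
class AipVerdict:
    longest_token: int    # longest run of non-whitespace bytes
    longest_repeat: int   # longest run of one repeated byte (typical filler)
    suspicious: bool


def longest_repeat_run(data: bytes) -> int:
    """Length of the longest run of a single repeated byte value."""
    best = run = 0
    prev = None
    for b in data:
        run = run + 1 if b == prev else 1
        prev = b
        best = max(best, run)
    return best


def scan_aip(data: bytes) -> AipVerdict:
    """Heuristic check of a downloaded *.AIP before it reaches the player."""
    tokens = re.split(rb"\s+", data)
    longest_token = max((len(t) for t in tokens), default=0)
    return AipVerdict(
        longest_token=longest_token,
        longest_repeat=longest_repeat_run(data),
        suspicious=longest_token >= SUSPECT_TOKEN_LEN,
    )


# Constructed samples; not real Winamp files.
BENIGN = b"name=sample\r\nfile=C:\\Music\\song.mp3\r\n"
OVERLONG = b"A" * 2100 + b"\r\n"     # the advisory's reproduction case
MANY_LINES = b"x=1\r\n" * 600        # 3000 bytes, but no long token

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("overlong", OVERLONG),
                          ("many_lines", MANY_LINES)):
        print(label, scan_aip(sample))
```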
This archive was generated by hypermail 2b30 : Mon Apr 30 2001 - 00:03:52 PDT