Foundstone Research Labs Advisory - Multiple Exploitable Buffer Overflows in Winamp (fwd)

From: Dave Ahmad (daat_private)
Date: Wed Dec 18 2002 - 16:31:43 PST


    David Mirza Ahmad
    Symantec
    
    0x26005712
    8D 9A B1 33 82 3D B3 D0 40 EB  AB F0 1E 67 C6 1A 26 00 57 12
    
    ---------- Forwarded message ----------
    
    ----------------------------------------------------------------------
    Foundstone Research Labs Advisory - FS2002-10
    
    Advisory Name:	Multiple Exploitable Buffer Overflows in Winamp
     Release Date:	December 18, 2002
      Application:	Winamp 3.0 and Winamp 2.81
        Platforms:	Windows NT/2000/XP
         Severity:	Remote code execution
          Vendors:	Nullsoft (http://www.nullsoft.com)
          Authors:	Tony Bettini, Foundstone (tony.bettiniat_private)
    CVE Candidate:	CAN-2002-1176
    			CAN-2002-1177
        Reference:	http://www.foundstone.com/advisories
    ----------------------------------------------------------------------
    
    Overview:
    
    One buffer overflow exists in Winamp 2.81 (latest 2.x release) and two
    buffer overflows exist in Winamp 3.0 (latest 3.x release). The
    Winamp 2.81 overflow is in the handling of the Artist ID3v2 tag upon
    immediate loading of an MP3. The two Winamp 3.0 overflows are present
    in the Media Library's handling of the Artist and Album ID3v2 tags.
    
    Detailed Description:
    
    Winamp 2.81 Overflow
    
    If a long Artist ID3v2 tag is present within an MP3, Winamp 2.81 will
    crash immediately upon loading the MP3. The overflow is exploitable,
    yielding the privileges of the user running Winamp to the attacker.
    
    Two Winamp 3.0 Media Library Overflows
    
    If an MP3 that has an ID3v2 tag is loaded into Winamp 3.0, the Artist
    and Album fields of the ID3v2 tag are displayed within the Media
    Library window of Winamp3. An attacker could create a malicious MP3
    file that, if loaded via the Media Library window, would compromise
    the system and allow for remote code execution.
    
    An attacker could create a malicious MP3 file that exploits either the
    overflow of the Artist ID3v2 tag or the Album ID3v2 tag (or both). For
    either overflow to occur, the user has to attempt to load the MP3 file
    from the Media Library by at least single-clicking the MP3 in either
    the Artist or the Album pane. Simply having the file on disk, or
    playing it outside the Media Library, does not trigger these two
    overflows.
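As an added example (not Foundstone's or Nullsoft's code, and not the vulnerable Winamp routine itself): a small C program that constructs an ID3v2.3 tag in memory with an oversized Artist (TPE1) or Album (TALB) text frame, the shape of input the advisory describes, and then scans a tag for such frames with every size field checked against the bytes actually present. The frame IDs and byte layout follow the published ID3v2.3 specification; the choice of v2.3, the 64-byte "oversized" threshold, the sample data and the function names are assumptions, since the advisory names neither the tag version nor the length that triggers the overflow.

```c
/* Added example (not Foundstone's or Nullsoft's code): build an ID3v2.3
 * tag with an oversized TPE1/TALB frame and scan a tag for such frames.
 * Assumptions: ID3v2.3 layout, 64-byte "oversized" threshold in main(). */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define ID3_HEADER_LEN   10
#define FRAME_HEADER_LEN 10

/* Tag size is "syncsafe": four 7-bit groups, high bit of each byte clear. */
static uint32_t syncsafe_decode(const unsigned char *p)
{
    return ((uint32_t)(p[0] & 0x7f) << 21) | ((uint32_t)(p[1] & 0x7f) << 14) |
           ((uint32_t)(p[2] & 0x7f) << 7)  |  (uint32_t)(p[3] & 0x7f);
}

static void syncsafe_encode(unsigned char *p, uint32_t v)
{
    p[0] = (v >> 21) & 0x7f; p[1] = (v >> 14) & 0x7f;
    p[2] = (v >> 7) & 0x7f;  p[3] = v & 0x7f;
}

/* Build an ID3v2.3 tag holding one text frame ("TPE1" = Artist,
 * "TALB" = Album) whose text is text_len bytes of 'A' (constructed sample
 * data). Returns the total tag length, or 0 if out is too small. */
size_t build_tag(unsigned char *out, size_t cap, const char *frame_id, size_t text_len)
{
    size_t frame_len = 1 + text_len;               /* encoding byte + text */
    size_t total = ID3_HEADER_LEN + FRAME_HEADER_LEN + frame_len;
    if (total > cap || frame_len > 0x0fffffff) return 0;
    memcpy(out, "ID3", 3);
    out[3] = 3; out[4] = 0; out[5] = 0;            /* version 2.3.0, no flags */
    syncsafe_encode(out + 6, (uint32_t)(FRAME_HEADER_LEN + frame_len));
    unsigned char *f = out + ID3_HEADER_LEN;
    memcpy(f, frame_id, 4);
    uint32_t fs = (uint32_t)frame_len;             /* v2.3 frame size: plain big-endian */
    f[4] = (unsigned char)(fs >> 24); f[5] = (unsigned char)(fs >> 16);
    f[6] = (unsigned char)(fs >> 8);  f[7] = (unsigned char)fs;
    f[8] = 0; f[9] = 0;                            /* frame flags */
    f[10] = 0;                                     /* text encoding: ISO-8859-1 */
    memset(f + 11, 'A', text_len);
    return total;
}

/* Walk the frames of a v2.3 tag and count TPE1/TALB frames whose text
 * exceeds max_text bytes. Returns -1 if the tag is malformed. Every size
 * field is checked against the bytes actually present before it is used;
 * a parser that trusts the frame size and copies into a fixed buffer is
 * the bug class the advisory describes. */
int scan_oversized_frames(const unsigned char *buf, size_t len, size_t max_text)
{
    if (len < ID3_HEADER_LEN || memcmp(buf, "ID3", 3) != 0 || buf[3] != 3) return -1;
    if (buf[5] & 0x40) return -1;                  /* extended header: not handled here */
    size_t tag_len = syncsafe_decode(buf + 6);
    if (tag_len > len - ID3_HEADER_LEN) return -1; /* header claims more than we have */
    const unsigned char *p = buf + ID3_HEADER_LEN, *end = p + tag_len;
    int hits = 0;
    while ((size_t)(end - p) >= FRAME_HEADER_LEN) {
        if (p[0] == 0) break;                      /* padding after the last frame */
        uint32_t fs = ((uint32_t)p[4] << 24) | ((uint32_t)p[5] << 16) |
                      ((uint32_t)p[6] << 8)  |  (uint32_t)p[7];
        if (fs > (size_t)(end - p) - FRAME_HEADER_LEN) return -1; /* frame runs past tag */
        if ((memcmp(p, "TPE1", 4) == 0 || memcmp(p, "TALB", 4) == 0) && fs > 1 + max_text)
            hits++;
        p += FRAME_HEADER_LEN + fs;
    }
    return hits;
}

/* The fix pattern for this bug class: copy a text frame's payload into a
 * fixed buffer with an explicit bound, truncating instead of overflowing.
 * Returns the number of bytes copied. */
size_t copy_text_bounded(char *dst, size_t dst_cap, const unsigned char *frame_data, size_t frame_len)
{
    if (dst_cap == 0) return 0;
    size_t n = frame_len > 0 ? frame_len - 1 : 0;  /* skip the encoding byte */
    if (n > dst_cap - 1) n = dst_cap - 1;          /* bound: leave room for the NUL */
    memcpy(dst, frame_data + 1, n);
    dst[n] = '\0';
    return n;
}

int main(void)
{
    unsigned char tag[2048];
    char artist[64];
    size_t n = build_tag(tag, sizeof tag, "TPE1", 1000);   /* oversized Artist */
    printf("oversized TPE1: %d flagged frame(s)\n", scan_oversized_frames(tag, n, sizeof artist));
    printf("bounded copy kept %zu bytes\n", copy_text_bounded(artist, sizeof artist,
           tag + ID3_HEADER_LEN + FRAME_HEADER_LEN, n - ID3_HEADER_LEN - FRAME_HEADER_LEN));
    n = build_tag(tag, sizeof tag, "TALB", 20);             /* benign Album */
    printf("short TALB: %d flagged frame(s)\n", scan_oversized_frames(tag, n, sizeof artist));
    return 0;
}
```

The scanner is the sort of triage check one would run over a shared MP3 collection before patched clients are rolled out: a TPE1 or TALB frame far larger than any plausible artist or album name is worth quarantining regardless of which player reads it. Note that the scanner treats a frame size running past the tag as malformed rather than clamping it; a lenient parser that clamps silently is exactly where an unbounded copy into a stack buffer tends to hide.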
    
    Vendor Response:
    
    Nullsoft has released fixed versions of Winamp 2.81 and Winamp 3.0 and
    both are available at: http://www.winamp.com
    
    Foundstone would like to thank Nullsoft for their cooperation with
    the remediation of these vulnerabilities.
    
    Solution:
    
    For Winamp 2.81 users
    
    We recommend either upgrading to a fixed build of Winamp 3.0 (see the
    build number and date below) or redownloading Winamp 2.81 (which has
    since been fixed) from: http://www.winamp.com
    
    For Winamp 3.0 users
    
    Only Winamp 3.0 build #488, built on December 15, 2002, and later are
    not vulnerable. If the About Winamp3 dialog box within Winamp 3.0
    displays a 3.0 release with a build number lower than 488 or a build
    date earlier than Dec 15 2002, we recommend redownloading Winamp 3.0
    from: http://www.winamp.com
    
    Disclaimer:
    
    The information contained in this advisory is copyright (c) 2002
    Foundstone, Inc. and is believed to be accurate at the time of
    publishing. However, no representation of any warranty is given,
    expressed, or implied as to its accuracy or completeness. In no event
    shall the author or Foundstone be liable for any direct, indirect,
    incidental, special, exemplary or consequential damages resulting from
    the use or misuse of this information. This advisory may be
    redistributed, provided that no fee is assigned and that the advisory
    is not modified in any way.
    
    About Foundstone:
    
    Foundstone Inc. addresses the security and privacy
    needs of Global 2000 companies with world-class Enterprise
    Vulnerability Management Software, Managed Vulnerability Assessment
    Services, Professional Consulting and Education offerings. The company
    has one of the most dominant security talent pools ever assembled,
    including experts from Ernst & Young, KPMG, PricewaterhouseCoopers,
    and the United States Defense Department. Foundstone executives and
    consultants have authored nine books, including the international best
    seller Hacking Exposed: Network Security Secrets & Solutions.
    Foundstone is headquartered in Orange County, CA, and has offices in
    New York, Washington, DC, San Antonio, and Seattle. For more
    information, visit www.foundstone.com or call 1-877-91-FOUND.
    
    Copyright (c) 2002 Foundstone, Inc. All rights reserved worldwide.
    



    This archive was generated by hypermail 2b30 : Thu Dec 19 2002 - 19:39:36 PST