[VulnWatch] WinAmp v.3.0: buffer overflow

From: D4rkGr3y (grey_1999at_private)
Date: Sat Jan 04 2003 - 05:00:47 PST


    #####################################################*
    #      Damage Hacking Group security advisory
    #                 www.dhgroup.org
    #####################################################*
    #Product: WinAmp v.3.0 final (not beta :)) bld #488
    #Authors: NullSoft, Inc. [www.winamp.com]
    #Vulnerable versions: up to v.3.0
    #Not vulnerable: all versions that don't support b4s lists
    #Vulnerability: buffer overflow (& code execution)
    #####################################################*
    
    #Overview#--------------------------------------------------------------#
    IMHO, this is the most popular media player on win32 platforms.
    
    #Problem#---------------------------------------------------------------#
    First, what is b4s?
    WinAmp allows you to save your mp3 playlist to *.b4s files. These are
    similar to *.m3u lists, but b4s is XML-based. Here is an example of a
    b4s file (annotations are in XML comments):
    
    <?xml version="1.0" encoding='UTF-8' standalone="yes"?>
    <WinampXML>
    <!-- Generated by: Nullsoft Winamp3 version 3.0 -->
    <playlist num_entries="[number_of_entries]" label="[playlist_name]"> <!-- (1) -->
    
    <!-- first entry -->
    <entry Playstring="file:[path_to_file]"> <!-- (2) -->
    <Name>[name_of_the_song]</Name>
    <Length>[file_size_in_bytes]</Length>
    </entry>
    <!-- end of first entry -->
    
    </playlist>
    </WinampXML>
    
    Now, let's talk about the bugs.
    (1) If [playlist_name] is longer than 16580 bytes, ecx, esi and the return
    address (!!) are overwritten at address 0x1007C340, so it is possible to
    execute arbitrary code with the user's permissions.
    (2) Buffer overflow in [path_to_file]. I did not examine this problem,
    but I really think it is very serious too.
    (3) DoS. If [playlist_name] includes some Cyrillic (IMHO, any non-English)
    letters, WinAmp crashes.
    (4) DOS device bug. If [path_to_file] is "file:aux", WinAmp freezes.
    
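    As an added example (not from this advisory or from Nullsoft), a small Python
    checker that inspects a b4s playlist for the risky fields described above before
    a user opens it: an oversized label (1), a non-ASCII label (3) and a Playstring
    that names a DOS device (4). The 16580-byte limit is the one quoted in the
    advisory; the reserved device names beyond "aux" are the standard Windows set,
    and every sample playlist is constructed here.

```python
import re
import xml.etree.ElementTree as ET

# Label limit quoted in the advisory: longer labels overwrite the return address.
LABEL_LIMIT = 16580
# Windows reserved device names; the advisory only shows "aux", the rest are the
# standard set (CON, PRN, NUL, COM1-9, LPT1-9).
DOS_DEVICES = ({"CON", "PRN", "AUX", "NUL"}
               | {f"COM{i}" for i in range(1, 10)}
               | {f"LPT{i}" for i in range(1, 10)})


def check_b4s(xml_text):
    """Return (issue, detail) tuples for each risky field in a WinampXML playlist."""
    findings = []
    root = ET.fromstring(xml_text)
    for playlist in root.iter("playlist"):
        label = playlist.get("label", "")
        label_len = len(label.encode("utf-8"))
        if label_len > LABEL_LIMIT:
            findings.append(("oversized_label", label_len))       # bug (1)
        if not label.isascii():
            findings.append(("non_ascii_label", label))           # bug (3)
        for entry in playlist.iter("entry"):
            target = entry.get("Playstring", "")
            path = target[5:] if target.lower().startswith("file:") else target
            # Strip directory and extension: "aux.mp3" still names the device on Windows.
            base = re.split(r"[\\/]", path)[-1].split(".")[0].upper()
            if base in DOS_DEVICES:
                findings.append(("dos_device_path", target))      # bug (4)
    return findings


def _playlist(label, playstring):
    """Build a minimal constructed b4s document (test data, not a real playlist)."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<WinampXML><playlist num_entries="1" label="{label}">'
        f'<entry Playstring="{playstring}"><Name>x</Name><Length>1</Length></entry>'
        "</playlist></WinampXML>"
    )


# Constructed samples: one clean file plus one per field-level bug from the advisory.
SAMPLES = {
    "benign": _playlist("My list", "file:C:\\music\\song.mp3"),
    "long_label": _playlist("A" * (LABEL_LIMIT + 1), "file:C:\\music\\song.mp3"),
    "cyrillic": _playlist("Музыка", "file:C:\\music\\song.mp3"),
    "device": _playlist("My list", "file:aux"),
}
```

    Run check_b4s() over SAMPLES to see which sample trips which finding; an empty
    list means none of the advisory's field-level conditions is present.
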
    #Fix#--------------------------------------------------------------------#
    Use m3u lists :) and wait for a new version of WinAmp.
    
    #Exploit#----------------------------------------------------------------#
    Sorry, the exploit is private.
    #EOF
    
    Best regards               www.dhgroup.org
      D4rkGr3y                    icq 540981
    



    This archive was generated by hypermail 2b30 : Sat Jan 04 2003 - 10:44:31 PST