PDA

Bekijk Volledige Versie : WinAmp v.3.0: buffer overflow



D4rkGr3y
05/01/03, 00:43
################################################## ###*
# Damage Hacking Group security advisory
# www.dhgroup.org
################################################## ###*
#Product: WinAmp v.3.0 final (not beta :)) bld #488
#Authors: NullSoft, Inc. [www.winamp.com]
#Vulnerable versions: up to v.3.0
#Not vulnerable: all that doesn't support b4s-lists
#Vulnerability: buffer overflow (& code execution)
################################################## ###*

#Overview#--------------------------------------------------------------#
IMHO, this is the most popular media player under win32-platforms.

#Problem#---------------------------------------------------------------#
First, what is b4s?
WinAmp allows u to save your mp3-list to *.b4s-files. This is something
like *.m3u-lists, but b4s uses XML for it's work. Here is example of one
b4s-file (# - comments):

<?xml version="1.0" encoding='UTF-8' standalone="yes"?>
<WinampXML>
<!-- Generated by: Nullsoft Winamp3 version 3.0 -->
<playlist num_entries="[number_of_entries]" label="[playlist_name]"> #(1)

#first entry
<entry Playstring="file:[patch_to_file]"> #(2)
<Name>[name_of_the_song]</Name>
<Length>[file_size_in_byts]</Lengt>
</entry>
#end of first entry

</playlist>
</WinampXML>

Now, lets talk about bugs.
(1) if [playlist_name] will be longer then 16580b, ecx, esi and retaddr(!!)
will be overwriten at addr 0x1007C340. So it's possible to execute
arbitrary code with user's permisson.
(2) buffer overflow in [patch_to_file]. I don't parse this problem,
but I realy think, that it's very serious too.
(3) DoS. If [playlist_name] will include some cyrilic (imho, any none
English) letters, WinAmp will be crashed.
(4) DOS Device bug. If [patch_to_file] will be "file:aux", WinAmp will
be freezed.

#Fix#--------------------------------------------------------------------#
Use m3u-lists :) & wait for new versions of WinAmp.

#Exploit#----------------------------------------------------------------#
Sorry, xsploit is private.
#EOF

Best regards www.dhgroup.org
D4rkGr3y icq 540981