|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Subject: Winamp M3U playlist parser buffer overflow security vulnerability
From: Pauli Ojanpera (pauli_ojanpera
HOTMAIL.COM)Date: Thu Jul 20 2000 - 17:21:26 CDT
- Next message: Microsoft Product Security: "Microsoft Security Bulletin (MS00-043)"
- Previous message: Fabio Pietrosanti: "strange thing appens on SCO"
- Next in thread: Andre_FassbenderMN.MAN.DE: "Re: Winamp M3U playlist parser buffer overflow security vulnerability"
- Reply: Andre_FassbenderMN.MAN.DE: "Re: Winamp M3U playlist parser buffer overflow security vulnerability"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
LEGAL NOTICE:
By reading this you do agree that life does not make
sense and it doesn't need to. You also agree to
wear a condom. You do agree to think about nature.
.. umm you also agree to GPL all software you've ever
written.
[Click here if you're under 18]
There is a buffer overflow security vulnerability in
Winamp's (http://www.winamp.com) M3U playlist parser.
The overflow happens when an M3U extension called "#EXTINF:" is being
handled. The size of the parameter
following that keyword is not checked.
Real world example:
--cut-here-and-paste-to-a-file-with-m3u-extension--
#EXTM3U
#EXTINF:AAAAAAAAA....AAAAAAAAA<cr><lf>
--cut here--
There should be at least 280 A's.
The overflow allows total control over ones computer.
For example one could embedd an M3U file to a web page
several ways:
- <A HREF="ATTACK.M3U">
- <BGSOUND SRC="ATTACK.M3U">
- <EMBED SRC="ATTACK.M3U">
I have tested the first one but I have Media Player
installed on this computer and my browser uses its
components for the latter two so I cannot confirm..
The only problem is some structure (FILE *?) after
the buffer because it has a zero in it and it must
not be crafted to successfully return from the function.
I had to apply some trial and error to get code executed.
Currently the code crafts Winamp's MOD file format support
until restarted (I presume so.. :-).
The attached .M3U file should crash Winamp at 0000:41414141. I've tested it
with Windows 98 and
Windows 95 with Winamp versions 2.62 and 2.64.
Thank you.. I might not be available too frequently
to answer your mail.. Have a nice life. Bye.
________________________________________________________________________
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com
- text/plain attachment: ATTACK.M3U
- Next message: Microsoft Product Security: "Microsoft Security Bulletin (MS00-043)"
- Previous message: Fabio Pietrosanti: "strange thing appens on SCO"
- Next in thread: Andre_FassbenderMN.MAN.DE: "Re: Winamp M3U playlist parser buffer overflow security vulnerability"
- Reply: Andre_FassbenderMN.MAN.DE: "Re: Winamp M3U playlist parser buffer overflow security vulnerability"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]