OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: ByteRage (byterageYAHOO.COM)
Date: Sun Apr 29 2001 - 03:41:46 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    WINAMP 2.6x / 2.7x BUFFER OVERFLOW

    AFFECTED SYSTEMS
    Winamp 2.73 (full)
    Winamp 2.70 (full)
    Winamp 2.64 (standard)
    Winamp 2.62 (standard)
    Winamp 2.61 (full)
    Winamp 2.60 (full)
    Winamp 2.60 (lite)

    (haven't tested 2.74/2.72/2.71/2.65/... yet, but as
    you can guess, it's very likely that they're affected)

    IMMUNE SYSTEMS
    Winamp 2.5e
    Winamp 2.50
    Winamp 2.24
    Winamp 2.04

    DESCRIPTION

    Winamp has a buffer overflow condition when parsing
    *.AIP files.
    (which are set to be automatically downloaded without
    user intervention, just like the *.M3U / *.PLS files)

    The bug can be reproduced by simply putting a lot of
    As (about 2100) in an *.AIP file and doubleclicking
    it. A sample *.AIP has been attached, I have zipped it
    up not to cause to much troubles with automatic
    downloading...

    The sample *.AIP will attempt to snatch the EIP and
    set it to 080808080h, it seems to work most of the
    time, but not always. Snatching the EIP seems to be
    the hardest part of writing an exploit for this bug.

    This buffer overflow could lead to a system compromise
    on a windows computer running winamp 2.7x / 2.6x
    either via a webpage or by sending an e-mail which
    opens a malicious *.AIP.

    VENDOR STATUS
    I've contacted Denzil Kriekenbeek of nullsoft
    <denzilspinner.com> notifying him about the buffer
    overflow condition. (the automatic feedback form on
    winamp.com didn't work, neither did
    supportwinamp.com)

    SOLUTION
    Consider turning off automatic downloading of *.AIP
    files (also consider turning it off for *.M3U, *.PLS,
    *.WPZ, *.WSZ, ...), so that if a suspicious webpage or
    e-mail attempts to open *.AIP files with winamp, you
    can decide not to hit 'execute from current location'.

    greetz,

    [ByteRage]
    <byterageyahoo.com> [www.byterage.cjb.net]

    __________________________________________________
    Do You Yahoo!?
    Yahoo! Auctions - buy the things you want at great prices
    http://auctions.yahoo.com/