OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Lucas Lundgren (ll_at_outpost24.com)
Date: Tue Jul 16 2002 - 05:31:23 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    ('binary' encoding is not supported, stored as-is) Outpost24 Advisory
                                                          
             www.outpost24.com

    Advisory Name: Oddsock PlaylistGenerator Multiple
    BufferOverlow vulnerability
    Release date: 15/07-02
    Software : Song Requester Version : 2.1
    Platform: Windows NT/XP/95/98/2000
    Severity: DoS Vulnerability, that terminates Winamp,
    and restart

    Author: Lucas Lundgren (lloutpost24.com)
    Reference: http://www.outpost24.com/news/
    Vedor Status: No response

    Summary:

    Oddsock Playlist generator is used by Radio DJs to
    allow listeners to choose a song to play from the
    Winamp Playlist.Song Requester Version
    2.1 contains multiple buffer overflows, which will
    result in a DoS attack against the Winamp/Shoutcast
    service. The DJ will have to restart Winamp in order to
    make it work again.

    There are two major kinds of DoS attacks against this
    software: the first will display an error message, and
    inform the user that a logfile has been created. The
    second attack closes down Winamp and restores the
    playlist from the previous state, so that any newly
    added songs will not be displayed in the playlist.It
    also restores the admin password to what
    is was previously, if it has been changed without
    restarting Winamp.

    Technical Details:

    By parsing long names or characters to the CGI files in
    the Song Requester, a DoS is avalible, closing down
    Winamp and / or leaving a error log. You could try to
    parse

    http://>/request.cgi?listpos=9999999999999999999999999999
    (9x256)

    This will cause Winamp to crash, and makes Dr Watson
    dump a logfile.

    But if you parse:
     
    http://>/request.cgi?psearch=999999999999999999999999999999
    (9x254)

    Winamp will die without any error messages.

    Oddsock overflows the playlist and crashes the Winamp
    player. If you want to check it out, please look at Dr
    Watson logs for more details. All the CGI files in
    Song Requester are vulnerable to DoS attacks, even
    the 'admin.cgi'. Please note that the password you type
    in is in clear text; no asterix signs replace the
    characters.

    Outpost24
    Contact: Lucas Lundgren (lloutpost24.com)