OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: D4rkGr3y (grey_1999_at_mail.ru)
Date: Sat Jan 04 2003 - 07:00:47 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    #####################################################*
    # Damage Hacking Group security advisory
    # www.dhgroup.org
    #####################################################*
    #Product: WinAmp v.3.0 final (not beta :)) bld #488
    #Authors: NullSoft, Inc. [www.winamp.com]
    #Vulnerable versions: up to v.3.0
    #Not vulnerable: all that doesn't support b4s-lists
    #Vulnerability: buffer overflow (& code execution)
    #####################################################*

    #Overview#--------------------------------------------------------------#
    IMHO, this is the most popular media player under win32-platforms.

    #Problem#---------------------------------------------------------------#
    First, what is b4s?
    WinAmp allows u to save your mp3-list to *.b4s-files. This is something
    like *.m3u-lists, but b4s uses XML for it's work. Here is example of one
    b4s-file (# - comments):

    <?xml version="1.0" encoding='UTF-8' standalone="yes"?>
    <WinampXML>
    <!-- Generated by: Nullsoft Winamp3 version 3.0 -->
    <playlist num_entries="[number_of_entries]" label="[playlist_name]"> #(1)

    #first entry
    <entry Playstring="file:[patch_to_file]"> #(2)
    <Name>[name_of_the_song]</Name>
    <Length>[file_size_in_byts]</Lengt>
    </entry>
    #end of first entry

    </playlist>
    </WinampXML>

    Now, lets talk about bugs.
    (1) if [playlist_name] will be longer then 16580b, ecx, esi and retaddr(!!)
    will be overwriten at addr 0x1007C340. So it's possible to execute
    arbitrary code with user's permisson.
    (2) buffer overflow in [patch_to_file]. I don't parse this problem,
    but I realy think, that it's very serious too.
    (3) DoS. If [playlist_name] will include some cyrilic (imho, any none
    English) letters, WinAmp will be crashed.
    (4) DOS Device bug. If [patch_to_file] will be "file:aux", WinAmp will
    be freezed.

    #Fix#--------------------------------------------------------------------#
    Use m3u-lists :) & wait for new versions of WinAmp.

    #Exploit#----------------------------------------------------------------#
    Sorry, xsploit is private.
    #EOF

    Best regards www.dhgroup.org
      D4rkGr3y icq 540981