[Esa-l] WinAmp vulnerability (More extensions to defang or poison?)

Brett Glass brett at lariat.org
Mon Apr 30 10:34:08 PDT 2001


Approved-By: aleph1 at SECURITYFOCUS.COM
Date:         Sun, 29 Apr 2001 01:41:46 -0700
Reply-To: ByteRage <byterage at YAHOO.COM>
Sender: Bugtraq List <BUGTRAQ at SECURITYFOCUS.COM>
From: ByteRage <byterage at YAHOO.COM>
Subject:      Winamp 2.6x / 2.7x buffer overflow
To: BUGTRAQ at SECURITYFOCUS.COM

WINAMP 2.6x / 2.7x BUFFER OVERFLOW

AFFECTED SYSTEMS
Winamp 2.73 (full)
Winamp 2.70 (full)
Winamp 2.64 (standard)
Winamp 2.62 (standard)
Winamp 2.61 (full)
Winamp 2.60 (full)
Winamp 2.60 (lite)

(haven't tested 2.74/2.72/2.71/2.65/... yet, but as
you can guess, it's very likely that they're affected)

IMMUNE SYSTEMS
Winamp 2.5e
Winamp 2.50
Winamp 2.24
Winamp 2.04

DESCRIPTION

Winamp has a buffer overflow condition when parsing
*.AIP files.
(which are set to be automatically downloaded without
user intervention, just like the *.M3U / *.PLS files)

The bug can be reproduced by simply putting a lot of
As (about 2100) in an *.AIP file and double-clicking
it. A sample *.AIP has been attached; I have zipped it
up so as not to cause too much trouble with automatic
downloading...

The sample *.AIP will attempt to snatch the EIP and
set it to 080808080h, it seems to work most of the
time, but not always. Snatching the EIP seems to be
the hardest part of writing an exploit for this bug.

This buffer overflow could lead to a system compromise
on a windows computer running winamp 2.7x / 2.6x
either via a webpage or by sending an e-mail which
opens a malicious *.AIP.

VENDOR STATUS
I've contacted Denzil Kriekenbeek of nullsoft
<denzil at spinner.com> notifying him about the buffer
overflow condition. (the automatic feedback form on
winamp.com didn't work, nor did
support at winamp.com)

SOLUTION
Consider turning off automatic downloading of *.AIP
files (also consider turning it off for *.M3U, *.PLS,
*.WPZ, *.WSZ, ...), so that if a suspicious webpage or
e-mail attempts to open *.AIP files with winamp, you
can decide not to hit 'execute from current location'.

greetz,

[ByteRage]
<byterage at yahoo.com> [www.byterage.cjb.net]

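A defensive check in the spirit of the SOLUTION section above, added here and not part of ByteRage's post or of any Winamp code: a mail-gateway or proxy filter that flags files carrying the auto-opening extensions the post names when any single field is far longer than a sane playlist entry. The extension list comes from the post; the 1024-byte threshold, the function names and all sample data are assumptions constructed for this example.

```python
import os

# Extensions the post says Winamp opens automatically (taken from the advisory text).
WINAMP_AUTO_OPEN_EXTS = {".aip", ".m3u", ".pls", ".wpz", ".wsz"}

# Assumed threshold: the post reports that roughly 2100 bytes in one field triggers
# the crash, while legitimate playlist entries (paths, URLs) are a few hundred bytes.
MAX_FIELD_LEN = 1024


def longest_field(data: bytes) -> int:
    """Return the length of the longest run of bytes between CR, LF or NUL separators."""
    longest = 0
    for line in data.replace(b"\x00", b"\n").splitlines():
        longest = max(longest, len(line))
    return longest


def inspect_attachment(filename: str, data: bytes, max_len: int = MAX_FIELD_LEN) -> dict:
    """Classify a file a mail gateway or proxy has just received.

    Only files Winamp would open automatically are considered; one whose longest
    field exceeds max_len is flagged so it can be held back rather than delivered.
    """
    ext = os.path.splitext(filename)[1].lower()
    result = {
        "file": filename,
        "winamp_ext": ext in WINAMP_AUTO_OPEN_EXTS,
        "longest_field": longest_field(data),
        "suspicious": False,
    }
    if result["winamp_ext"] and result["longest_field"] > max_len:
        result["suspicious"] = True
    return result


if __name__ == "__main__":
    # Constructed samples: an ordinary playlist and a file shaped like the one the post describes.
    benign_m3u = b"#EXTM3U\r\nC:\\Music\\track01.mp3\r\nhttp://radio.example/stream.pls\r\n"
    oversize_aip = b"A" * 2100 + b"\r\n"
    for name, blob in (("list.m3u", benign_m3u), ("sample.aip", oversize_aip)):
        print(inspect_attachment(name, blob))
```

Files with other extensions are left alone on purpose; the check only targets the automatic-download path the post describes.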