[10575] in bugtraq
Re: Buffer overflow in WinAMP 2.x
daemon@ATHENA.MIT.EDU (Jello Biafra)
Mon May 17 17:29:53 1999
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7BIT
Message-Id: <E10jDM4-0003HR-00.1999-05-17-03-42-13@mail13.svr.pol.co.uk>
Date: Mon, 17 May 1999 03:40:48 +0100
Reply-To: biafra@X-STREAM.CO.UK
From: Jello Biafra <biafra@X-STREAM.CO.UK>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <37395FD3.63849D57@bydnet.com.pl>
Date sent: Wed, 12 May 1999 13:02:43 +0200
Send reply to: Wojtek Kaniewski <wojtekka@BYDNET.COM.PL>
From: Wojtek Kaniewski <wojtekka@BYDNET.COM.PL>
Subject: Buffer overflow in WinAMP 2.x
To: BUGTRAQ@netspace.org
> Introduction
> ------------
> WinAMP is a popular Windows sound player with support for many file
> formats (MP3, wave files, modules). It also supports MP3 streaming
> (let's call it sh0utcast).
>
> Description of the problem
> --------------------------
> If we tell WinAMP to open a file location (Ctrl+L) which is over 256
> bytes long, it'll produce a nice GPF. The bug also appears when loading
> playlists (.m3u and .pls).
>
> What can we do with this bug?
> -----------------------------
> Many sh0utcast radios place .pls files on their websites, which contain
> the URL of the radio's sh0utcast server.
>
> If we make a b00m.pls file like this...
>
> [playlist]
> NumberOfEntries=1
> File1=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA... (about 256 A's)
>
> and put a link like this...
>
> <A HREF="b00m.pls">Techno explosion -- The Coolest MP3 Radio</A>
>
> on our website, we can make a couple of WinAMPs crash. I suppose that
> there's a possibility to put our own code in the filename (see cDc-351
> for details).
>
> Nullsoft (producer of WinAMP) has been notified about the bug two
> versions ago.
>
> --
> wojtekka@irc.pl :: http://wojtekka.stone.pl/ :: ^wojtekka@ircnet
>
On NT Server 4 with no Service Packs installed, this causes an
application error. Platform is a Cyrix MMX 233.
Access Violation (0xc0000005), Address : 0x62626262
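As an added example (not code from either poster, and not WinAMP's own parser), here is a bounded .pls `FileN=` reader in C that refuses an entry longer than its fixed-size destination instead of copying it, run against a constructed playlist containing a 300-byte entry like the b00m.pls above. The function names, the `MAX_PATH_LEN` buffer size and the sample playlist are assumptions for illustration.

```c
#include <string.h>

#define MAX_PATH_LEN 256  /* assumed fixed-size destination, matching the ~256 bytes in the report */

/* Parse one "FileN=value" line of a .pls playlist into dst.
 * Returns 1 if the value was copied, 0 if the line is not a File entry,
 * and -1 if the value would not fit in dst (rejected instead of copied). */
int pls_parse_file_entry(const char *line, char *dst, size_t dstlen) {
    const char *p;
    size_t n;
    if (strncmp(line, "File", 4) != 0) return 0;
    p = line + 4;
    while (*p >= '0' && *p <= '9') p++;      /* skip the entry number */
    if (*p++ != '=') return 0;
    n = strcspn(p, "\r\n");                  /* value runs to the end of the line */
    if (n >= dstlen) return -1;              /* the length check the report implies is missing */
    memcpy(dst, p, n);
    dst[n] = '\0';
    return 1;
}

/* Walk a playlist held in memory. Returns the number of accepted entries
 * and stores the number of rejected (over-long) entries in *rejected. */
int pls_load(const char *text, int *rejected) {
    char path[MAX_PATH_LEN];
    int accepted = 0, r;
    *rejected = 0;
    while (*text) {
        r = pls_parse_file_entry(text, path, sizeof path);
        if (r == 1) accepted++; else if (r == -1) (*rejected)++;
        text += strcspn(text, "\n");         /* advance to the next line */
        if (*text == '\n') text++;
    }
    return accepted;
}

/* Constructed sample: one ordinary entry plus a 300-byte File2 like b00m.pls. */
int demo(int *rejected) {
    static char pls[512];
    size_t len;
    strcpy(pls, "[playlist]\nNumberOfEntries=2\nFile1=http://example.invalid/x.mp3\nFile2=");
    len = strlen(pls);
    memset(pls + len, 'A', 300);
    pls[len + 300] = '\n'; pls[len + 301] = '\0';
    return pls_load(pls, rejected);
}
```

With the sample above `demo()` reports one accepted entry and one rejected entry; the 300-byte value never reaches the 256-byte buffer.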