[20505] in bugtraq


Winamp 2.6x / 2.7x buffer overflow

daemon@ATHENA.MIT.EDU (ByteRage)
Sun Apr 29 13:04:30 2001

MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="0-1470503465-988533706=:38839"
Message-ID:  <20010429084146.40720.qmail@web13002.mail.yahoo.com>
Date:         Sun, 29 Apr 2001 01:41:46 -0700
Reply-To: ByteRage <byterage@YAHOO.COM>
From: ByteRage <byterage@YAHOO.COM>
To: BUGTRAQ@SECURITYFOCUS.COM

--0-1470503465-988533706=:38839
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

WINAMP 2.6x / 2.7x BUFFER OVERFLOW

AFFECTED SYSTEMS
Winamp 2.73 (full)
Winamp 2.70 (full)
Winamp 2.64 (standard)
Winamp 2.62 (standard)
Winamp 2.61 (full)
Winamp 2.60 (full)
Winamp 2.60 (lite)

(haven't tested 2.74/2.72/2.71/2.65/... yet, but as
you can guess, it's very likely that they're affected)

IMMUNE SYSTEMS
Winamp 2.5e
Winamp 2.50
Winamp 2.24
Winamp 2.04

DESCRIPTION

Winamp has a buffer overflow condition when parsing
*.AIP files (a file type that, like *.M3U / *.PLS, is
set to be downloaded and opened automatically without
user intervention).

The bug can be reproduced by simply putting a lot of
As (about 2100) in an *.AIP file and double-clicking
it. A sample *.AIP has been attached; I have zipped it
up so as not to cause too much trouble with automatic
downloading...

The sample *.AIP will attempt to snatch the EIP and
set it to 080808080h, it seems to work most of the
time, but not always. Snatching the EIP seems to be
the hardest part of writing an exploit for this bug.
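The defect class described above, as an added example that is not Nullsoft's code and is not taken from the advisory: the real *.AIP layout is not documented here, so the snippet assumes an entry is one text line that the player copies into a fixed-size buffer (the buffer size, the function names and the 1024-byte triage limit are all assumptions). It places the classic unbounded copy beside a bounded one that rejects over-long input, and adds a simple length check an administrator could run over downloaded files before a user opens them.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Assumed fixed buffer size; the advisory does not state Winamp's. */
#define ENTRY_MAX 256

/* Classic vulnerable pattern: an unbounded copy into a stack buffer.
 * A line longer than ENTRY_MAX-1 bytes overwrites whatever follows the
 * buffer on the stack (saved registers, return address), which is the
 * behaviour the advisory reproduces with a line of ~2100 'A's.
 * Shown for contrast only; never feed it untrusted input. */
int parse_entry_unsafe(const char *line)
{
    char entry[ENTRY_MAX];
    strcpy(entry, line);              /* no length check at all */
    return (int)strlen(entry);
}

/* Hardened form: refuse input that does not fit (including the NUL),
 * copy with an explicit bound and guarantee termination.
 * Returns the entry length on success, -1 if the line is too long. */
int parse_entry_safe(const char *line, char *out, size_t out_size)
{
    size_t n = strlen(line);
    if (out_size == 0 || n >= out_size)
        return -1;                    /* would not fit with terminator */
    memcpy(out, line, n + 1);         /* n bytes plus the terminating NUL */
    return (int)n;
}

/* Defender-side triage: report 1 if any line in the file contents
 * exceeds 'limit' bytes, 0 otherwise. Playlist-style entries are short,
 * so a multi-kilobyte line is a strong signal the file is malformed. */
int aip_looks_suspicious(const char *data, size_t limit)
{
    size_t run = 0;
    for (const char *p = data; *p; p++) {
        if (*p == '\n') { run = 0; continue; }
        if (++run > limit) return 1;
    }
    return 0;
}

/* Constructed sample mimicking the advisory's reproduction: a single
 * line of 'count' 'A' characters. Returns the number of bytes written
 * (excluding the NUL). */
size_t make_long_line(char *buf, size_t buf_size, size_t count)
{
    if (count >= buf_size) count = buf_size - 1;
    memset(buf, 'A', count);
    buf[count] = '\0';
    return count;
}

int main(void)
{
    char big[4096];
    char out[ENTRY_MAX];
    const char *benign = "http://stream.example.invalid/"; /* constructed */

    make_long_line(big, sizeof big, 2100);

    printf("benign entry (unsafe parser ok on short input): %d\n",
           parse_entry_unsafe(benign));
    printf("benign entry (safe parser): %d\n",
           parse_entry_safe(benign, out, sizeof out));
    printf("2100-byte line (safe parser, -1 = rejected): %d\n",
           parse_entry_safe(big, out, sizeof out));
    printf("2100-byte line flagged by triage: %d\n",
           aip_looks_suspicious(big, 1024));
    return 0;
}
```

The safe parser returns an error rather than silently truncating, because a truncated entry can itself change meaning (for example a URL losing its path); the caller decides what to do with a rejected line. The triage function is deliberately format-agnostic, so it works on any line-oriented playlist file, not only *.AIP.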

This buffer overflow could lead to a system compromise
on a Windows computer running Winamp 2.7x / 2.6x,
either via a webpage or via an e-mail which opens a
malicious *.AIP.

VENDOR STATUS
I've contacted Denzil Kriekenbeek of Nullsoft
<denzil@spinner.com>, notifying him about the buffer
overflow condition. (The automatic feedback form on
winamp.com didn't work, nor did
support@winamp.com.)

SOLUTION
Consider turning off automatic downloading of *.AIP
files (also consider turning it off for *.M3U, *.PLS,
*.WPZ, *.WSZ, ...), so that if a suspicious webpage or
e-mail attempts to open an *.AIP file with Winamp, you
can decide not to hit 'execute from current location'.

greetz,

[ByteRage]
<byterage@yahoo.com> [www.byterage.cjb.net]

--0-1470503465-988533706=:38839
Content-Type: application/x-zip-compressed; name="SNATCH-EIP-80808080.zip"
Content-Transfer-Encoding: base64
Content-Description: SNATCH-EIP-80808080.zip
Content-Disposition: attachment; filename="SNATCH-EIP-80808080.zip"

UEsDBBQAAAAIABymnCoFdJe4IgAAADUIAAAXAAAAU05BVENILUVJUC04MDgw
ODA4MC5haXD7/38UjIJRMApGwSgYBSMRGCABR0cDDGABhYZGxiYgzAAAUEsD
BBQAAAAIAM6onCplSaOVDAEAAHUBAAAKAAAAUkVBRE1FLnR4dDWQwUrEMBRF
94X+w90IKjNp1YUiIjOK4Gxk0AEX4iIdX9to0leSN8b69aYdh2xCcm7euXl5
Wm7uH+cPq/X8qtwvtVytEY21ED9Adx8IJEgEhFEeqHaWZ7tgugbSEqpdXZMH
f5OvLUeYbjp+NZ12Pc7V5QVOp3d77QP5PKvZw7GnRKat02K4m6VBBDcgUhWM
EBZoRfrroogxqmoQ8rohtf2sVEeSZ8f/t2RrVfGPCl/FASpO8izPNq0JcKZp
BR0LKpqkHAcB92Kctoh6ANdjQxm7pJYz6AAjSNExdFaWR/Bkja4sJUN2lJI0
IbU2NiilxlmNJ5Lf9Clvd8nhOTm84+agsxh0y6y27G5H9g9QSwECFAAUAAAA
CAAcppwqBXSXuCIAAAA1CAAAFwAAAAAAAAAAACAAtoEAAAAAU05BVENILUVJ
UC04MDgwODA4MC5haXBQSwECFAAUAAAACADOqJwqZUmjlQwBAAB1AQAACgAA
AAAAAAABACAAtoFXAAAAUkVBRE1FLnR4dFBLBQYAAAAAAgACAH0AAACLAQAA
AAA=

--0-1470503465-988533706=:38839--
