Winamp is a popular media player for Microsoft Windows. Brett Moore discovered a remotely exploitable stack based buffer overflow in Winamp.
Credit:
The information has been provided by Brett Moore.
Vulnerable Systems:
* Winamp version 5.05
Immune Systems:
* Winamp version 5.06
The overflow can be caused in various ways; the most dangerous, though, is through a malformed .m3u playlist file. When hosted on a web site, such a file will automatically be downloaded and opened in Winamp without any user interaction. This is enough to cause the overflow, which allows a malicious playlist to overwrite EIP and execute arbitrary code.
When Winamp opens the malformed playlist file, a first exception will occur:
First Chance Exception in winamp.exe (IN_CDDA.DLL) : Access Violation
At this location
00A49BE8 88 4C 04 30 mov byte ptr [esp+eax+30h],cl
This exception will be handled by Winamp, and execution will then continue until it reaches the second exception at this location:
61616161 ???
with the registers looking like:
EAX = 0012A5D8 EBX = 0012C024
ECX = 61616161 EDX = 77F96DAE
ESI = 0012A600 EDI = 0046B9E0
EIP = 61616161 ESP = 0012A540
EBP = 0012A560 EFL = 00210246
As can be seen, EIP has been overwritten with a value supplied through the malformed playlist file, 0x61616161 ("aaaa"), and since more playlist-supplied data is located at the address pointed to by EDI, execution of malicious code is possible.
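The advisory describes the trigger as a playlist entry long enough to overrun a fixed-size stack buffer, with the register dump showing the overwritten EIP filled by repeated bytes. From a defender's side, the cheap check is to inspect .m3u files before they reach the player and flag entries that are implausibly long or made of long runs of a single byte. The scanner below is an added example, not code from the advisory, from Nullsoft or from Security-Assessment.com; the length threshold and the run-length threshold are assumptions chosen for illustration, and the sample playlists are constructed test input.

```python
"""Heuristic scanner for suspicious .m3u playlist entries (added example).

Flags two things a mail gateway, download filter or incident responder might
want to see before a playlist is handed to a media player:
  * entries longer than a fixed-size path buffer is likely to hold, and
  * entries dominated by one repeated byte (the "aaaa..." fill pattern).
The thresholds are assumptions for this example, not values from the advisory.
"""

# Assumption: a Windows MAX_PATH-sized (260 byte) buffer is a common fixed size
# for playlist entries, so anything longer is worth a second look.
MAX_SAFE_ENTRY_LEN = 260

# Assumption: no legitimate path or URL contains 64+ consecutive identical bytes.
MAX_SAFE_RUN = 64


def longest_run(s: str) -> int:
    """Return the length of the longest run of one repeated character in s."""
    best = cur = 0
    prev = None
    for ch in s:
        cur = cur + 1 if ch == prev else 1
        prev = ch
        best = max(best, cur)
    return best


def scan_m3u(text: str) -> list:
    """Return a list of findings, one dict per suspicious line.

    Each finding carries the 1-based line number, whether the line is a
    '#' directive (#EXTM3U, #EXTINF) or a media entry, the reason it was
    flagged, and the measured length or run length.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip("\r\n")
        if not line.strip():
            continue
        kind = "directive" if line.startswith("#") else "entry"
        if len(line) > MAX_SAFE_ENTRY_LEN:
            findings.append({"line": lineno, "kind": kind,
                             "reason": "overlong", "value": len(line)})
        run = longest_run(line)
        if run >= MAX_SAFE_RUN:
            findings.append({"line": lineno, "kind": kind,
                             "reason": "repeated_byte", "value": run})
    return findings


def is_suspicious(text: str) -> bool:
    """True if any line of the playlist trips a heuristic."""
    return bool(scan_m3u(text))


# Constructed sample input: a normal two-line playlist ...
SAMPLE_OK = (
    "#EXTM3U\n"
    "#EXTINF:213,Example Artist - Example Song\n"
    "C:\\Music\\example.mp3\n"
)

# ... and a constructed playlist whose third line is a 600-byte run of 'a'
# followed by an extension, the shape of input that overruns a small buffer.
SAMPLE_BAD = (
    "#EXTM3U\n"
    "#EXTINF:-1,constructed test entry\n"
    + "a" * 600 + ".mp3\n"
)

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, "suspicious" if is_suspicious(sample) else "clean")
        for f in scan_m3u(sample):
            print("  line %(line)d (%(kind)s): %(reason)s=%(value)d" % f)
```

The heuristic is deliberately coarse: a long but legitimate URL would be flagged for review rather than blocked, which is the right trade-off at a download filter. The run-length check catches the fill pattern even when an entry is padded to just under the length threshold.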
Disclosure Timeline:
* October 14, 2004: Vulnerability discovered and advised to Nullsoft by Brett Moore of Security-Assessment.com
* November 11, 2004: Winamp 5.06 released
* November 23, 2004: Public disclosure