One buffer overflow exists in Winamp 2.81 (latest 2.x release) and two buffer overflows exist in Winamp 3.0 (latest 3.x release). The Winamp 2.81 overflow is in the handling of the Artist ID3v2 tag upon immediate loading of an MP3. The two Winamp 3.0 overflows are present in the Media Library's handling of the Artist and Album ID3v2 tags.
Credit:
The original advisory can be downloaded by going to:
http://www.foundstone.com/knowledge/randd-advisories-display.html?id=338
The information has been provided by Tony Bettini, Foundstone.
Vulnerable systems:
* Winamp 3.0
* Winamp 2.81
Winamp 2.81 Overflow
If a long Artist ID3v2 tag is present within an MP3, Winamp 2.81 will crash, yielding privileges, immediately upon loading the MP3.
Two Winamp 3.0 Media Library Overflows
If an MP3 that has an ID3v2 tag is loaded into Winamp 3.0, the Artist and Album fields of the ID3v2 tag are displayed within the Media Library window of Winamp3. An attacker could create a malicious MP3 file that, if loaded via the Media Library window, would compromise the system and allow for remote code execution.
An attacker could create a malicious MP3 file that exploits either the overflow of the Artist ID3v2 tag or the Album ID3v2 tag (or both). For either overflow to occur, the user has to attempt to load the MP3 file from the Media Library by at least single-clicking on the MP3 via either the Artist or Album window.
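For triage of MP3 files before they reach an unpatched player, the following added example (not part of the Foundstone advisory or any Nullsoft code) walks the ID3v2 frames and reports Artist and Album frames whose declared size is unusually large. The function names and the 256-byte threshold are assumptions; the advisory does not state the length at which the overflows occur.

```python
import sys

# Assumption: the advisory gives no length, so this limit is an arbitrary
# triage threshold for artist/album text, not the overflow boundary.
MAX_TEXT_BYTES = 256
WATCHED = {"TPE1": "Artist", "TALB": "Album",   # ID3v2.3 / v2.4 frame IDs
           "TP1": "Artist", "TAL": "Album"}     # ID3v2.2 frame IDs

def synchsafe(b):
    """Decode a synchsafe integer (7 significant bits per byte)."""
    n = 0
    for byte in b:
        n = (n << 7) | (byte & 0x7F)
    return n

def oversized_tags(data, limit=MAX_TEXT_BYTES):
    """Return [(field, declared_size)] for Artist/Album frames over limit."""
    if len(data) < 10 or data[:3] != b"ID3":
        return []                                # no ID3v2 tag at file start
    major, flags = data[3], data[5]
    if major not in (2, 3, 4):
        return []
    end = min(10 + synchsafe(data[6:10]), len(data))
    pos = 10
    if major >= 3 and flags & 0x40 and pos + 4 <= end:   # skip extended header
        ext = data[pos:pos + 4]
        pos += synchsafe(ext) if major == 4 else 4 + int.from_bytes(ext, "big")
    id_len, hdr_len = (3, 6) if major == 2 else (4, 10)
    findings = []
    while pos + hdr_len <= end:
        fid = data[pos:pos + id_len]
        if fid[0] == 0:                          # padding reached
            break
        raw = data[pos + id_len:pos + id_len + (3 if major == 2 else 4)]
        # v2.4 frame sizes are synchsafe; v2.2 and v2.3 use plain big-endian
        size = synchsafe(raw) if major == 4 else int.from_bytes(raw, "big")
        name = WATCHED.get(fid.decode("latin-1"))
        if name and size > limit:
            findings.append((name, size))
        pos += hdr_len + size
    return findings

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            head = fh.read(1 << 20)              # ID3v2 tag sits at file start
        for field, size in oversized_tags(head):
            print(f"{path}: {field} frame declares {size} bytes")
```

The check only inspects declared frame sizes and does not handle unsynchronised tags, so it is a pre-filter and not a substitute for installing the fixed builds.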
Vendor Response:
Nullsoft has released fixed versions of Winamp 2.81 and Winamp 3.0 and both are available at: http://www.winamp.com
Foundstone would like to thank Nullsoft for their cooperation with the remediation of this vulnerability.
Solution:
For Winamp 2.81 users
We recommend either upgrading to Winamp 3.0 or redownloading Winamp 2.81 (which has since been fixed) from: http://www.winamp.com
For Winamp 3.0 users
Only Winamp 3.0 build #488, built on December 15, 2002, and later builds are not vulnerable. If the About Winamp3 dialog box within Winamp 3.0 displays a 3.0 release that has a lower build number than 488 or an earlier date than Dec 15 2002, we recommend redownloading Winamp 3.0 from: http://www.winamp.com