Jul 21, 2005, 06:01 PM   #1
daRk_heLmet

Winamp Security Vulnerability

Winamp is vulnerable to a buffer overflow when processing ID3v2 tags of mp3 files. To exploit this vulnerability, a user has to add a malformed mp3 file to the Winamp playlist and play it. When the mp3 file finishes playing, the playlist is updated, and if some part of the ID3v2 tag (e.g. ARTIST or TITLE) is too long, it is possible to overflow a value that is later used as the source address in a strcpy() call. The strcpy() call can overflow a value (in the DATA segment) that will later, in a jump instruction, point code execution to some attacker-supplied buffer, where malicious code can be executed.

Before it is possible to overflow the important value in the DATA segment, a simple "sanity check" has to be passed. In the next piece of asm code, we control the EAX register (because of the first overflow), and after returning from the function, that EAX is used as the source address for strcpy().

This "sanity check" code tests whether the value 0x00000001 (ECX) is in memory at offset 0x9B4 from the address in EAX. If that condition is true, then after returning from the function the same EAX content is used as the source address in strcpy(). If the condition is false, EAX is set to the value located at offset 0x9B8 from the current EAX address, and the program jumps to the beginning of the loop.
Read More/Source: LSS

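The two mechanics the post describes, as an added example that is not code from the post, from Winamp, or from the LSS advisory: an ID3v2.3 tag is built in memory with a TIT2 (title) frame far longer than a fixed destination buffer, a length-checked parser extracts the title with truncation instead of an unchecked strcpy(), and the "marker at a fixed offset" check is modelled as a pointer walk using the 0x9B4 and 0x9B8 offsets from the post. The 256-byte destination buffer, the struct layout, and the treatment of the check as a linked-list walk are assumptions for illustration; only the offsets and the compared value (1) come from the post.

```c
/* Added example: malformed ID3v2.3 TIT2 frame, bounded parsing, and a model
 * of the "value 1 at +0x9B4, else follow +0x9B8" check. Not Winamp's code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TITLE_BUF 256   /* assumed fixed-size destination buffer for the title */

/* ID3v2 tag sizes are "syncsafe": four bytes carrying 7 bits each. */
static void put_syncsafe(unsigned char *p, uint32_t n) {
    p[0] = (n >> 21) & 0x7f; p[1] = (n >> 14) & 0x7f;
    p[2] = (n >> 7) & 0x7f;  p[3] = n & 0x7f;
}
static uint32_t get_syncsafe(const unsigned char *p) {
    return ((uint32_t)(p[0] & 0x7f) << 21) | ((uint32_t)(p[1] & 0x7f) << 14) |
           ((uint32_t)(p[2] & 0x7f) << 7)  |  (uint32_t)(p[3] & 0x7f);
}

/* Build an ID3v2.3 tag with one TIT2 frame whose text is `fill` repeated
 * text_len times (constructed input). Returns bytes written, 0 on error. */
size_t build_tag(unsigned char *out, size_t cap, size_t text_len, char fill) {
    size_t frame_body = 1 + text_len;          /* encoding byte + text */
    size_t total = 10 + 10 + frame_body;       /* tag header + frame header + body */
    if (total > cap || frame_body > 0x7fffffffu) return 0;
    memcpy(out, "ID3\x03\x00\x00", 6);         /* "ID3", version 2.3, flags 0 */
    put_syncsafe(out + 6, (uint32_t)(10 + frame_body));
    memcpy(out + 10, "TIT2", 4);
    out[14] = (unsigned char)(frame_body >> 24); out[15] = (unsigned char)(frame_body >> 16);
    out[16] = (unsigned char)(frame_body >> 8);  out[17] = (unsigned char)frame_body;
    out[18] = 0; out[19] = 0;                  /* frame flags */
    out[20] = 0;                               /* text encoding: ISO-8859-1 */
    memset(out + 21, fill, text_len);
    return total;
}

/* Bounded title extraction: walks the frames, copies TIT2 text into a
 * TITLE_BUF buffer with truncation. Returns the declared text length, or -1
 * if the tag is malformed or has no TIT2 frame. *truncated is set when the
 * frame exceeded the buffer, the case an unchecked strcpy() overflows on. */
long extract_title(const unsigned char *tag, size_t len, char *title, int *truncated) {
    *truncated = 0; title[0] = '\0';
    if (len < 10 || memcmp(tag, "ID3", 3) != 0 || tag[3] != 3) return -1;
    size_t end = 10 + get_syncsafe(tag + 6);
    if (end > len) return -1;                  /* header claims more than we have */
    for (size_t pos = 10; pos + 10 <= end; ) {
        uint32_t fsize = ((uint32_t)tag[pos + 4] << 24) | ((uint32_t)tag[pos + 5] << 16) |
                         ((uint32_t)tag[pos + 6] << 8)  |  (uint32_t)tag[pos + 7];
        if (fsize == 0) break;                 /* zero padding: no more frames */
        if (fsize > end - pos - 10) return -1; /* frame runs past the tag */
        if (memcmp(tag + pos, "TIT2", 4) == 0) {
            size_t tlen = fsize - 1;           /* skip the encoding byte */
            size_t n = tlen < TITLE_BUF - 1 ? tlen : TITLE_BUF - 1;
            memcpy(title, tag + pos + 11, n); title[n] = '\0';
            *truncated = tlen > n;
            return (long)tlen;
        }
        pos += 10 + fsize;
    }
    return -1;
}

/* Build and parse a tag with a text_len-byte title:
 * 1 = fits, 2 = had to be truncated, 0 = build or parse failure. */
int probe_title(size_t text_len) {
    unsigned char tag[8192]; char title[TITLE_BUF]; int trunc;
    size_t n = build_tag(tag, sizeof tag, text_len, 'A');
    if (n == 0) return 0;
    if (extract_title(tag, n, title, &trunc) != (long)text_len) return 0;
    return trunc ? 2 : 1;
}

/* Model of the check in the post: accept the pointer if the 32-bit value at
 * +0x9B4 is exactly 1, otherwise follow the pointer stored at +0x9B8 and
 * loop. The struct layout is assumed; only the offsets come from the post. */
struct entry {
    unsigned char pad[0x9B4];
    uint32_t flag;            /* at +0x9B4 */
    struct entry *next;       /* at +0x9B8 (no padding: 0x9B8 is 8-aligned) */
};
const struct entry *find_source(const struct entry *e, int max_hops) {
    while (e != NULL && max_hops-- > 0) {
        if (e->flag == 1) return e;            /* accepted as strcpy() source */
        e = e->next;
    }
    return NULL;
}
int marker_check_walks(void) {                 /* legitimate list: a -> b(flag=1) */
    static struct entry a, b;
    memset(&a, 0, sizeof a); memset(&b, 0, sizeof b);
    a.next = &b; b.flag = 1;
    return find_source(&a, 8) == &b;
}
int marker_check_forged(void) {                /* attacker memory with 1 at +0x9B4 */
    static struct entry fake;
    memset(&fake, 0, sizeof fake); fake.flag = 1;
    return find_source(&fake, 8) == &fake;     /* the marker alone satisfies it */
}

int main(void) {
    printf("255-byte title: %d, 1000-byte title: %d\n", probe_title(255), probe_title(1000));
    printf("walk ok: %d, forged pointer accepted: %d\n", marker_check_walks(), marker_check_forged());
    return 0;
}
```

The point of the model is that the check only confirms a marker value at a fixed offset from whatever EAX holds; once the first overflow puts an attacker-chosen address in EAX, any attacker-controlled buffer with 1 at +0x9B4 passes and becomes the strcpy() source, which is why the parser side has to bound the copy rather than rely on the later check.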