Outpost24 Advisory
www.outpost24.com

Advisory Name: Oddsock PlaylistGenerator Multiple Buffer Overflow Vulnerability
Release date: 15/07-02
Software: Song Requester
Version: 2.1
Platform: Windows NT/XP/95/98/2000
Severity: DoS vulnerability that terminates Winamp and requires a restart
Author: Lucas Lundgren (ll@outpost24.com)
Reference: http://www.outpost24.com/news/
Vendor Status: No response

Summary:

Oddsock Playlist generator is used by radio DJs to allow listeners to choose a song to play from the Winamp playlist. Song Requester Version 2.1 contains multiple buffer overflows, which result in a DoS against the Winamp/Shoutcast service. The DJ will have to restart Winamp in order to make it work again.

There are two major kinds of DoS attacks against this software. The first displays an error message and informs the user that a logfile has been created. The second closes down Winamp and restores the playlist from the previous state, so that any newly added songs will not be displayed in the playlist. It also restores the admin password to what it was previously, if it has been changed without restarting Winamp.

Technical Details:

Passing long names or character strings to the CGI files in Song Requester causes a DoS, closing down Winamp and/or leaving an error log.

For example, requesting:

http://<musicserver>/request.cgi?listpos=9999999999999999999999999999 (9x256)

causes Winamp to crash and makes Dr Watson dump a logfile.

But a request for:

http://<musicserver>/request.cgi?psearch=999999999999999999999999999999 (9x254)

makes Winamp die without any error messages. Oddsock overflows the playlist and crashes the Winamp player. See the Dr Watson logs for more details.

All the CGI files in Song Requester are vulnerable to DoS attacks, even 'admin.cgi'. Please note that the password you type in is shown in clear text; no asterisks replace the characters.

Outpost24 Contact: Lucas Lundgren (ll@outpost24.com)
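
Added example, not part of the Outpost24 advisory: a log check that flags over-long parameter values sent to any .cgi path, the request pattern described under Technical Details. It assumes requests pass through a proxy that writes Common Log Format lines and that 32 characters is a sensible upper bound for these parameters; the function name, threshold and sample lines are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: requests reach Song Requester through a proxy that writes
# Common Log Format lines; the advisory does not describe any logging.
REQUEST_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*"'
)

# Assumption: 32 characters is generous for a playlist position or search term.
MAX_VALUE_LEN = 32


def find_oversized_params(lines, max_len=MAX_VALUE_LEN):
    """Return (client, path, parameter, value_length) for each over-long CGI parameter."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        url = urlsplit(m.group("target"))
        # The advisory says every CGI file is affected, so check all *.cgi paths.
        if not url.path.lower().endswith(".cgi"):
            continue
        # parse_qsl percent-decodes, so the length is that of the decoded value.
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if len(value) > max_len:
                hits.append((m.group("client"), url.path, name, len(value)))
    return hits


# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Jul/2002:10:00:01 +0200] "GET /request.cgi?listpos=12 HTTP/1.0" 200 512',
    '192.0.2.44 - - [15/Jul/2002:10:00:07 +0200] "GET /request.cgi?listpos=' + "9" * 256 + ' HTTP/1.0" 200 0',
    '192.0.2.44 - - [15/Jul/2002:10:00:09 +0200] "GET /request.cgi?psearch=' + "9" * 254 + ' HTTP/1.0" 200 0',
    '192.0.2.10 - - [15/Jul/2002:10:00:15 +0200] "GET /index.html?x=' + "a" * 300 + ' HTTP/1.0" 200 90',
]

if __name__ == "__main__":
    for client, path, name, length in find_oversized_params(SAMPLE_LOG):
        print(f"{client} {path} {name}: {length} characters")
```

The same length bound can be enforced as a reject rule at the proxy, so over-long values never reach the plugin.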