#####################################################*
# Damage Hacking Group security advisory
# www.dhgroup.org
#####################################################*
#Product: WinAmp v.3.0 final (not beta :)) bld #488
#Authors: NullSoft, Inc. [www.winamp.com]
#Vulnerable versions: up to v.3.0
#Not vulnerable: all that don't support b4s-lists
#Vulnerability: buffer overflow (& code execution)
#####################################################*

#Overview#--------------------------------------------------------------#

IMHO, this is the most popular media player on win32 platforms.

#Problem#---------------------------------------------------------------#

First, what is b4s? WinAmp allows you to save your mp3 list to *.b4s files. This is something like *.m3u lists, but b4s uses XML. Here is an example of a b4s file (# - comments):

<?xml version="1.0" encoding='UTF-8' standalone="yes"?>
<WinampXML>
<!-- Generated by: Nullsoft Winamp3 version 3.0 -->
<playlist num_entries="[number_of_entries]" label="[playlist_name]">    #(1)
  #first entry
  <entry Playstring="file:[path_to_file]">    #(2)
    <Name>[name_of_the_song]</Name>
    <Length>[file_size_in_bytes]</Length>
  </entry>
  #end of first entry
</playlist>
</WinampXML>

Now, let's talk about the bugs.

(1) If [playlist_name] is longer than 16580 bytes, ecx, esi and the return address (!!) are overwritten at address 0x1007C340. So it is possible to execute arbitrary code with the user's permissions.

(2) Buffer overflow in [path_to_file]. I don't parse this problem, but I really think that it's very serious too.

(3) DoS. If [playlist_name] includes some Cyrillic (imho, any non-English) letters, WinAmp crashes.

(4) DOS device bug. If [path_to_file] is "file:aux", WinAmp freezes.

#Fix#--------------------------------------------------------------------#

Use m3u lists :) & wait for new versions of WinAmp.

#Exploit#----------------------------------------------------------------#

Sorry, xsploit is private.
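Added example, not part of the advisory and not Nullsoft code: a small Python checker that flags, in a b4s file before it reaches the player, the four conditions described in the Problem section: an oversized label (1), an oversized Playstring (2), non-ASCII characters in the label (3) and a Playstring that names a DOS device such as aux (4). The byte thresholds, the function names and the sample playlist are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Thresholds are assumptions of this checker, not values from the advisory;
# the advisory reports the overwrite at a 16580-byte label, so anything
# approaching that is abnormal for a playlist name or a file path.
MAX_LABEL_BYTES = 1024
MAX_PATH_BYTES = 1024
# Reserved DOS device names; the advisory itself names "aux".
DOS_DEVICES = ({"aux", "con", "prn", "nul"}
               | {f"com{i}" for i in range(1, 10)}
               | {f"lpt{i}" for i in range(1, 10)})

def device_name(playstring):
    """Return the DOS device a file: Playstring resolves to, or None."""
    m = re.match(r"file:/*(.*)", playstring, re.IGNORECASE)
    if not m:
        return None
    base = m.group(1).replace("\\", "/").rsplit("/", 1)[-1]
    stem = base.split(".", 1)[0].lower()   # "aux.mp3" still opens AUX on Windows
    return stem if stem in DOS_DEVICES else None

def check_b4s(xml_text):
    """Return a list of (issue, detail) tuples found in one b4s document."""
    findings = []
    root = ET.fromstring(xml_text)
    for pl in root.iter("playlist"):
        label = pl.get("label", "")
        if len(label.encode("utf-8")) > MAX_LABEL_BYTES:
            findings.append(("oversized_label", len(label.encode("utf-8"))))
        if any(ord(ch) > 127 for ch in label):
            findings.append(("non_ascii_label", label))
        for entry in pl.iter("entry"):
            ps = entry.get("Playstring", "")
            if len(ps.encode("utf-8")) > MAX_PATH_BYTES:
                findings.append(("oversized_playstring", len(ps.encode("utf-8"))))
            dev = device_name(ps)
            if dev:
                findings.append(("dos_device_playstring", dev))
    return findings

# Constructed sample playlist: one entry whose Playstring is the AUX device.
SAMPLE = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<WinampXML>
<playlist num_entries="1" label="my list">
<entry Playstring="file:aux"><Name>song</Name><Length>12345</Length></entry>
</playlist>
</WinampXML>"""
```

Run `check_b4s()` over the text of each playlist in a quarantine directory; any non-empty result is a file the player should not be allowed to open.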
#EOF

Best regards
www.dhgroup.org
D4rkGr3y
icq 540981