On Wed, Jun 29, 2011 at 08:02:45PM +0100, Luigi Auriemma wrote: > ####################################################################### > > Luigi Auriemma > > Application: Winamp > http://www.winamp.com > Versions: <= 5.61 > Platforms: Windows > Bugs: A] in_midi Controller messages heap overflow > B] in_midi Note On messages heap overflow > C] in_midi MTrk heap overflow > Date: 27 Jun 2011 > Author: Luigi Auriemma > e-mail: aluigi@xxxxxxxxxxxxx > web: aluigi.org > > > ####################################################################### > > > 1) Introduction > 2) Bugs > 3) The Code > 4) Fix > > > ####################################################################### > > =============== > 1) Introduction > =============== > > > Winamp is one of the most diffused and appreciated media players for > Windows. > > > ####################################################################### > > ======= > 2) Bugs > ======= > > -------------------------------------------- > A] in_midi Controller messages heap overflow > -------------------------------------------- > > The Controller status message of the MIDI files is an 8bit value from > 0xb0 to 0xbf followed by the controller number and the value to assign. > > The in_midi native plugin of Winamp follows the specifications > allocating a buffer that fits the 128 instruments but the "Controller > number" is an 8bit value which arrives to 255 and there are no checks > to avoid the usage of this additional memory. > > The result is a heap overflow and its usual effects like arbitrary > memory freeing, write4 and so on. > From in_midi.dll: > > 07662918 |. 8A4D 08 MOV CL,BYTE PTR SS:[EBP+8] > ; "Controller message" > 0766291B |. 56 PUSH ESI > 0766291C |. 8BF0 MOV ESI,EAX > 0766291E |. 8AC1 MOV AL,CL > 07662920 |. 24 F0 AND AL,0F0 > 07662922 |. 80E1 0F AND CL,0F > 07662925 |. 884D FF MOV BYTE PTR SS:[EBP-1],CL > 07662928 |. 3C B0 CMP AL,0B0 > 0766292A |. 0F85 B1000000 JNZ in_midi.076629E1 > 07662930 |. 33D2 XOR EDX,EDX > 07662932 |. 3915 98896707 CMP DWORD PTR DS:[7678998],EDX > 07662938 |. 74 1B JE SHORT in_midi.07662955 > 0766293A |. 80F9 09 CMP CL,9 > 0766293D |. 75 16 JNZ SHORT in_midi.07662955 > 0766293F |. 3856 01 CMP BYTE PTR DS:[ESI+1],DL > 07662942 |. 75 11 JNZ SHORT in_midi.07662955 > 07662944 |. 8A06 MOV AL,BYTE PTR DS:[ESI] > ; "Controller Number" > 07662946 |. 3AC2 CMP AL,DL > 07662948 |. 74 04 JE SHORT in_midi.0766294E > 0766294A |. 3C 20 CMP AL,20 > 0766294C |. 75 07 JNZ SHORT in_midi.07662955 > 0766294E |> 33C0 XOR EAX,EAX > 07662950 |. E9 E4010000 JMP in_midi.07662B39 > 07662955 |> 0FB6C1 MOVZX EAX,CL > 07662958 |. 0FB60E MOVZX ECX,BYTE PTR DS:[ESI] > ; "Controller Number" > 0766295B |. 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX > 0766295E |. C165 F8 07 SHL DWORD PTR SS:[EBP-8],7 > 07662962 |. 034D F8 ADD ECX,DWORD PTR SS:[EBP-8] > 07662965 |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX > 07662968 |. 8A46 01 MOV AL,BYTE PTR DS:[ESI+1] ; "value" > 0766296B |. 884419 08 MOV BYTE PTR DS:[ECX+EBX+8],AL > > and the arbitrary free() exploitation: > > 07662BE5 |> 8DBE 24080000 LEA EDI,DWORD PTR DS:[ESI+824] > 07662BEB |. C74424 10 10000000 MOV DWORD PTR SS:[ESP+10],10 > 07662BF3 |> 8B07 /MOV EAX,DWORD PTR DS:[EDI] > ; our 32 bit, 0x61616161 > 07662BF5 |. 3BC5 |CMP EAX,EBP > 07662BF7 |. 74 06 |JE SHORT in_midi.07662BFF > 07662BF9 |. 50 |PUSH EAX > 07662BFA |. FFD3 |CALL EBX ; MSVCR90.free > 07662BFC |. 59 |POP ECX > 07662BFD |. 892F |MOV DWORD PTR DS:[EDI],EBP > 07662BFF |> 83C7 04 |ADD EDI,4 > 07662C02 |. FF4C24 10 |DEC DWORD PTR SS:[ESP+10] > 07662C06 |.^75 EB \JNZ SHORT in_midi.07662BF3 > > > ----------------------------------------- > B] in_midi Note On messages heap overflow > ----------------------------------------- > > The Note On messages (from 0x90 to 0x9f) have the same format of the > Controller ones and also in this case Winamp doesn't check the channel > number specified in the file leading to another heap oveflow using > channels greater than 127. > > > ----------------------------- > C] in_midi MTrk heap overflow > ----------------------------- > > Winamp calculates the size of the memory to allocate through the > parsing of the chunk size of all the MTrk fields. > A combination of signed comparisons, integer overflows and > portions of data copied in predictable positions allow the > exploiting of the relative heap overflow: > > 07663738 |> 8B45 0C /MOV EAX,DWORD PTR SS:[EBP+C] > ; current total size > 0766373B |> 813C38 4D54726B |CMP DWORD PTR DS:[EAX+EDI],6B72544D > ; MUST be equal to "MTrk" > 07663742 |. 75 5A |JNZ SHORT in_midi.0766379E > 07663744 |. 8D48 0C |LEA ECX,DWORD PTR DS:[EAX+C] ; +12 > 07663747 |. 3B4D 10 |CMP ECX,DWORD PTR SS:[EBP+10] > 0766374A |. 7F 52 |JG SHORT in_midi.0766379E > ; signed comparison > 0766374C |. 8B4C38 04 |MOV ECX,DWORD PTR DS:[EAX+EDI+4] > ; get "next" MTrk size > 07663750 |. 83C0 08 |ADD EAX,8 ; +8 > 07663753 |. 8945 0C |MOV DWORD PTR SS:[EBP+C],EAX > 07663756 |. 8945 FC |MOV DWORD PTR SS:[EBP-4],EAX > 07663759 |. E8 7A9D0000 |CALL in_midi.0766D4D8 ; ntohl(ecx) > 0766375E |. 0145 0C |ADD DWORD PTR SS:[EBP+C],EAX > 07663761 |. 8B45 10 |MOV EAX,DWORD PTR SS:[EBP+10] > 07663764 |. 3945 0C |CMP DWORD PTR SS:[EBP+C],EAX > 07663767 |. 7F 08 |JG SHORT in_midi.07663771 ; signed comp > 07663769 |. 46 |INC ESI > 0766376A |. 3B75 F8 |CMP ESI,DWORD PTR SS:[EBP-8] > 0766376D |.^7C C9 \JL SHORT in_midi.07663738 > ... > 076635D5 |> 53 PUSH EBX > 076635D6 |. 56 PUSH ESI > 076635D7 |. 8B75 10 MOV ESI,DWORD PTR SS:[EBP+10] > 076635DA |. 8D46 10 LEA EAX,DWORD PTR DS:[ESI+10] > 076635DD |. 50 PUSH EAX > ; controlled miscalculated size > 076635DE |. FF15 B0316707 CALL DWORD PTR DS:[<&MSVCR90.malloc>] > ; malloc > ... > 076636CF |> 57 PUSH EDI ; 0xFFFFF81F > 076636D0 |. 51 PUSH ECX ; all data from MThd > 076636D1 |. 53 PUSH EBX ; allocated buffer > 076636D2 |. E8 77C80000 CALL <JMP.&MSVCR90.memcpy> ; memcpy > > And the following is the situation caused by my proof-of-concept > during the total size calculation with EDI 01246298 and EAX FFFFF816, > so the "dword[EAX+EDI] == 6B72544D" check is perfectly bypassed: > > 01246188 72 6B 4D 54 72 6B 4D 54 72 6B 4D 54 72 6B 4D 54 rkMTrkMTrkMTrkMT > 01246198 72 6B 4D 54 72 6B 4D 54 72 6B 4D 54 72 6B 4D 54 rkMTrkMTrkMTrkMT > 012461A8 72 6B 4D 54 72 6B 4D 54 72 6B 4D 54 72 6B 4D 54 rkMTrkMTrkMTrkMT > 012461B8 72 6B 4D 54 72 6B 4D 54 72 6B 4D 54 72 6B 4D 54 rkMTrkMTrkMTrkMT > 012461C8 72 6B 4D 54 72 6B 4D 54 72 6B 4D 54 72 6B AB AB rkMTrkMTrkMTrk«« > 012461D8 AB AB AB AB AB AB EE FE 00 00 00 00 00 00 00 00 ««««««îþ........ > 012461E8 15 00 A3 21 EE 07 18 01 50 DC 22 01 20 00 00 00 ..£!î...PÜ". ... > 012461F8 19 00 00 00 88 C2 22 01 08 00 00 00 00 00 00 00 ....ˆÂ"......... > 01246208 00 00 00 00 0A 00 00 00 00 00 00 00 00 00 00 00 ................ > 01246218 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ > 01246228 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ > 01246238 00 00 00 00 00 00 00 00 00 00 00 00 C0 53 23 01 ............ÀS#. > 01246248 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ > 01246258 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ > 01246268 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ > 01246278 00 00 00 00 01 00 00 00 AB AB AB AB AB AB AB AB ........«««««««« > 01246288 00 00 00 00 00 00 00 00 93 21 15 00 81 07 1A 01 ........“!..... > 01246298 4D 54 68 64 00 00 00 06 00 01 00 13 00 78 4D 54 MThd.........xMT > 012462A8 72 6B FF FF F8 00 41 41 41 41 41 41 41 41 41 41 rkÿÿø.AAAAAAAAAA > 012462B8 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA > 012462C8 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA > 012462D8 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA > > > ####################################################################### > > =========== > 3) The Code > =========== > > > http://aluigi.org/poc/winamp_3.zip > > winamp_3a.mid will exploit the arbitrary freeing of address 0x61616161. > > > ####################################################################### > > ====== > 4) Fix > ====== > > > No fix. > > > ####################################################################### > > > --- > Luigi Auriemma > http://aluigi.org No CVE-identifier requested by the founder "Luigi Auriemma", but I requested one from MITRE. They have not yet responded. I also reported this issue to Winamp. No reponse from they either. Does anyone have experience of Winamp's security-related communication? Do you have any idea if this has been fixed in version Winamp Media Player 5.62? Best regards, Henri Salo
