WINAMP 2.6x / 2.7x BUFFER OVERFLOW

AFFECTED SYSTEMS
Winamp 2.73 (full)
Winamp 2.70 (full)
Winamp 2.64 (standard)
Winamp 2.62 (standard)
Winamp 2.61 (full)
Winamp 2.60 (full)
Winamp 2.60 (lite)

(haven't tested 2.74/2.72/2.71/2.65/... yet, but as
you can guess, it's very likely that they're affected)

IMMUNE SYSTEMS
Winamp 2.5e
Winamp 2.50
Winamp 2.24
Winamp 2.04

DESCRIPTION

Winamp has a buffer overflow condition when parsing
*.AIP files (which are set to be automatically downloaded
without user intervention, just like *.M3U / *.PLS files).

The bug can be reproduced by simply putting a lot of
As (about 2100) in an *.AIP file and double-clicking
it. A sample *.AIP has been attached; I have zipped it
up so as not to cause too much trouble with automatic
downloading...

The sample *.AIP will attempt to snatch the EIP and
set it to 080808080h, it seems to work most of the
time, but not always. Snatching the EIP seems to be
the hardest part of writing an exploit for this bug.

This buffer overflow could lead to a system compromise
on a Windows computer running Winamp 2.7x / 2.6x,
either via a webpage or via an e-mail that opens a
malicious *.AIP.

VENDOR STATUS
I've contacted Denzil Kriekenbeek of Nullsoft
<[EMAIL PROTECTED]> notifying him about the buffer
overflow condition. (The automatic feedback form on
winamp.com didn't work, and neither did
[EMAIL PROTECTED].)

SOLUTION
Consider turning off automatic downloading of *.AIP
files (also consider turning it off for *.M3U, *.PLS,
*.WPZ, *.WSZ, ...), so that if a suspicious webpage or
e-mail attempts to open *.AIP files with Winamp, you
can decide not to hit 'execute from current location'.
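A gateway-side complement to the client setting above, as an added example that is not part of this advisory and not Nullsoft's code: a mail or web proxy can refuse to hand Winamp any auto-opened playlist type (the extensions listed above) that carries a line far longer than any real path, URL or title. The 1024-byte threshold and the sample file contents are assumptions; the only fact taken from the advisory is that a single run of roughly 2100 bytes is enough to crash the parser.

```python
"""Gateway-side check for oversized lines in Winamp auto-opened file types.

Added example, not part of the original advisory. Nothing about the *.AIP
format is assumed beyond the advisory's own observation: one very long
field (about 2100 bytes) is enough to overflow the parser.
"""
from typing import List, Tuple

# File types the advisory says Winamp opens without user intervention.
AUTO_OPEN_EXTENSIONS = {".aip", ".m3u", ".pls", ".wpz", ".wsz"}

# Assumed threshold: well below the ~2100 bytes the advisory reports as
# sufficient to crash, yet far above any legitimate playlist entry.
DEFAULT_MAX_LINE = 1024


def has_auto_open_extension(filename: str) -> bool:
    """True if Winamp would open this file type automatically (per the advisory)."""
    name = filename.lower()
    return any(name.endswith(ext) for ext in AUTO_OPEN_EXTENSIONS)


def oversized_lines(data: bytes, max_line: int = DEFAULT_MAX_LINE) -> List[Tuple[int, int]]:
    """Return (line_number, length) for every line longer than max_line.

    Lines are split on LF and a trailing CR is stripped, so CRLF and LF
    files measure the same. A file with no newline at all counts as a
    single line, which is exactly what a 2100-byte run of 'A's looks like.
    """
    findings = []
    for number, raw in enumerate(data.split(b"\n"), start=1):
        line = raw.rstrip(b"\r")
        if len(line) > max_line:
            findings.append((number, len(line)))
    return findings


def should_quarantine(filename: str, data: bytes, max_line: int = DEFAULT_MAX_LINE) -> bool:
    """Quarantine only auto-opened types that contain an oversized line.

    Other file types are passed through: an overlong line in a .txt is not
    something Winamp will ever parse.
    """
    if not has_auto_open_extension(filename):
        return False
    return bool(oversized_lines(data, max_line))


# Constructed sample inputs; these are not the advisory's attachment.
BENIGN_AIP = b"C:\\Music\\track01.mp3\r\nC:\\Music\\track02.mp3\r\n"
SUSPICIOUS_AIP = b"A" * 2100      # the pattern the advisory describes
LONG_TEXT = b"x" * 3000           # same shape, but as a plain text file


if __name__ == "__main__":
    samples = [("set.aip", BENIGN_AIP), ("set.aip", SUSPICIOUS_AIP), ("notes.txt", LONG_TEXT)]
    for name, blob in samples:
        print(name, "quarantine" if should_quarantine(name, blob) else "pass", oversized_lines(blob))
```

The check is deliberately on line length rather than on the byte value 'A': the advisory says the crash is a length problem, so a filter keyed on a specific filler byte would miss the same overflow produced with any other content.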

greetz,

[ByteRage]
<[EMAIL PROTECTED]> [www.byterage.cjb.net]


SNATCH-EIP-80808080.zip
