TUCoPS :: Windows Apps :: bt1028.txt

Winamp 2.91 lets code execution through MIDI files 


#######################################################################

                             Luigi Auriemma

Application: Winamp
             http://www.winamp.com and http://classic.winamp.com
Versions:    Winamp 2.91 using IN_MIDI.DLL 3.01
             (Winamp 3 crashes but I have not found methods to execute
             code)
Platforms:   Windows
Bugs:        Code execution through malformed MIDI files
Risk:        medium/high (exploitation has some limits)
Author:      Luigi Auriemma
             e-mail: aluigi@pivx.com
             web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Winamp is probably the most famous media player for Win32 systems.
It supports a great amount of media formats moreover because a lot of
users write plugins for this really cool program.


A funny anecdote about the bug I have found is that I found it almost 9
months ago (beginning of January 2003) but I thought it was nothing of
interesting and I forgot it on my hard-disk for a lot of time...



#######################################################################

======
2) Bug
======


Winamp 2.91 uses a default plugin called IN_MIDI.DLL used to play MIDI
files.
The versions prior and equal to the 3.01 of this plugin let an
attacker to execute code on a victim simply setting the "Track data
size" value of a MIDI file to 0xffffffff.

Example:


4 bytes  MIDI Header       "MThd"
4 bytes  Header data size  00000006
2 bytes  Format            0000
2 bytes  Number of tracks  0001
2 bytes  Divisions         0001
4 bytes  Track Header      "MTrk"
4 bytes  Track data size   ffffffff  <---  bug
...      "aaaaaaaaaaaaaaaaaaaaa..."  <---  fun


An important thing (and also the only limit for the attacker) is that
doesn't exist only one method to exploit this vulnerability because
the effects change about how the user opens the file and what MIDI
device he use:

drag'n'drop, normal file opening, midiOut and DirectMusic.

Then another note is that the code execution doesn't happen ever in the
same moment that the file is opened or played, in fact it can happen
after the second exception or when you close Winamp (also these effects
depend by the 4 options before).


Winamp3 seems partially vulnerable but I have not found a method to
overwrite the return address or to pass my custom address to the
instructions flow.



#######################################################################


===========
3) The Code
===========


No exploit.



#######################################################################

======
4) Fix
======


Nullsoft has been contacted a lot of time for over one month but nobody
has given me an answer or has patched the MIDI plugin.

However the effects of the bug limit the exploitation so if you use
Winamp, simply play MIDI files with another player until a patch will
be released.



#######################################################################



--- 
Luigi Auriemma
http://aluigi.altervista.org

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH