-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160
---------------------------------------------------
| BuHa Security-Advisory #15 | Jul 30th, 2007 |
---------------------------------------------------
| Vendor | Nullsoft's Winamp (Lite) |
| URL | http://www.winamp.com/ |
| Version | <= 5.35 |
| Risk | Low (Denial Of Service) |
---------------------------------------------------
o Description:
============
Winamp is a proprietary media player for Windows systems. Visit
http://www.winamp.com/ for detailed information.
o Denial Of Service:
==================
The M3U file format allows local and remote files to be included by
simply specifying the path to the desired file. Furthermore, Winamp does
not check whether the M3U file to be included is the M3U file currently
being processed, so it is possible to force Winamp to read a certain
M3U file recursively. Winamp allocates memory on each iteration, which
leads to a stack overflow exception (0xc00000fd).
You can test this bug yourself by creating a file named 'a.m3u' with
the content 'a.m3u'. If you are using the standard version of Winamp
(not the Lite version), you just have to add the M3U file to Winamp,
for example by simply dragging the file into the playlist.
The Lite version catches the exception and exits if you add the
malformed M3U file to the playlist. If you use the "Enqueue in Winamp"
option (if configured, you'll find it in the context menu), Winamp Lite
does not catch the exception and crashes too.
It's also possible to add a remote file to the playlist by clicking
Add -> Add URL and entering a URL like:
http://morph3us.org/security/pen-testing/winamp/a.m3u
These are the register values and the ASM dump at the time of the stack
overflow exception:
> eax=00000d64 ebx=0000025b ecx=00032b90 edx=7c91eb94 esi=00000000
> edi=000381c0 eip=0045ffe5 esp=00036b88 ebp=00036b90
>
> Function: winamp
> 0045ffba cc int 3
> 0045ffbb cc int 3
> 0045ffbc cc int 3
> 0045ffbd cc int 3
> 0045ffbe cc int 3
> 0045ffbf cc int 3
> 0045ffc0 3d00100000 cmp eax,0x1000
> 0045ffc5 730e jnb winamp+0x5ffd5 (0045ffd5)
> 0045ffc7 f7d8 neg eax
> 0045ffc9 03c4 add eax,esp
> 0045ffcb 83c004 add eax,0x4
> 0045ffce 8500 test [eax],eax
> 0045ffd0 94 xchg eax,esp
> 0045ffd1 8b00 mov eax,[eax]
> 0045ffd3 50 push eax
> 0045ffd4 c3 ret
> 0045ffd5 51 push ecx
> 0045ffd6 8d4c2408 lea ecx,[esp+0x8]
> 0045ffda 81e900100000 sub ecx,0x1000
> 0045ffe0 2d00100000 sub eax,0x1000
> FAULT ->0045ffe5 8501 test [ecx],eax
> ds:0023:00032b90=00000000
> 0045ffe7 3d00100000 cmp eax,0x1000
> 0045ffec 73ec jnb winamp+0x5ffda (0045ffda)
> 0045ffee 2bc8 sub ecx,eax
> 0045fff0 8bc4 mov eax,esp
> 0045fff2 8501 test [ecx],eax
> 0045fff4 8be1 mov esp,ecx
> 0045fff6 8b08 mov ecx,[eax]
> 0045fff8 8b4004 mov eax,[eax+0x4]
> 0045fffb 50 push eax
> 0045fffc c3 ret
> 0045fffd cc int 3
> 0045fffe cc int 3
> 0045ffff cc int 3
> 00460000 80f940 cmp cl,0x40
> 00460003 7316 jnb winamp+0x6001b (0046001b)
> 00460005 80f920 cmp cl,0x20
> 00460008 7306 jnb winamp+0x60010 (00460010)
> 0046000a 0fadd0 shrd eax,edx,cl
> 0046000d d3fa sar edx,cl
> 0046000f c3 ret
This bug does not seem to be exploitable.
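As an added illustration (not part of the original advisory or of Winamp's code), the following playlist expander tracks the chain of M3U files currently being included and rejects a reference back into that chain, such as 'a.m3u' -> 'a.m3u', instead of recursing until the stack is exhausted. The FILES table, the file names in it and MAX_DEPTH are constructed for this example.

```python
from typing import Dict, List, Optional, Tuple

# Constructed in-memory playlists standing in for files on disk (not real Winamp data).
FILES: Dict[str, str] = {
    "a.m3u": "a.m3u\n",                                   # the advisory's self-referencing case
    "b.m3u": "#EXTM3U\nsong1.mp3\nc.m3u\n",
    "c.m3u": "song2.mp3\nb.m3u\n",                        # indirect cycle: b -> c -> b
    "d.m3u": "#EXTM3U\nsong3.mp3\nhttp://example.invalid/live.mp3\nd-sub.m3u\n",
    "d-sub.m3u": "song4.mp3\n",                           # legitimate one-level include
}

MAX_DEPTH = 8  # hypothetical bound; any small limit stops runaway nesting


class PlaylistRecursionError(ValueError):
    """Raised instead of letting nested includes consume the stack."""


def expand_m3u(path: str, chain: Optional[List[str]] = None, depth: int = 0) -> List[str]:
    """Flatten a playlist, expanding nested .m3u references.

    `chain` holds the playlists currently being expanded. A reference back
    into that chain (a.m3u -> a.m3u, or b -> c -> b) is the unbounded
    recursion the advisory describes; here it is rejected, not followed.
    """
    chain = chain if chain is not None else []
    if path in chain:
        raise PlaylistRecursionError("cycle: " + " -> ".join(chain + [path]))
    if depth > MAX_DEPTH:
        raise PlaylistRecursionError(f"nesting deeper than {MAX_DEPTH} at {path}")
    chain.append(path)
    entries: List[str] = []
    for raw in FILES.get(path, "").splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # skip blanks and #EXTM3U/#EXTINF tags
            continue
        if line.lower().endswith(".m3u"):
            entries.extend(expand_m3u(line, chain, depth + 1))
        else:
            entries.append(line)
    chain.pop()
    return entries


def check_playlist(path: str) -> Tuple[bool, str]:
    """Return (accepted, detail): the flattened entry count or the rejection reason."""
    try:
        entries = expand_m3u(path)
    except PlaylistRecursionError as exc:
        return False, str(exc)
    return True, f"{len(entries)} entries"
```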
o Disclosure Timeline:
====================
xx Jan 07 - Vulnerability discovered.
14 Apr 07 - Vendor contacted.
30 Jul 07 - Public release.
o Solution:
=========
There is no solution yet.
I sent a mail to support@winamp.com (I did not find a better contact
address) on April 14th but have not received an answer yet.
o Credits:
========
Thanks to destructor, who originally spotted the bug, and nait, who
analysed the vulnerability.
Christian Deneke (nait)