5th Jan 2003 [SBWID-5905]
COMMAND
Winamp multiple overflows in b4s-lists
SYSTEMS AFFECTED
All versions: up to v.3.0
Not vulnerable: all versions that don't support b4s-lists
PROBLEM
From the security advisory [bld #488] by D4rkGr3y of Damage Hacking Group
[http://www.dhgroup.org]:
WinAmp allows you to save your mp3-list to *.b4s-files. This is something
like *.m3u-lists, but b4s uses XML for its work. Here is an example of
one b4s-file (# - comments):
<?xml version="1.0" encoding='UTF-8' standalone="yes"?>
<WinampXML>
<!-- Generated by: Nullsoft Winamp3 version 3.0 -->
<playlist num_entries="[number_of_entries]" label="[playlist_name]"> #(1)
#first entry
<entry Playstring="file:[patch_to_file]"> #(2)
<Name>[name_of_the_song]</Name>
<Length>[file_size_in_bytes]</Length>
</entry>
#end of first entry
</playlist>
</WinampXML>
Now, let's talk about bugs.
(1) If [playlist_name] is longer than 16580b, ecx, esi and
retaddr(!!) will be overwritten at addr 0x1007C340. So it's possible to
execute arbitrary code with the user's permissions.
(2) Buffer overflow in [patch_to_file]. I don't parse this problem, but
I really think that it's very serious too.
(3) DoS. If [playlist_name] includes some Cyrillic (imho, any
non-English) letters, WinAmp will crash.
(4) DOS Device bug. If [patch_to_file] is "file:aux", WinAmp will
freeze.
SOLUTION
Use m3u-lists :) & wait for new versions of WinAmp.
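
Added example (not part of the advisory and not Winamp code): a Python pre-open check that flags the four conditions listed under PROBLEM in a .b4s file. It goes beyond the advisory in covering every reserved DOS device name rather than only "aux". PATH_LIMIT, the function name and the sample playlists are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

LABEL_LIMIT = 16580   # bytes; label length the advisory says is enough to overwrite retaddr
PATH_LIMIT = 260      # assumption: Windows MAX_PATH; the advisory gives no figure for bug (2)
# Reserved DOS device names; the advisory itself only names "aux".
DOS_DEVICES = {"con", "prn", "aux", "nul"} | {f"{p}{n}" for p in ("com", "lpt") for n in range(1, 10)}


def check_b4s(data: bytes) -> list[str]:
    """Return a list of findings for one .b4s playlist (empty list = nothing flagged)."""
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        return ["DTD/entity declaration present; refusing to parse"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    for pl in root.iter("playlist"):
        label = pl.get("label", "")
        if len(label.encode("utf-8")) > LABEL_LIMIT:
            findings.append("(1) playlist label longer than 16580 bytes")
        if not label.isascii():
            findings.append("(3) playlist label contains non-ASCII characters")
        for entry in pl.iter("entry"):
            path = entry.get("Playstring", "")
            if path.lower().startswith("file:"):
                path = path[5:]
            if len(path.encode("utf-8")) > PATH_LIMIT:
                findings.append("(2) Playstring path longer than PATH_LIMIT")
            # Windows resolves "aux", "aux.mp3" and "dir\aux" to the device itself.
            leaf = path.replace("/", "\\").rsplit("\\", 1)[-1]
            if leaf.split(".", 1)[0].strip().lower() in DOS_DEVICES:
                findings.append("(4) Playstring names a DOS device: " + leaf)
    return findings


# Constructed samples (not taken from the advisory).
BENIGN = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<WinampXML><playlist num_entries="1" label="mix">
<entry Playstring="file:C:\\music\\song.mp3"><Name>song</Name><Length>1000</Length></entry>
</playlist></WinampXML>"""
SUSPECT = BENIGN.replace(b'label="mix"', b'label="' + b"A" * 16581 + b'"') \
                .replace(b"C:\\music\\song.mp3", b"aux")

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, check_b4s(blob))
```

Such a check fits a mail or download gateway that quarantines playlist attachments before a vulnerable Winamp version can open them.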