Vulnerability

    WinAMP

Affected

    WinAMP 2.x

Description

    Wojtek Kaniewski found the following. WinAMP is a popular Windows sound player with support for many file formats (MP3, wave files, modules). It also supports MP3 streaming (let's call it sh0utcast). If we tell WinAMP to open a file location (Ctrl+L) which is over 256 bytes long, it produces a nice GPF. The bug also appears when loading playlists (.m3u and .pls).

    Many sh0utcast radios place .pls files on their websites, which contain the URL of the radio's sh0utcast server. If we make a b00m.pls file like this:

        [playlist]
        NumberOfEntries=1
        File1=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA... (about 256 A's)

    and put a link like this:

        <A HREF="b00m.pls">Techno explosion -- The Coolest MP3 Radio</A>

    on our website, we can make a couple of WinAMPs crash. The guess is that there is a possibility to put our own code in the filename (see cDc-351 for details).

    This was tested on:

        WinAMP v2.091 on Win95A and Win95B
        v2.21 on Win98
        v1.9? and v2.21 on WinNT 4.0WS

    It produced GPFs on all except WinNT, where it opened but simply didn't play. On NT Server 4 with no Service Packs installed, this causes an application error (Cyrix MMX 233):

        Access Violation (0xc0000005), Address : 0x62626262

Solution

    Nullsoft (producer of WinAMP) was notified about the bug two versions ago.
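
The crash described above is what an unchecked copy of a playlist entry into a fixed-size buffer looks like from the outside. The following is an added example, not WinAMP or Nullsoft code, of the length check a .pls reader needs before copying a FileN= value; the function names, the status enum and the assumption that the location buffer is 256 bytes (the figure the advisory gives) are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_LOCATION 256 /* figure from the advisory; the buffer itself is an assumption */
enum pls_status { PLS_OK = 0, PLS_NOT_ENTRY = 1, PLS_TOO_LONG = 2 };

/* Parse one "FileN=value" line of a .pls playlist into out[outsz].
 * The value length is checked before any copy, so an over-long entry is
 * rejected instead of being written past the end of the buffer. */
enum pls_status pls_parse_entry(const char *line, char *out, size_t outsz)
{
    const char *p; size_t len;
    if (outsz == 0) return PLS_TOO_LONG;
    out[0] = '\0';
    if (strncmp(line, "File", 4) != 0 || !isdigit((unsigned char)line[4]))
        return PLS_NOT_ENTRY;
    for (p = line + 4; isdigit((unsigned char)*p); p++)
        ;
    if (*p++ != '=') return PLS_NOT_ENTRY;
    len = strcspn(p, "\r\n");               /* value ends at end of line */
    if (len >= outsz) return PLS_TOO_LONG;  /* no room for value plus NUL */
    memcpy(out, p, len);
    out[len] = '\0';
    return PLS_OK;
}

/* Walk an in-memory playlist and count entries that would not fit. */
int pls_count_oversized(const char *text)
{
    char loc[MAX_LOCATION];
    int bad = 0;
    while (*text) {
        if (pls_parse_entry(text, loc, sizeof loc) == PLS_TOO_LONG)
            bad++;
        text += strcspn(text, "\n");
        if (*text == '\n') text++;
    }
    return bad;
}

int main(void)
{
    /* Constructed sample: one normal entry, one 300-byte entry. */
    char pl[512] = "[playlist]\nNumberOfEntries=2\nFile1=http://radio.example:8000/\nFile2=";
    memset(pl + strlen(pl), 'A', 300);
    printf("oversized entries: %d\n", pls_count_oversized(pl));
    return 0;
}
```

The same check applies to the Ctrl+L location dialog and to .m3u lines, which the advisory says fail in the same way.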