Winamp M3U playlist parser buffer overflow security vulnerability

[pauli_ojanpera () HOTMAIL COM (Pauli Ojanpera)]

LEGAL NOTICE:
By reading this you do agree that life does not make
sense and it doesn't need to. You also agree to
wear a condom. You do agree to think about nature.
.. umm you also agree to GPL all software you've ever
written.

[Click here if you're under 18]

There is a buffer overflow security vulnerability in
Winamp's (http://www.winamp.com) M3U playlist parser.
The overflow happens when an M3U extension called "#EXTINF:" is being
handled. The size of the parameter
following that keyword is not checked.

Real world example:

--cut-here-and-paste-to-a-file-with-m3u-extension--
#EXTM3U
#EXTINF:AAAAAAAAA....AAAAAAAAA<cr><lf>
--cut here--

There should be at least 280 A's.

The overflow allows total control over ones computer.
For example one could embedd an M3U file to a web page
several ways:
- <A HREF="ATTACK.M3U">
- <BGSOUND SRC="ATTACK.M3U">
- <EMBED SRC="ATTACK.M3U">

I have tested the first one but I have Media Player
installed on this computer and my browser uses its
components for the latter two so I cannot confirm..

The only problem is some structure (FILE *?) after
the buffer because it has a zero in it and it must
not be crafted to successfully return from the function.
I had to apply some trial and error to get code executed.
Currently the code crafts Winamp's MOD file format support
until restarted (I presume so.. :-).

The attached .M3U file should crash Winamp at 0000:41414141. I've tested it
with Windows 98 and
Windows 95 with Winamp versions 2.62 and 2.64.

Thank you.. I might not be available too frequently
to answer your mail.. Have a nice life. Bye.

________________________________________________________________________
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com

<HR NOSHADE>
<UL>
<LI>text/plain attachment: ATTACK.M3U
</UL>