Bugtraq mailing list archives
[BuHa-Security] Winamp 5.35 (Infinite) M3U File Inclusion DoS Vulnerability
From: bugtraq () morph3us org
Date: 31 Jul 2007 09:38:41 -0000
---------------------------------------------------
| BuHa Security-Advisory #15          Jul 30th, 2007 |
---------------------------------------------------
| Vendor  | Nullsoft's Winamp (Lite)                  |
| URL     | http://www.winamp.com/                    |
| Version | <= 5.35                                   |
| Risk    | Low (Denial Of Service)                   |
---------------------------------------------------

o Description:
=============
Winamp is a proprietary media player for Windows systems. Visit http://www.winamp.com/ for detailed information.

o Denial Of Service:
===================
The M3U file format allows local and remote files to be included simply by specifying the path to the desired file. Furthermore, Winamp does not check whether the M3U file to be included is the M3U file currently being processed, so it is possible to force Winamp to read a given M3U file recursively. Winamp allocates memory on each iteration, which leads to a stack overflow exception (0xc00000fd).

You can easily test this bug yourself by creating a file named 'a.m3u' with the content 'a.m3u'. If you are using the standard version of Winamp (not the Lite version), you just have to add the M3U file to Winamp, for example by simply dragging the file into the playlist. The Lite version catches the exception and exits if you add the malformed M3U file to the playlist. If you use the "Enqueue in Winamp" option (if configured, you will find it in the context menu), Winamp Lite does not catch the exception and crashes too.

It is also possible to add a remote file to the playlist by clicking on Add -> Add URL and inserting a URL like:
http://morph3us.org/security/pen-testing/winamp/a.m3u

These are the register values and the ASM dump at the time of the stack overflow exception:
eax=00000d64 ebx=0000025b ecx=00032b90 edx=7c91eb94 esi=00000000 edi=000381c0
eip=0045ffe5 esp=00036b88 ebp=00036b90

Function: winamp
        0045ffba cc               int     3
        0045ffbb cc               int     3
        0045ffbc cc               int     3
        0045ffbd cc               int     3
        0045ffbe cc               int     3
        0045ffbf cc               int     3
        0045ffc0 3d00100000       cmp     eax,0x1000
        0045ffc5 730e             jnb     winamp+0x5ffd5 (0045ffd5)
        0045ffc7 f7d8             neg     eax
        0045ffc9 03c4             add     eax,esp
        0045ffcb 83c004           add     eax,0x4
        0045ffce 8500             test    [eax],eax
        0045ffd0 94               xchg    eax,esp
        0045ffd1 8b00             mov     eax,[eax]
        0045ffd3 50               push    eax
        0045ffd4 c3               ret
        0045ffd5 51               push    ecx
        0045ffd6 8d4c2408         lea     ecx,[esp+0x8]
        0045ffda 81e900100000     sub     ecx,0x1000
        0045ffe0 2d00100000       sub     eax,0x1000
FAULT ->0045ffe5 8501             test    [ecx],eax          ds:0023:00032b90=00000000
        0045ffe7 3d00100000       cmp     eax,0x1000
        0045ffec 73ec             jnb     winamp+0x5ffda (0045ffda)
        0045ffee 2bc8             sub     ecx,eax
        0045fff0 8bc4             mov     eax,esp
        0045fff2 8501             test    [ecx],eax
        0045fff4 8be1             mov     esp,ecx
        0045fff6 8b08             mov     ecx,[eax]
        0045fff8 8b4004           mov     eax,[eax+0x4]
        0045fffb 50               push    eax
        0045fffc c3               ret
        0045fffd cc               int     3
        0045fffe cc               int     3
        0045ffff cc               int     3
        00460000 80f940           cmp     cl,0x40
        00460003 7316             jnb     winamp+0x6001b (0046001b)
        00460005 80f920           cmp     cl,0x20
        00460008 7306             jnb     winamp+0x60010 (00460010)
        0046000a 0fadd0           shrd    eax,edx,cl
        0046000d d3fa             sar     edx,cl
        0046000f c3               ret
This bug does not seem to be exploitable.

o Disclosure Timeline:
=====================
xx Jan 07 - Vulnerability discovered.
14 Apr 07 - Vendor contacted.
30 Jul 07 - Public release.

o Solution:
==========
There is no solution yet. I sent a mail to support () winamp com (I did not find a better contact address) on April 14th, but have not received an answer so far.

o Credits:
=========
Thanks to destructor, who originally spotted the bug, and nait, who analysed the vulnerability.

Christian Deneke (nait) <bugtraq () deneke biz>
http://www.deneke.biz/

Thomas Waldegger <bugtraq () morph3us org>
BuHa-Security Community - http://buha.info/board/

If you have questions, suggestions or criticism about the advisory, feel free to send me a mail. The address 'bugtraq () morph3us org' is more of a spam address than a regular mail address, so it is possible that some mails get ignored. Please use the contact details at http://morph3us.org/ to contact me.

Greets fly out to..
* cyrus-tc: how are the Paris chicks, bro?
* fallout: let the 'curtain show' never end.. :oP
* trappy: skill0r!1!!
.. echox, Killsystem, Neon, Rodnox and all members of BuHa.

Advisory online: http://morph3us.org/advisories/20070730-winamp-5.35.txt

--
Don't you feel the power of CSS Layouts?
BuHa-Security Community: https://buha.info/board/
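The root cause in the Denial Of Service section is a playlist loader that follows nested M3U includes without remembering which files are already being expanded. The following is an added example of how a loader can reject that input; it is not Winamp's code or from the advisory, and its include-resolution rules (relative paths, a MAX_DEPTH cap) are assumptions chosen for the illustration.

```python
import posixpath

MAX_DEPTH = 8  # hypothetical cap on nested playlist includes (assumption)

class PlaylistCycleError(Exception):
    pass

def expand_m3u(path, read_file, _active=(), _depth=0):
    """Flatten an M3U playlist into (entries, skipped).
    read_file(path) returns playlist text. Nested *.m3u entries are expanded
    recursively; an include already on the current chain (a cycle, such as the
    advisory's self-including a.m3u) or one nested deeper than MAX_DEPTH is
    rejected and reported in `skipped` instead of being followed.
    """
    if path in _active:
        raise PlaylistCycleError(f"cycle: {path}")
    if _depth > MAX_DEPTH:
        raise PlaylistCycleError(f"too deep: {path}")
    base_dir = posixpath.dirname(path)
    entries, skipped = [], []
    for raw in read_file(path).splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # blank line or #EXTM3U/#EXTINF
            continue
        # Resolve relative entries against the parent playlist; URLs pass through.
        target = line if "://" in line else posixpath.normpath(posixpath.join(base_dir, line))
        if not target.lower().endswith(".m3u"):
            entries.append(target)
            continue
        try:
            sub, sub_skipped = expand_m3u(target, read_file, _active + (path,), _depth + 1)
        except PlaylistCycleError as exc:
            skipped.append((target, str(exc)))
            continue
        entries.extend(sub)
        skipped.extend(sub_skipped)
    return entries, skipped

# Constructed in-memory files: the advisory's a.m3u case, a two-file cycle, a nested playlist.
SAMPLE_FILES = {
    "a.m3u": "a.m3u\n",
    "b.m3u": "#EXTM3U\nsong1.mp3\nc.m3u\n",
    "c.m3u": "song2.mp3\nb.m3u\n",
    "d.m3u": "intro.mp3\nsub/e.m3u\n",
    "sub/e.m3u": "#EXTINF:123,Track\ntrack.mp3\n",
}

def expand_sample(name):
    return expand_m3u(name, SAMPLE_FILES.__getitem__)
```

Because the guard is the set of playlists on the current include chain rather than a global "seen" set, the same sub-playlist may still be included twice from different parents, which is legitimate; only a loop back into an ancestor is refused.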