#######################################################################

                             Luigi Auriemma

Application: Winamp
             http://www.winamp.com and http://classic.winamp.com
Versions:    Winamp 2.91 using IN_MIDI.DLL 3.01
             (Winamp 3 crashes but I have not found methods to execute
             code)
Platforms:   Windows
Bugs:        Code execution through malformed MIDI files
Date:        08 Sep 2003
Author:      Luigi Auriemma
             e-mail: aluigi@autistici.org
             web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Winamp is probably the most famous media player for Win32 systems.
It supports a great amount of media formats moreover because a lot of
users write plugins for this really cool program.


A funny anecdote about the bug I have found is that I found it almost 9
months ago (beginning of January 2003) but I thought it was nothing of
interesting and I forgot it on my hard-disk for a lot of time...


#######################################################################

======
2) Bug
======


Winamp 2.91 uses a default plugin called IN_MIDI.DLL used to play MIDI
files.
The versions prior and equal to the 3.01 of this plugin let an
attacker to execute code on a victim simply setting the "Track data
size" value of a MIDI file to 0xffffffff.

Example:


4 bytes  MIDI Header       "MThd"
4 bytes  Header data size  00000006
2 bytes  Format            0000
2 bytes  Number of tracks  0001
2 bytes  Divisions         0001
4 bytes  Track Header      "MTrk"
4 bytes  Track data size   ffffffff  <---  bug
...      "aaaaaaaaaaaaaaaaaaaaa..."  <---  fun


An important thing (and also the only limit for the attacker) is that
doesn't exist only one method to exploit this vulnerability because
the effects change about how the user opens the file and what MIDI
device he use:

drag'n'drop, normal file opening, midiOut and DirectMusic.

Then another note is that the code execution doesn't happen ever in the
same moment that the file is opened or played, in fact it can happen
after the second exception or when you close Winamp (also these effects
depend by the 4 options before).


Winamp3 seems partially vulnerable but I have not found a method to
overwrite the return address or to pass my custom address to the
instructions flow.


#######################################################################


===========
3) The Code
===========


No exploit.


#######################################################################

======
4) Fix
======


Nullsoft has been contacted a lot of time for over one month but nobody
has given me an answer or has patched the MIDI plugin.

However the effects of the bug limit the exploitation so if you use
Winamp, simply play MIDI files with another player until a patch will
be released.


#######################################################################