####################################################################### Luigi Auriemma Application: Winamp http://www.winamp.com Versions: <= 5.5.8.2985 (aka v5.581) Platforms: Windows Bugs: A] integer overflow in in_mkv B] integer overflow in in_nsv C] integer overflow in in_midi D] buffer-overflow in in_mod Exploitation: remote, versus server Date: 13 Oct 2010 Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org ####################################################################### 1) Introduction 2) Bugs 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== Winamp is one of the most diffused and appreciated media players for Windows. ####################################################################### ======= 2) Bugs ======= ----------------------------- A] integer overflow in in_mkv ----------------------------- The in_mkv plugin uses a particular function (address 077078c0) for reading text strings from the Matroska containers. The operations performed are the reading of the ebml numeric value (64bit), the allocation of memory corresponding to that value (32bit) plus 1 and the subsequent reading of the data from the file leading to possible code execution: buff = malloc(size + 1); if(buff) fread(buff, 1, size, fd); ----------------------------- B] integer overflow in in_nsv ----------------------------- The in_nsv plugin is affected by an heap-overflow caused by the function (address 077ca422) that first verifies the size of the metadata string contained in the file adding 1 to it and then copies 0x1fffffff bytes in a heap buffer leading to possible code execution (077C8577 CALL DWORD PTR DS:[EAX+8]): memcpy(heap_buffer, attacker_data, size >> 3); ------------------------------ C] integer overflow in in_midi ------------------------------ The in_midi plugin is affected by an heap overflow during the handling of the hmp files (a format used in some old DOS games) where a variable-length 32bit value is used for the copying of data with memcpy() from the attacker's data to a heap buffer which has not been reallocated for matching the needed size due to an integer overflow. Doesn't seem possible to control the code execution. ---------------------------- D] buffer-overflow in in_mod ---------------------------- The in_mod plugin is affected by a stack overflow which happens during the handling of a malformed MTM file but it's required that the user manually clicks on the player for visualizing the detailed informations of the track. ####################################################################### =========== 3) The Code =========== http://aluigi.org/poc/winamp_1.zip ####################################################################### ====== 4) Fix ====== No fix. #######################################################################