SecurityTracker.com
Category:   Application (Multimedia)  >   Winamp
Vendors:   Nullsoft
Winamp Can Be Crashed With a Malformed MP4 File
SecurityTracker Alert ID:  1012525
SecurityTracker URL:  http://securitytracker.com/id/1012525
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Dec 15 2004
Impact:   Denial of service via network
Exploit Included:  Yes  
Version(s): 5.07
Description:   A vulnerability was reported in Winamp. A remote user can cause the player to crash.

Alan M (b0f) reported that the player does not properly process '.mp4' and '.m4a' files. A remote user can use Winamp to edit the MP4 tags and insert arbitrary data into a tag. Then, when the target user opens the MP4 file, the player will crash.

This can be automated using a '.pls' playlist file that points to the specially crafted MP4 file.

It is also reported that a remote user can create a large file (of approximately 1 MB) containing arbitrary data and named with a '.nsv' or '.nsa' file extension. When the file is opened using Winamp, the player will consume all available CPU resources on the target system.

Impact:   A remote user can cause the player to crash or consume all available CPU resources on the target system.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.winamp.com/
Cause:   Exception handling error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Winamp 5.07 (latest version) Remote Crash + other stupid shizle




Winamp 5.07 (latest version) Remote Crash.
+ vuln to cause 100% cpu usage.

13/12/04

I. BACKGROUND

Winamp is a very popular Windows audio 
and video player. It also has a lot 
of other features and is used by 
millions of people across the world.


II. DESCRIPTION

VULN 1.

There is a vuln in Winamp's handling of .mp4 
and .m4a files, which when exploited can 
remotely crash the victim's Winamp.

The vuln lies in the .mp4 tagging system
which Winamp uses. If you use Winamp's built-in
feature to edit the tags on .mp4 or .m4a 
files and insert any data in there, the next 
time the file is opened it will instantly
crash Winamp.

Now how to crash it remotely.

If we create a .pls file containing the data

[playlist]
numberofentries=5
File1=http://b0f.pwp.blueyonder.co.uk/a.mp4
Title1=
Length5=-1
Version=2


and make an HTML page containing an iframe linking
to the .pls like

<html>
<iframe src="http://b0f.pwp.blueyonder.co.uk/exp2.pls">

now if the victim clicks a link to a page like

http://b0f.pwp.blueyonder.co.uk/wexp3.htm

it will auto open up the .pls file and load the .mp4
file into Winamp and crash it.

This could also be done with .m3u instead of .pls

VULN 2.

This one is simple: if you create, say, a 1 MB file
(probably smaller) filled with junk and name it
with either a .nsv or .nsa file extension, 
when opened in Winamp it will cause 100% CPU
usage. The bigger the size of the file the 
more it will probably slow down the system.


III. ANALYSIS

Vuln 1.
Successful exploitation allows remote attackers to 
crash the victim's Winamp.

Vuln 2.
Successful exploitation causes 100% CPU usage.

IV. DETECTION

This has been confirmed in the latest version of Winamp,
5.07, and earlier versions are probably vulnerable.


V. WORKAROUND

Don't open suspicious .mp4, .m4a, .nsa or .nsv files or click untrusted links.


VI. VENDOR

The vendor has not been contacted.
Why bother? one asks

VII. CREDIT

Alan M aka b0f
(b0fnet@yahoo.com)

P.S Buy Tupac - Loyal to the Game 
out 14/12/04
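
The following is an added example, not part of the original advisory or of the reporter's message: a defender-side triage of playlist content (.pls or .m3u, as a mail or web gateway might see it) that flags entries pointing at the file types named above. The function names and the media.example.test host are assumptions made for illustration, and the entry-count check is an added heuristic that the advisory itself does not state.

```python
import re
from urllib.parse import urlparse

# Extensions named in the advisory: tag crash (.mp4/.m4a), CPU exhaustion (.nsv/.nsa).
RISKY_EXTS = (".mp4", ".m4a", ".nsv", ".nsa")

# Constructed sample inputs; media.example.test is a placeholder host.
SAMPLE_PLS = """[playlist]
numberofentries=5
File1=http://media.example.test/a.mp4
Title1=
Length5=-1
Version=2
"""
SAMPLE_M3U = """#EXTM3U
http://media.example.test/stream.nsv
C:\\Music\\song.mp3
"""

def playlist_entries(text):
    """Return media locations from PLS (FileN=...) or M3U (one per line) text."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if lines and lines[0].lower() == "[playlist]":
        found = (re.match(r"file\d+\s*=\s*(.+)", ln, re.IGNORECASE) for ln in lines[1:])
        return [m.group(1).strip() for m in found if m]
    # M3U: every non-comment line is a location.
    return [ln for ln in lines if not ln.startswith("#")]

def triage(text):
    """Return (kind, detail) findings for one playlist body."""
    findings = []
    entries = playlist_entries(text)
    for loc in entries:
        url = urlparse(loc)
        remote = url.scheme.lower() in ("http", "https", "ftp")
        # For remote entries compare the URL path only, so query strings are ignored.
        path = (url.path if remote else loc).lower()
        if path.endswith(RISKY_EXTS):
            findings.append(("remote" if remote else "local", loc))
    # Heuristic: a declared entry count that disagrees with the FileN lines present.
    declared = re.search(r"^numberofentries\s*=\s*(\d+)", text, re.IGNORECASE | re.MULTILINE)
    if declared and int(declared.group(1)) != len(entries):
        findings.append(("count-mismatch", f"declared {declared.group(1)}, found {len(entries)}"))
    return findings

if __name__ == "__main__":
    for name, sample in (("pls", SAMPLE_PLS), ("m3u", SAMPLE_M3U)):
        print(name, triage(sample))
```

A finding here is a reason to hold the playlist for review before it reaches a player, in line with the workaround in section V.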

 
 



Copyright 2020, SecurityGlobal.net LLC