SecurityTracker.com
Category: Application (Multimedia) > Winamp
Vendors: Nullsoft
Winamp Fasttracker 2 File 'in_mod.dll' Heap Overflow Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID: 1009660
SecurityTracker URL: http://securitytracker.com/id/1009660
CVE Reference: GENERIC-MAP-NOMATCH
Date: Apr 5 2004
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 2.91 to 5.02
Description: A heap overflow vulnerability was reported in Winamp in 'in_mod.dll'. A remote user can create media that will execute arbitrary code on the target user's system.

Peter Winter-Smith of NGSSoftware reported that a remote user can create a specially crafted Fasttracker 2 ('.xm') module media file that, when loaded by the target user, will trigger an overflow in the ntdll.RtlAllocateHeap() function and execute arbitrary code. The code will run with the privileges of the target user.

According to the report, this flaw can be triggered by viewing an HTML document (that references the malformed media file).

The report indicates that the malformed file does not need to have the '.xm' file extension.

The original advisory is available at:

http://www.ngssoftware.com/advisories/winampheap.txt

The vendor was reportedly notified on February 20, 2004.

Impact: A remote user can create a media file that, when loaded by the target user, will execute arbitrary code on the target user's system with the privileges of the target user.
Solution: The vendor has released a fixed version (5.03), available at:

http://www.winamp.com/player/

Also, a method for disabling the processing of Fasttracker 2 module files is provided in the Source Message.

Vendor URL: www.winamp.com/
Cause: Boundary error
Underlying OS: Windows (Any)

Message History: None.


 Source Message Contents

Subject:  [VulnWatch] Nullsoft Winamp 'in_mod.dll' Heap Overflow



NGSSoftware Insight Security Research Advisory

Name: Nullsoft Winamp 'in_mod.dll' Heap Overflow
Systems Affected: Nullsoft Winamp versions 2.91 to 5.02 (possibly older versions, although this is not confirmed)
Severity: High Risk
Vendor URL: http://www.winamp.com/
Author: Peter Winter-Smith [ peter@ngssoftware.com ]
Date Vendor Notified: 20th Feb 2004
Date of Public Advisory: 5th March 2004
Advisory number: #NISR05042004
Advisory URL: http://www.ngssoftware.com/advisories/winampheap.txt

Description
***********

Winamp is one of the world's most popular pieces of software for playing digital media. It supports in excess of 30 file types and boasts a huge dedicated community backing it with almost 20,000 skins and over 461 additional components. To date CNET's download.com alone reports more than 31,000,000 downloads of Winamp versions 2.91 to 5.02.

Details
*******

Due to a lack of boundary checking within the code responsible for loading Fasttracker 2 ('.xm') mod media files by the Winamp media plug-in 'in_mod.dll', it is possible to make Winamp overwrite arbitrary heap memory and reliably cause an access violation within the ntdll.RtlAllocateHeap() function. When properly exploited this allows an attacker to write any value to a memory location of their choosing. In doing so, the attacker can gain control of Winamp's flow of execution to run arbitrary code. This code will run in the security context of the logged-on user.

NGSS researchers have proven that code execution is possible and that the malicious media file can be activated remotely simply by rendering a specially crafted HTML document.

It has also been discovered that the malicious file does not necessarily need to bear the extension '.xm'. This is due to the fact that 'in_mod.dll' will automatically determine which type of mod media file has been opened by performing certain tests on the file before attempting to load it. The testing is performed by passing the file through all the available loaders to see if one is able to handle it.

As a result of this the malicious file can have the extension of any of the supported module file types associated with the loaders in 'in_mod.dll' and still produce the same effect.
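The two behaviours described in the Details section, a loader chosen by probing file contents rather than by extension and a length-driven heap copy that needs a boundary check, are illustrated below in an added C example. This is not Winamp, in_mod.dll or NGSS code: the toy module format, the magic strings "TOYA"/"TOYB", the header layout, the TOY_MAX_PAYLOAD limit and all sample inputs are constructed for illustration. The point for defenders is in load_toy_module, which validates the length taken from the file against both a fixed maximum and the bytes actually present before any allocation or copy, and in probe_and_load, which never looks at the file name, so an extension-based block list cannot be relied on as a mitigation.

```c
/* Added example, not Winamp or in_mod.dll code: a toy module-file dispatcher
 * that, like the plug-in described in the advisory, picks a loader by probing
 * file contents rather than trusting the extension, plus a loader that does
 * the boundary checks the advisory says were missing. The format, magic
 * strings, field layout and size limit are all constructed for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TOY_HDR_LEN        8   /* 4-byte magic + 32-bit little-endian length */
#define TOY_MAX_PAYLOAD 4096   /* hypothetical upper bound for one chunk      */

typedef struct { uint8_t *data; size_t len; } chunk_t;

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The defect class in the advisory is a heap allocation and copy driven by a
 * length taken from the file with no check that it is consistent with the data
 * actually present. Here the declared length is validated against a fixed
 * maximum and against the bytes remaining before any allocation or copy.
 * Returns 0 on success; negative codes identify the rejected condition. */
static int load_toy_module(const uint8_t *file, size_t file_len, chunk_t *out) {
    if (file_len < TOY_HDR_LEN)
        return -1;                              /* truncated header */
    uint32_t declared = rd32le(file + 4);
    if (declared > TOY_MAX_PAYLOAD)
        return -2;                              /* implausible size */
    if (declared > file_len - TOY_HDR_LEN)
        return -3;                              /* claims more than is present */
    uint8_t *buf = malloc(declared ? declared : 1);
    if (!buf)
        return -4;
    memcpy(buf, file + TOY_HDR_LEN, declared);  /* bounded by the checks above */
    out->data = buf;
    out->len  = declared;
    return 0;
}

typedef int (*loader_fn)(const uint8_t *, size_t, chunk_t *);
typedef struct { const char *name; const char *magic; loader_fn load; } loader_t;

/* Two constructed module flavours sharing one loader; only the magic differs. */
static const loader_t loaders[] = {
    { "toy-format-a", "TOYA", load_toy_module },
    { "toy-format-b", "TOYB", load_toy_module },
};

/* Content-based dispatch: the file name is never consulted, so renaming the
 * file changes nothing; an extension block list is therefore no mitigation.
 * Returns the index of the loader used (>= 0) and stores its status in
 * *status, or -1 if no loader recognises the file. */
static int probe_and_load(const uint8_t *file, size_t file_len,
                          chunk_t *out, int *status) {
    for (size_t i = 0; i < sizeof loaders / sizeof loaders[0]; i++) {
        if (file_len >= 4 && memcmp(file, loaders[i].magic, 4) == 0) {
            *status = loaders[i].load(file, file_len, out);
            return (int)i;
        }
    }
    return -1;
}

/* Writes a constructed sample file (magic, declared length, payload) to dst. */
static size_t make_sample(uint8_t *dst, const char *magic, uint32_t declared,
                          const uint8_t *payload, size_t payload_len) {
    memcpy(dst, magic, 4);
    for (int i = 0; i < 4; i++)
        dst[4 + i] = (uint8_t)(declared >> (8 * i));
    memcpy(dst + TOY_HDR_LEN, payload, payload_len);
    return TOY_HDR_LEN + payload_len;
}

/* Runs four constructed scenarios; returns how many behaved as expected. */
static int run_scenarios(void) {
    uint8_t f[64]; chunk_t out = { 0 }; int status = 0, ok = 0; size_t n;
    /* 1. Well-formed: declared length equals the payload present. */
    n = make_sample(f, "TOYB", 5, (const uint8_t *)"hello", 5);
    if (probe_and_load(f, n, &out, &status) == 1 && status == 0 && out.len == 5) ok++;
    free(out.data);
    /* 2. Header claims 100 bytes, only 2 follow: rejected before malloc. */
    n = make_sample(f, "TOYA", 100, (const uint8_t *)"hi", 2);
    if (probe_and_load(f, n, &out, &status) == 0 && status == -3) ok++;
    /* 3. Absurd declared length: rejected by the fixed maximum. */
    n = make_sample(f, "TOYA", 0xFFFFFFFFu, (const uint8_t *)"hi", 2);
    if (probe_and_load(f, n, &out, &status) == 0 && status == -2) ok++;
    /* 4. Unknown magic: no loader claims the file, whatever it was named. */
    n = make_sample(f, "NOPE", 5, (const uint8_t *)"hello", 5);
    if (probe_and_load(f, n, &out, &status) == -1) ok++;
    return ok;
}

int main(void) {
    printf("%d of 4 scenarios behaved as expected\n", run_scenarios());
    return 0;
}
```

Scenarios 2 and 3 are the ones that matter here: in each, a length field under the file author's control disagrees with the data that is really there, and the hardened loader refuses before it ever reaches malloc, which is exactly the step at which the advisory reports the real plug-in failing.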

 

Fix Information

***************

 

Nullsoft have provided a fix for this issue. Winamp version 5.03 addresses

the security issue discussed in this advisory. It can be obtained the

official website:

 

http://www.winamp.com/player/

 

To determine which version of Winamp you are currently using, load the

player, right-click the main window and select the top-most menu item,

'Nullsoft Winamp...'.

 

In the new window which loads make sure that the 'Winamp' tab is selected

and look for the copyright information, underneath this should be the

version information.

 

If you see a version and date matching 'v5.02 (x86) - Feb 4 2004' or older,

it is highly recommended that you update as soon as possible.

 

If for some reason it is impossible to download the updated version of

Winamp, the vendor has informed NGSS that it is possible to disable the

handling of Fasttracker 2 module files by taking the following steps:

 

1. Right click the Winamp player, go to 'Options' and then to

'Preferences...'.

 

2. In the new window which loads, go to 'Plug-ins' and 'Input'.

 

3. Look for the input plug-in items 'Nullsoft Module Decoder' and double

click it to bring up the 'Nullsoft Module Decoder Preferences' window.

 

4. Select the 'Fasttracker 2' loader and deselect the 'Enabled' checkbox to

the right of the loaders list.

 

5. Close all of the option windows and return to the main player.

 

About NGSSoftware

*****************

 

NGSSoftware design, research and develop intelligent, advanced application

security assessment scanners. Based in the United Kingdom, NGSSoftware have

offices in the South of London and the East Coast of Scotland. NGSSoftware's

sister company NGSConsulting, offers best of breed security consulting

services, specialising in application, host and network security

assessments.

 

http://www.ngssoftware.com/

 

Telephone +44 208 401 0070

Fax +44 208 401 0076

 

enquiries@ngssoftware.com



Copyright 2022, SecurityGlobal.net LLC