Winamp 2.91 lets code execution through MIDI files
#######################################################################
Luigi Auriemma
Application: Winamp
http://www.winamp.com and http://classic.winamp.com
Versions: Winamp 2.91 using IN_MIDI.DLL 3.01
(Winamp 3 crashes but I have not found methods to execute
code)
Platforms: Windows
Bugs: Code execution through malformed MIDI files
Risk: medium/high (exploitation has some limits)
Author: Luigi Auriemma
e-mail: aluigi@xxxxxxxx
web: http://aluigi.altervista.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
Winamp is probably the most famous media player for Win32 systems.
It supports a great amount of media formats moreover because a lot of
users write plugins for this really cool program.
A funny anecdote about the bug I have found is that I found it almost 9
months ago (beginning of January 2003) but I thought it was nothing of
interesting and I forgot it on my hard-disk for a lot of time...
#######################################################################
======
2) Bug
======
Winamp 2.91 uses a default plugin called IN_MIDI.DLL used to play MIDI
files.
The versions prior and equal to the 3.01 of this plugin let an
attacker to execute code on a victim simply setting the "Track data
size" value of a MIDI file to 0xffffffff.
Example:
4 bytes MIDI Header "MThd"
4 bytes Header data size 00000006
2 bytes Format 0000
2 bytes Number of tracks 0001
2 bytes Divisions 0001
4 bytes Track Header "MTrk"
4 bytes Track data size ffffffff <--- bug
... "aaaaaaaaaaaaaaaaaaaaa..." <--- fun
An important thing (and also the only limit for the attacker) is that
doesn't exist only one method to exploit this vulnerability because
the effects change about how the user opens the file and what MIDI
device he use:
drag'n'drop, normal file opening, midiOut and DirectMusic.
Then another note is that the code execution doesn't happen ever in the
same moment that the file is opened or played, in fact it can happen
after the second exception or when you close Winamp (also these effects
depend by the 4 options before).
Winamp3 seems partially vulnerable but I have not found a method to
overwrite the return address or to pass my custom address to the
instructions flow.
#######################################################################
===========
3) The Code
===========
No exploit.
#######################################################################
======
4) Fix
======
Nullsoft has been contacted a lot of time for over one month but nobody
has given me an answer or has patched the MIDI plugin.
However the effects of the bug limit the exploitation so if you use
Winamp, simply play MIDI files with another player until a patch will
be released.
#######################################################################
---
Luigi Auriemma
http://aluigi.altervista.org