<<< Date Index >>>     <<< Thread Index >>>

Re: Winamp - Buffer Overflow In IN_CDDA.dll



In-Reply-To: <KFEMINDBKGBEMHACCJHCKEFCFDAA.brett.moore@xxxxxxxxxxxxxxxxxxxxxxx>

Hello,

In my opinion the bug can't be exploited. I analized it in the debugger and 
found out that the address of the malicious code that is supposed to be 
executed has a NULL character. That means, that when we create the infected 
string in the .m3u file with the NULL char the malicious code won't be copied 
to the buffer as it would reside after the NULL char and the string would be 
cut.

In the proof of concept I found on the internet the shellcode address had no 
zeros and it is very strange for me.

I performed this check on WinXP SP1.

--------------
Black Dot

>Received: (qmail 28510 invoked from network); 23 Nov 2004 17:09:03 -0000
>Received: from outgoing.securityfocus.com (HELO outgoing2.securityfocus.com) 
>(205.206.231.26)
>  by mail.securityfocus.com with SMTP; 23 Nov 2004 17:09:03 -0000
>Received: from lists2.securityfocus.com (lists2.securityfocus.com 
>[205.206.231.20])
>       by outgoing2.securityfocus.com (Postfix) with QMQP
>       id F104314376E; Tue, 23 Nov 2004 09:55:33 -0700 (MST)
>Mailing-List: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
>Precedence: bulk
>List-Id: <bugtraq.list-id.securityfocus.com>
>List-Post: <mailto:bugtraq@xxxxxxxxxxxxxxxxx>
>List-Help: <mailto:bugtraq-help@xxxxxxxxxxxxxxxxx>
>List-Unsubscribe: <mailto:bugtraq-unsubscribe@xxxxxxxxxxxxxxxxx>
>List-Subscribe: <mailto:bugtraq-subscribe@xxxxxxxxxxxxxxxxx>
>Delivered-To: mailing list bugtraq@xxxxxxxxxxxxxxxxx
>Delivered-To: moderator for bugtraq@xxxxxxxxxxxxxxxxx
>Received: (qmail 24270 invoked from network); 22 Nov 2004 17:55:39 -0000
>Reply-To: <brett.moore@xxxxxxxxxxxxxxxxxxxxxxx>
>From: "Brett Moore" <brett.moore@xxxxxxxxxxxxxxxxxxxxxxx>
>To: "Bugtraq@Securityfocus. Com" <bugtraq@xxxxxxxxxxxxxxxxx>
>Subject: Winamp - Buffer Overflow In IN_CDDA.dll
>Date: Tue, 23 Nov 2004 13:13:56 +1300
>Message-ID: <KFEMINDBKGBEMHACCJHCKEFCFDAA.brett.moore@xxxxxxxxxxxxxxxxxxxxxxx>
>MIME-Version: 1.0
>Content-Type: text/plain;
>       charset="iso-8859-1"
>Content-Transfer-Encoding: 7bit
>X-Priority: 3 (Normal)
>X-MSMail-Priority: Normal
>X-Mailer: Microsoft Outlook IMO, Build 9.0.6604 (9.0.2911.0)
>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
>Importance: Normal
>X-OriginalArrivalTime: 23 Nov 2004 00:14:27.0242 (UTC) 
>FILETIME=[64F0E0A0:01C4D0F1]
>
>========================================================================
>= Winamp - Buffer Overflow In IN_CDDA.dll
>=
>= Vendor Update:  
>= http://www.winamp.com/player/
>=
>= Affected Software:
>=       Winamp 5.05 (only version tested)
>=
>= Public disclosure on November 23, 2004
>========================================================================
>
>== Overview ==
>
>In this time of responsible vulnerability disclosure, it's a little
>disturbing when a vendor acts on disclosed information but gives no
>recognition or even notification that an update has been created due to
>the information passed to them.
>
>This advisory is a little late, the update was posted to the vendor
>website last week. The only reason I know this, is because I asked and
>received a response.
>------------------------------------------------------------------------
>
>hi brett
>
>the problem was fixed in the lastest [sic] release of winamp.  
>version 5.06 went live on the site last thurday [sic].
>
>thanks
>
>jonathan ward
>
>------------------------------------------------------------------------
>
>But enough of that, we know the game and still choose to play.
>
>We discovered a remotely exploitable stack based buffer overflow in 
>winamp version 5.05. It is possible that earlier versions are also
>vulnerable and we recommend all users to upgrade to the latest version.
>
>The overflow can be caused in various ways, the most dangerous though is
>through a malformed .m3u playlist file. When hosted on a web site, these
>files will automatically downloaded and open in winamp without any user
>interaction. This is enough to cause the overflow that would allow a 
>malicious playlist to overwrite EIP and execute arbitrary code.
>
>== Exploitation ==
>
>When winamp opens the malformed playlist file, a first exception will 
>occur: 
>
>First Chance Exception in winamp.exe (IN_CDDA.DLL) : Access Violation
>At this location
>00A49BE8 88 4C 04 30          mov         byte ptr [esp+eax+30h],cl
>
>This exception will be handled by winamp, and execution will then 
>continue until it reaches the second exception at this location
>61616161   ???
>
>with the registers looking like;
>EAX = 0012A5D8 EBX = 0012C024
>ECX = 61616161 EDX = 77F96DAE
>ESI = 0012A600 EDI = 0046B9E0
>EIP = 61616161 ESP = 0012A540
>EBP = 0012A560 EFL = 00210246
>
>As can be seen, EIP has been overwritten with a value supplied through
>the malformed playlist file, 0x61616161 (aaaa) and since more playlist
>supplied data is located at the address pointed to by EDI, execution of
>malicious code is possible.
>
>== Solutions ==
>
>- Install the vendor supplied patch.
>
>== Credit ==
>
>Discovered and advised to Nullsoft October 14, 2004 by Brett Moore of
>Security-Assessment.com
>
>== About Security-Assessment.com ==
>
>Security-Assessment.com is a leader in intrusion testing and security
>code review, and leads the world with SA-ISO, online ISO17799 compliance
>management solution. Security-Assessment.com is committed to security
>research and development, and its team have previously identified a
>number of vulnerabilities in public and private software vendors products.
>
>######################################################################
>CONFIDENTIALITY NOTICE: 
>
>This message and any attachment(s) are confidential and proprietary. 
>They may also be privileged or otherwise protected from disclosure. If 
>you are not the intended recipient, advise the sender and delete this 
>message and any attachment from your system. If you are not the 
>intended recipient, you are not authorised to use or copy this message 
>or attachment or disclose the contents to any other person. Views 
>expressed are not necessarily endorsed by Security-Assessment.com 
>Limited. Please note that this communication does not designate an 
>information system for the purposes of the New Zealand Electronic 
>Transactions Act 2003.
>######################################################################
>