Home page logo
/

bugtraq logo Bugtraq mailing list archives

Multiple vulnerabilities in Winamp 5.61
From: Luigi Auriemma <aluigi () autistici org>
Date: Wed, 29 Jun 2011 20:02:31 +0100

#######################################################################

                             Luigi Auriemma

Application:  Winamp
              http://www.winamp.com
Versions:     <= 5.61
Platforms:    Windows
Bugs:         A] vp6 heap corruption
              B] h263 heap corruption
              C] nsvdec_vp5 frame heap overflow
              D] nsvdec_vp6 frame integer overflow
              E] nsvdec_vp3 frame heap overflow
              F] in_mod heap corruption
Date:         27 Jun 2011
Author:       Luigi Auriemma
              e-mail: aluigi () autistici org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Winamp is one of the most diffused and appreciated media players for
Windows.


#######################################################################

=======
2) Bugs
=======

----------------------
A] vp6 heap corruption
----------------------

The function 08607170 of vp6.w5s (base address 08600000) is used for
the FLV files encoded with the On2 TrueMotion VP6 codec and its job is
reading the big endian bitfields 1, 6, 1, 5 and 2
(http://wiki.multimedia.cx/index.php?title=On2_VP6) and then initialize
and allocating the memory and the other stuff needed for decoding the
frames.

If the 4th field ("version") is below/equal than 8 then it allocates
the needed memory otherwise it returns a NULL which is correctly
handled by the caller function that sets even a result value to -1 but
it's completely ignored by the rest of the code:

  086071BE  |. 6A 05          PUSH 5
  086071C0  |. 55             PUSH EBP
  086071C1  |. E8 1AFFFFFF    CALL vp6.086070E0             ; readbits 5
  086071C6  |. 6A 02          PUSH 2
  086071C8  |. 55             PUSH EBP
  086071C9  |. 8886 24030000  MOV BYTE PTR DS:[ESI+324],AL  ; bad: 9-31
  086071CF  |. E8 0CFFFFFF    CALL vp6.086070E0             ; readbits 2
  086071D4  |. 8886 25030000  MOV BYTE PTR DS:[ESI+325],AL
  086071DA  |. 8A86 24030000  MOV AL,BYTE PTR DS:[ESI+324]
  086071E0  |. 83C4 10        ADD ESP,10
  086071E3  |. 3C 08          CMP AL,8
  086071E5  |. 76 08          JBE SHORT vp6.086071EF        ; init
  086071E7  |. 5F             POP EDI
  086071E8  |. 33C0           XOR EAX,EAX                   ; quit
  086071EA  |. 5D             POP EBP
  086071EB  |. 83C4 18        ADD ESP,18
  086071EE  |. C3             RETN

So if that 4th field is greater than 8 it's possible to cause a heap
corruption and exploit the consequent write4 or controlloing the
registers with the data of the decoded frame.


-----------------------
B] h263 heap corruption
-----------------------

The problem is located in the inizialization of the frame for the h263
codec in FLV files (H263VIDEOPACKET) during the handling of the
CustomWidth and CustomHeight fields that will corrupt the data after
the allocated heap memory.
Exploitation may be possible but not so easily.


---------------------------------
C] nsvdec_vp5 frame heap overflow
---------------------------------

Classical heap overflow in nsvdec_vp5.dll caused by the setting of a
too small screen height with the consequent overflow during the
decompression of the frames.


------------------------------------
D] nsvdec_vp6 frame integer overflow
------------------------------------

Integer overflow caused by a multiplication that takes both the screen
width and height and uses them as signed 16bit values too.


---------------------------------
E] nsvdec_vp3 frame heap overflow
---------------------------------

Classical heap overflow in nsvdec_vp3.dll caused by the setting of a
too small screen width and height with the consequent overflow during
the decompression of the frames.
Note that in vp3 exists also an integer overflow like bug D but it's
not exploitable due to the memset with byte 0xff.


-------------------------
F] in_mod heap corruption
-------------------------

Heap corruption that causes problems during the freeing and reuse of
the memory through a modified number of samples in IT files.
No additional research has been performed.

Exploitation happens when the memory get freed so when the same or
another file is played or during the closing of Winamp.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/winamp_2.zip

Note the the provided proof-of-concept samples are just the original
files with some bytes modified, they have NOT been built from scratch
and are NOT optimized to demonstrate the classical possibility of code
execution (like registers set to 0x41414141 and so on).

A]
  00000246   46       FE

B]
  0000019A   80       FF
  0000019B   A0       FF
  0000019C   00       FF
  0000019D   86       FF
  0000019E   11       91

C]
  0000000E   80       01

C_]
  0000001C   09       00
  0000001D   08       00

D]
  0000000C   80       FF
  0000000D   02       FF
  0000000E   E0       01
  0000000F   01       00

E]
  0000000C   60       01
  0000000D   01       00
  0000000E   F0       01

F]
  00000024   17       09


#######################################################################

======
4) Fix
======


No fix.


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org


  By Date           By Thread  

Current thread:
  • Multiple vulnerabilities in Winamp 5.61 Luigi Auriemma (Jul 01)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault