Winamp ID3v2 Buffer Overflow
Source: http://security.lss.hr  Author: Leon  Published: 2005-07-19

Summary
Winamp is "a skinnable, multi-format, freeware audio player made by Nullsoft".

The vulnerability discovered in Winamp's ID3v2 could be used to spread malicious code such as a virus within MP3 files, which are commonly very trusted.

Credit:
The original article can be found at: http://security.lss.hr/index.php?page=details&ID=LSS-2005-07-14
The information has been provided by Leon Juranic.

Details
Vulnerable Systems:
* Winamp version 5.03a
* Winamp version 5.09
* Winamp version 5.091

Winamp is vulnerable to a buffer overflow when processing the ID3v2 tags of mp3 files. To exploit this vulnerability, a user has to add a malformed mp3 file to the Winamp playlist and play it. When playback of the mp3 file finishes, the playlist is updated, and if some part of the ID3v2 tag (e.g. ARTIST or TITLE) is too long, it is possible to overflow a value that is later used as the source address in a strcpy() call. That strcpy() call can in turn overflow a value (in the DATA segment) that a later jump instruction uses to direct code execution to an attacker-supplied buffer, where malicious code is executed.
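The defect described above is a tag field copied into a fixed-size destination with strcpy(), with no check of the field's length. The following C program is an added example, not code from the advisory or from Winamp, showing the defensive alternative: an ID3v2.3 text-frame reader that validates the header and frame sizes against the buffer it was given and copies frame text with an explicit bound. MAX_TEXT, the helper names and the tag bytes produced by build_tag() are constructed for this example.

```c
/* Added example, not code from the advisory or from Winamp: a bounds-checked
 * ID3v2.3 text-frame reader. It shows the defensive alternative to copying a
 * tag field into a fixed-size buffer with strcpy(). MAX_TEXT and the tag bytes
 * built by build_tag() are constructed for this example. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAX_TEXT 63 /* hypothetical destination size; longer frames are truncated */

/* ID3v2 header size: four "syncsafe" bytes, 7 data bits each, high bit clear. */
static uint32_t syncsafe_to_u32(const uint8_t *p) {
    return ((uint32_t)(p[0] & 0x7f) << 21) | ((uint32_t)(p[1] & 0x7f) << 14) |
           ((uint32_t)(p[2] & 0x7f) << 7)  |  (uint32_t)(p[3] & 0x7f);
}

/* Copies the text of the first frame with the given 4-byte id into out, which
 * is always NUL-terminated and never written past out_len bytes. Returns 1 if
 * the frame was found, 0 if it is absent or the tag is malformed; *truncated
 * is set when the frame text was longer than the destination. */
int id3v2_get_text(const uint8_t *tag, size_t tag_len, const char *id,
                   char *out, size_t out_len, int *truncated) {
    *truncated = 0;
    out[0] = '\0';
    if (tag_len < 10 || memcmp(tag, "ID3", 3) != 0 || tag[3] != 3) return 0;
    if (tag[5] & 0x40) return 0;            /* extended header: not handled here */
    uint32_t body = syncsafe_to_u32(tag + 6);
    if (body > tag_len - 10) return 0;      /* declared size exceeds the buffer */
    size_t pos = 10, end = 10 + body;
    while (pos + 10 <= end) {
        const uint8_t *f = tag + pos;
        if (f[0] == 0) break;               /* reached the padding */
        /* v2.3 frame sizes are plain big-endian, not syncsafe */
        uint32_t flen = ((uint32_t)f[4] << 24) | ((uint32_t)f[5] << 16) |
                        ((uint32_t)f[6] << 8)  |  (uint32_t)f[7];
        if (flen > end - (pos + 10)) return 0; /* frame runs past the tag body */
        if (memcmp(f, id, 4) == 0) {
            if (flen == 0) return 1;        /* empty frame, out stays "" */
            size_t n = flen - 1;            /* first byte is the text encoding */
            if (n >= out_len) { n = out_len - 1; *truncated = 1; }
            memcpy(out, f + 11, n);         /* bounded copy instead of strcpy() */
            out[n] = '\0';
            return 1;
        }
        pos += 10 + flen;
    }
    return 0;
}

/* Constructs a minimal ID3v2.3 tag holding one TIT2 frame whose text is
 * title_len bytes of 'A'. Returns the tag length, or 0 if buf is too small. */
size_t build_tag(uint8_t *buf, size_t buf_len, size_t title_len) {
    size_t flen = 1 + title_len;            /* encoding byte + text */
    size_t body = 10 + flen;                /* one frame header + frame data */
    size_t total = 10 + body;
    if (total > buf_len || body > 0x0fffffff) return 0;
    memcpy(buf, "ID3", 3);
    buf[3] = 3; buf[4] = 0; buf[5] = 0;     /* version 2.3.0, no flags */
    buf[6] = (body >> 21) & 0x7f; buf[7] = (body >> 14) & 0x7f;
    buf[8] = (body >> 7) & 0x7f;  buf[9] = body & 0x7f;
    memcpy(buf + 10, "TIT2", 4);
    buf[14] = (flen >> 24) & 0xff; buf[15] = (flen >> 16) & 0xff;
    buf[16] = (flen >> 8) & 0xff;  buf[17] = flen & 0xff;
    buf[18] = 0; buf[19] = 0;               /* frame flags */
    buf[20] = 0;                            /* ISO-8859-1 text encoding */
    memset(buf + 21, 'A', title_len);
    return total;
}

/* Builds a tag with a title of title_len bytes, reads TIT2 back through the
 * checked reader and returns how many bytes reached the destination (-1 on a
 * parse failure). The truncation flag is stored when truncated is non-NULL. */
int demo_title(size_t title_len, int *truncated) {
    uint8_t tag[1024];
    char title[MAX_TEXT + 1];
    int tr = 0;
    size_t n = build_tag(tag, sizeof tag, title_len);
    if (n == 0 || !id3v2_get_text(tag, n, "TIT2", title, sizeof title, &tr))
        return -1;
    if (truncated) *truncated = tr;
    return (int)strlen(title);
}

/* Same check, returning only whether the title was truncated (-1 on failure). */
int demo_truncated(size_t title_len) {
    int tr = 0;
    return demo_title(title_len, &tr) < 0 ? -1 : tr;
}

int main(void) {
    int tr;
    int a = demo_title(5, &tr);
    printf("5-byte title:   copied %d bytes, truncated=%d\n", a, tr);
    int b = demo_title(300, &tr);
    printf("300-byte title: copied %d bytes, truncated=%d\n", b, tr);
    return 0;
}
```

The two size checks are the point: the header's declared body size is compared against the bytes actually available, and each frame's declared size is compared against the remaining body, so a tag that lies about either is rejected before any copy. A 300-byte title, which would have overrun a fixed destination in the pattern the advisory describes, is cut at MAX_TEXT and reported as truncated.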

Before it is possible to overflow the important value in the DATA segment, a simple "sanity check" has to be passed. In the following piece of asm code, we control the EAX register (because of the first overflow), and after the function returns, that EAX is used as the source address for strcpy().

This "sanity check" code tests whether the value 0x00000001 (ECX) is in memory at offset 0x9B4 from the address in EAX. If that condition is true, the function returns and the same EAX content is used as the source address in strcpy(). If the condition is false, EAX is set to the value located at offset 0x9B8 from the current EAX address, and the program jumps back to the beginning of the loop.

--------------------------------------------------------
004371FA /$ 8B4424 04       MOV EAX,DWORD PTR SS:[ESP+4]
004371FE |> 85C0           /TEST EAX,EAX
00437200 |. 74 14          |JE SHORT Winamp.00437216
00437202 |. 8B88 B4090000  |MOV ECX,DWORD PTR DS:[EAX+9B4]
00437208 |. 3B4C24 08      |CMP ECX,DWORD PTR SS:[ESP+8]
0043720C |. 74 0D          |JE SHORT Winamp.0043721B
0043720E |. 8B80 B8090000  |MOV EAX,DWORD PTR DS:[EAX+9B8]
00437214 |.^EB E8          \JMP SHORT Winamp.004371FE
00437216 |> B8 DC124600     MOV EAX,Winamp.004612DC ; ASCII "No Entry"
0043721B \> C3              RETN
--------------------------------------------------------


Here is that asm code roughly reversed:

#include <stddef.h>

/* arg is the value in EAX (from [ESP+4]); val is the value at [ESP+8] */
char *check (char *arg, int val) // val = 0x00000001
{
    while (arg != NULL)
    {
        if (*((int*)&arg[2484]) == val) // 0x9b4 = dec. 2484
            return arg;
        else
            arg = (char*)*((long*)&arg[2488]); // 0x9b8 = dec. 2488: follow the link to the next entry (32-bit long)
    }
    arg = "No Entry";
    return arg;
}

To bypass that check, EAX (arg) has to be set to the address of a string buffer such that the value at address EAX+9B4 is 0x00000001 (val), and that string still has to be long enough to overflow onto the "jump address". The string needs to be at least 284 bytes long to reach the "jump address" in the DATA segment. The ID3v2 data resides in the DATA segment (which is static), and there are a lot of 0x00000001 values in it, so it is possible to determine a static address that will work every time for certain Winamp and Windows versions.

Because, whenever the condition EAX+9B4=0x00000001 isn't met, EAX is set to the value at address EAX+9B8 and the condition is tested again, it may even be possible to create brute-force buffer(s) that "scan" the memory for 0x00000001, but this is purely theoretical and probably unlikely.

When the "sanity check" is bypassed, strcpy() is executed and the "jump address" is overflowed. That strcpy() code is shown below.

--------------------------------------------------------
00438D59 |. 50              PUSH EAX                    ; /src = "FFFFFFFFFFFFFFFFFFFF..."
00438D5A |. FF75 08         PUSH DWORD PTR SS:[EBP+8]   ; |dest
00438D5D |. E8 60D20100     CALL <JMP.&MSVCRT.strcpy>   ; \strcpy
--------------------------------------------------------


The destination address for strcpy() is 280 bytes away from the "jump address" that has to be overflowed to redirect code execution. In this particular example, it is 0x00470D40.

After that is done, the next piece of code takes the overflowed "jump address" from address 0x00470E58 and points code execution at it.

--------------------------------------------------------
0041D440 /$ A1 580E4700     MOV EAX,DWORD PTR DS:[470E58]
0041D445 |. 85C0            TEST EAX,EAX
0041D447 |. 74 03           JE SHORT winamp.0041D44C
0041D449 |. FF60 48         JMP DWORD PTR DS:[EAX+48]   <- 0wnZ Winamp
0041D44C \> C3              RETN
--------------------------------------------------------


It's possible to reliably exploit this vulnerability on Windows XP SP1 and Windows 2000 SP0, with Winamp versions 5.03a, 5.09 and 5.091.

It is important to say that this vulnerability is not easy to exploit, but with the help of static addresses from the DATA segment, it is possible to create a reliable exploit. Besides, there are a few possible exploitation vectors for this vulnerability, depending on what actions the user performs on the malformed mp3 file. For example, in version 5.03a, if the malformed mp3 file is added to the playlist with the 'add-folder' option, the previously mentioned "sanity check" does not need to be bypassed.

Proof of concept:
http://security.lss.hr/PoC/demo.mp3
