Multiple Buffer Overflows in Winamp v5.5.8.2985
Source: aluigi.org   Author: Auriemma   Published: 2010-10-14

Source: http://aluigi.org/adv/winamp_1-adv.txt
#######################################################################

                             Luigi Auriemma

Application:  Winamp
              http://www.winamp.com
Versions:     <= 5.5.8.2985 (aka v5.581)
Platforms:    Windows
Bugs:         A] integer overflow in in_mkv
              B] integer overflow in in_nsv
              C] integer overflow in in_midi
              D] buffer-overflow in in_mod
Exploitation: remote, versus server
Date:         13 Oct 2010
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Winamp is one of the most widespread and appreciated media players for
Windows.


#######################################################################

=======
2) Bugs
=======

-----------------------------
A] integer overflow in in_mkv
-----------------------------

The in_mkv plugin uses a particular function (address 077078c0) for
reading text strings from Matroska containers. It reads the EBML
numeric value (64-bit), allocates memory for that value (handled as
32-bit) plus 1, and then reads the data from the file into it, leading
to possible code execution:

  buff = malloc(size + 1);            /* 32-bit size + 1 wraps to 0 for size 0xffffffff */
  if(buff) fread(buff, 1, size, fd);  /* all 'size' bytes are read into the undersized buffer */
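
A hardened reader for the pattern in A], added here as an example that is not Winamp's code or the advisory's PoC; the 16 MiB cap, the function names and the constructed "hello" input are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Upper bound on one Matroska text string this reader accepts. The value is an
 * assumption for this example; in_mkv applies no such bound, which is the bug. */
#define MAX_STRING_LEN ((uint64_t)16 * 1024 * 1024)
/* Validate the 64-bit EBML element length before it is narrowed to a 32-bit
 * allocation size. On success *alloc_out holds size + 1 (room for a NUL).
 * Rejects 0xffffffff, where the original "size + 1" wraps to 0, and any
 * larger value whose low 32 bits would misrepresent the real length. */
int ebml_string_size_ok(uint64_t size, size_t *alloc_out)
{
    if (size > MAX_STRING_LEN) return 0;
    *alloc_out = (size_t)size + 1;      /* cannot wrap: size <= 16 MiB */
    return 1;
}
/* Hardened form of the advisory's pattern:
 *   buff = malloc(size + 1); if(buff) fread(buff, 1, size, fd);
 * Returns a NUL-terminated string, or NULL on bad length, OOM or short read. */
char *read_ebml_string(FILE *fd, uint64_t size)
{
    size_t alloc;
    if (!ebml_string_size_ok(size, &alloc)) return NULL;
    char *buff = malloc(alloc);
    if (!buff) return NULL;
    if (fread(buff, 1, (size_t)size, fd) != (size_t)size) {
        free(buff);                     /* header claimed more than the file holds */
        return NULL;
    }
    buff[size] = '\0';
    return buff;
}
/* Self-check on a constructed in-memory file holding the 5-byte string "hello". */
int demo_selfcheck(void)
{
    FILE *fd = tmpfile();
    if (!fd) return 0;
    fputs("hello", fd);
    rewind(fd);
    char *s = read_ebml_string(fd, 5);              /* honest length: accepted */
    int ok = s != NULL && strcmp(s, "hello") == 0;
    free(s);
    rewind(fd);
    ok = ok && read_ebml_string(fd, 0xffffffffULL) == NULL;  /* wrap-around length */
    rewind(fd);
    ok = ok && read_ebml_string(fd, 10) == NULL;    /* length exceeds file contents */
    fclose(fd);
    return ok;
}
```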


-----------------------------
B] integer overflow in in_nsv
-----------------------------

The in_nsv plugin is affected by a heap overflow caused by the function
(address 077ca422) that first checks the size of the metadata string
contained in the file after adding 1 to it, and then copies 0x1fffffff
bytes into a heap buffer, leading to possible code execution
(077C8577 CALL DWORD PTR DS:[EAX+8]):

  /* size 0xffffffff passes the "size + 1" check, and 0xffffffff >> 3 is 0x1fffffff */
  memcpy(heap_buffer, attacker_data, size >> 3);


------------------------------
C] integer overflow in in_midi
------------------------------

The in_midi plugin is affected by a heap overflow during the handling
of HMP files (a format used in some old DOS games), where a
variable-length 32-bit value is used to copy data with memcpy() from
the attacker's data into a heap buffer that has not been reallocated
to the needed size because of an integer overflow.
It does not seem possible to control code execution.


----------------------------
D] buffer-overflow in in_mod
----------------------------

The in_mod plugin is affected by a stack overflow that happens during
the handling of a malformed MTM file, but it requires that the user
manually clicks in the player to view the detailed information of the
track.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/winamp_1.zip
http://www.exploit-db.com/sploits/winamp_1_13Oct10.zip


#######################################################################

======
4) Fix
======


No fix.


#######################################################################

