
winampheap.txt

Posted Apr 5, 2004
Authored by Peter Winter-Smith | Site ngssoftware.com

NGSSoftware Insight Security Research Advisory #NISR05042004 - Due to a lack of boundary checking within the code responsible for loading Fasttracker 2 (.xm) mod media files by the Winamp media plug-in in_mod.dll, it is possible to make Winamp overwrite arbitrary heap memory and reliably cause an access violation within the ntdll.RtlAllocateHeap() function. When properly exploited this allows an attacker to write any value to a memory location of their choosing. In doing so, the attacker can gain control of Winamp's flow of execution to run arbitrary code. This code will run in the security context of the logged on user.

tags | advisory, arbitrary
SHA-256 | f19369974724e97b0e10b88bb80392f6506e21880ffcc74b92f2f54c0d616991

NGSSoftware Insight Security Research Advisory

Name: Nullsoft Winamp 'in_mod.dll' Heap Overflow
Systems Affected: Nullsoft Winamp versions 2.91 to 5.02 (possibly older
versions, although this is not confirmed)
Severity: High Risk
Vendor URL: http://www.winamp.com/
Author: Peter Winter-Smith [ peter@ngssoftware.com ]
Date Vendor Notified: 20th Feb 2004
Date of Public Advisory: 5th April 2004
Advisory number: #NISR05042004
Advisory URL: http://www.ngssoftware.com/advisories/winampheap.txt

Description
***********

Winamp is one of the world's most popular pieces of software for playing
digital media. It supports in excess of 30 file types and boasts a huge
dedicated community backing it with almost 20,000 skins and over 461
additional components. To date CNET's download.com alone reports more than
31,000,000 downloads of Winamp versions 2.91 to 5.02.

Details
*******

Due to a lack of boundary checking within the code responsible for loading
Fasttracker 2 ('.xm') mod media files by the Winamp media plug-in
'in_mod.dll', it is possible to make Winamp overwrite arbitrary heap memory
and reliably cause an access violation within the ntdll.RtlAllocateHeap()
function. When properly exploited this allows an attacker to write any value
to a memory location of their choosing. In doing so, the attacker can gain
control of Winamp's flow of execution to run arbitrary code. This code will
run in the security context of the logged-on user.

NGSS researchers have proven that code execution is possible and that the
malicious media file can be activated remotely simply by rendering a
specially crafted html document.

It has also been discovered that the malicious file does not necessarily
need to bear the extension '.xm'. This is due to the fact that 'in_mod.dll'
will automatically determine which type of mod media file has been opened by
performing certain tests on the file before attempting to load it. The
testing is performed by passing the file through all the available loaders
to see if one is able to handle it.

As a result of this the malicious file can have the extension of any of the
supported module file types associated with the loaders in 'in_mod.dll' and
still produce the same effect.
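As an added defensive illustration (not code from the advisory, from Winamp or from in_mod.dll), the following C reader identifies a Fasttracker 2 file by its content rather than its extension, as the in_mod.dll loaders do, and bounds every header-supplied length by the bytes actually read before copying anything. The XM field offsets come from the public XM format description and are an assumption here, since the advisory does not name the field that overflows; the sample header the second function builds is constructed test data, not a real song.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Fasttracker 2 (.xm) header offsets, from the public XM format description
   (an assumption of this example; the advisory itself names no field). */
#define XM_MAGIC       "Extended Module: "
#define XM_MAGIC_LEN   17
#define XM_HDRSIZE_OFF 60                   /* dword header size, counts itself */
#define XM_ORDERS_OFF  80                   /* pattern order table, <= 256 bytes */
#define XM_SAMPLE_LEN  (XM_ORDERS_OFF + 256)

enum xm_status { XM_OK, XM_NOT_XM, XM_TRUNCATED, XM_BAD_FIELD };
struct xm_info { uint16_t song_len; uint8_t orders[256]; };
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }

/* Identify the file by content (its extension is not trusted) and bound every
   length taken from the header by the bytes actually present before copying. */
enum xm_status xm_parse_header(const uint8_t *buf, size_t len, struct xm_info *out)
{
    if (len < XM_MAGIC_LEN || memcmp(buf, XM_MAGIC, XM_MAGIC_LEN) != 0)
        return XM_NOT_XM;
    if (len < XM_HDRSIZE_OFF + 4)
        return XM_TRUNCATED;
    uint32_t hdr_size = rd32(buf + XM_HDRSIZE_OFF);
    /* header covers its own 4 bytes plus 16 fixed fields, and may not claim
       more bytes than the buffer holds: the kind of boundary check at issue */
    if (hdr_size < 20 || hdr_size > len - XM_HDRSIZE_OFF)
        return XM_BAD_FIELD;
    out->song_len = rd16(buf + XM_HDRSIZE_OFF + 4);   /* entries in order table */
    size_t order_bytes = hdr_size - 20;               /* order bytes inside header */
    if (out->song_len > order_bytes || out->song_len > sizeof out->orders)
        return XM_BAD_FIELD;
    memset(out->orders, 0, sizeof out->orders);
    memcpy(out->orders, buf + XM_ORDERS_OFF, out->song_len);   /* bounded copy */
    return XM_OK;
}

/* Constructed sample header (not a real song) with caller-chosen header-size
   and song-length fields, so the checks above can be exercised offline. */
void xm_build_sample(uint8_t buf[XM_SAMPLE_LEN], uint32_t hdr_size, uint16_t song_len)
{
    memset(buf, 0, XM_SAMPLE_LEN);
    memcpy(buf, XM_MAGIC, XM_MAGIC_LEN);
    wr16(buf + XM_HDRSIZE_OFF, hdr_size & 0xffff);
    wr16(buf + XM_HDRSIZE_OFF + 2, hdr_size >> 16);
    wr16(buf + XM_HDRSIZE_OFF + 4, song_len);
    for (int i = 0; i < 256; i++) buf[XM_ORDERS_OFF + i] = (uint8_t)i;
}
```

A renamed file with XM content is still recognised as XM, and a file whose header size or song length exceeds what was actually read is rejected before any copy takes place.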

Fix Information
***************

Nullsoft have provided a fix for this issue. Winamp version 5.03 addresses
the security issue discussed in this advisory. It can be obtained from the
official website:

http://www.winamp.com/player/

To determine which version of Winamp you are currently using, load the
player, right-click the main window and select the top-most menu item,
'Nullsoft Winamp...'.

In the new window which loads make sure that the 'Winamp' tab is selected
and look for the copyright information, underneath this should be the
version information.

If you see a version and date matching 'v5.02 (x86) - Feb 4 2004' or older,
it is highly recommended that you update as soon as possible.

If for some reason it is impossible to download the updated version of
Winamp, the vendor has informed NGSS that it is possible to disable the
handling of Fasttracker 2 module files by taking the following steps:

1. Right click the Winamp player, go to 'Options' and then to
'Preferences...'.

2. In the new window which loads, go to 'Plug-ins' and 'Input'.

3. Look for the input plug-in item 'Nullsoft Module Decoder' and double
click it to bring up the 'Nullsoft Module Decoder Preferences' window.

4. Select the 'Fasttracker 2' loader and deselect the 'Enabled' checkbox to
the right of the loaders list.

5. Close all of the option windows and return to the main player.

About NGSSoftware
*****************

NGSSoftware design, research and develop intelligent, advanced application
security assessment scanners. Based in the United Kingdom, NGSSoftware have
offices in the South of London and the East Coast of Scotland. NGSSoftware's
sister company NGSConsulting offers best of breed security consulting
services, specialising in application, host and network security
assessments.

http://www.ngssoftware.com/

Telephone +44 208 401 0070
Fax +44 208 401 0076

enquiries@ngssoftware.com
