nullsoft-winamp-it_module-in_mod-adv.txt

Posted Apr 8, 2007
Authored by Piotr Bania | Site piotrbania.com

AOL Nullsoft Winamp IT module IN_MOD.DLL suffers from a remote heap memory corruption vulnerability.

tags | advisory, remote
MD5 | a472984363a7ed6bc383af106aa1c4fd


AOL Nullsoft Winamp IT Module "IN_MOD.DLL" Remote Heap Memory Corruption
by Piotr Bania <bania.piotr@gmail.com>
http://www.piotrbania.com


Severity: Important - Potential remote code execution.

Software affected: Tested on AOL Nullsoft Winamp v5.33 (x86) Feb 13 2007
(on Windows XP SP1/SP2).


Original url: http://www.piotrbania.com/all/adv/nullsoft-winamp-it_module-in_mod-adv.txt




0. DISCLAIMER

The author takes no responsibility for any actions taken with the provided
information or code. The copyright for any material created by the author is
reserved. Any duplication of the code or text provided here in electronic or
printed publications is not permitted without the author's agreement.


I. BACKGROUND


AOL Nullsoft Winamp is the most popular multimedia player in the world.
in_mod.dll is one of Winamp's input plugins (it handles tracker module formats).


II. DESCRIPTION


The problem occurs when Winamp tries to play a specially crafted .IT file.

IT is the proprietary module format used by Impulse Tracker, offering more
advanced features than MOD or S3M before it. These include a larger limit on
the number of rows in a pattern, higher quality samples, and additional
effects.


Take a look at this code snippet:

----// SNIP SNIP //-------------------------------------------------
.text:00E97BCA write_looop: ; CODE XREF: sub_E97976+29Dj
.text:00E97BCA mov edx, [ebp+6Ch+arg_0]
.text:00E97BCD mov ecx, [ebx+18h]
.text:00E97BD0 mov dx, [eax+edx*2]
.text:00E97BD4 mov [eax+ecx*2], dx
.text:00E97BD8 mov eax, [ebx+370h]
.text:00E97BDE mov ecx, [ebx+18h]
.text:00E97BE1 mov cx, [eax+ecx*2]
.text:00E97BE5 cmp cx, [esi+6Eh]
.text:00E97BE9 jnb short loc_E97C09
.text:00E97BEB mov al, [ebx+18h]
.text:00E97BEE mov ecx, [ebp+6Ch+arg_0]
.text:00E97BF1 mov [ecx+esi+148h], al ; BANG
.text:00E97BF8 mov eax, [ebx+370h]
.text:00E97BFE cmp word ptr [eax+ecx*2], 0FEh
.text:00E97C04 jnb short loc_E97C09
.text:00E97C06 inc dword ptr [ebx+18h]
.text:00E97C09
.text:00E97C09 loc_E97C09: ; CODE XREF: sub_E97976+273j
.text:00E97C09 ; sub_E97976+28Ej
.text:00E97C09 movzx ecx, word ptr [esi+68h] ; ecx=controlled value (from offset 0x20)
.text:00E97C0D inc [ebp+6Ch+arg_0]
.text:00E97C10 cmp [ebp+6Ch+arg_0], ecx
.text:00E97C13 jb short write_looop
----// SNIP SNIP //-------------------------------------------------


The memory is overwritten at 0x00E97BF1. The description of this disassembly
listing is pretty similar to the one written in the S3M module files advisory.
Due to my laziness I will not repeat it again.
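The loop in the listing takes its bound from the 16-bit order count at offset 0x20 of the IT header and writes one byte per iteration into a fixed-size table, so a file can make it run past the table. As an added defensive illustration (not the advisory's or Winamp's code), the following C program shows the same copy with the missing check: the file-supplied count is compared against the destination table and the file length before any write. The table size of 256 and the check functions are assumptions for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Assumed capacity of the fixed order table in the module state; the
 * advisory does not give the real size, so 256 (the IT format's maximum
 * order count) is used as a placeholder. */
#define MAX_ORDERS 256
#define IT_HEADER_LEN 0xC0  /* fixed IT header size; the order list follows it */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Bounds-checked counterpart of the copy loop in the listing: the loop bound
 * is OrdNum at offset 0x20, so it is checked against both the destination
 * table and the file length before anything is written. Returns the number
 * of orders copied, or -1 if the file is rejected. */
int load_it_orders(const uint8_t *file, size_t len, uint8_t *table, size_t table_len) {
    if (len < IT_HEADER_LEN || memcmp(file, "IMPM", 4) != 0) return -1;
    uint16_t ord_num = rd16(file + 0x20);
    if (ord_num > table_len) return -1;           /* would run past the table */
    if (ord_num > len - IT_HEADER_LEN) return -1;  /* file shorter than claimed */
    memcpy(table, file + IT_HEADER_LEN, ord_num);
    return (int)ord_num;
}

/* Constructed input: zeroed header with the magic, OrdNum at 0x20 and
 * `body` order bytes appended. Returns the total length produced. */
static size_t make_sample(uint8_t *buf, uint16_t ord_num, size_t body) {
    memset(buf, 0, IT_HEADER_LEN + body);
    memcpy(buf, "IMPM", 4);
    buf[0x20] = (uint8_t)(ord_num & 0xFF);
    buf[0x21] = (uint8_t)(ord_num >> 8);
    for (size_t i = 0; i < body; i++) buf[IT_HEADER_LEN + i] = (uint8_t)i;
    return IT_HEADER_LEN + body;
}

int check_benign(void) {      /* 4 orders, all present: returns 4 */
    uint8_t file[IT_HEADER_LEN + 4], table[MAX_ORDERS];
    return load_it_orders(file, make_sample(file, 4, 4), table, MAX_ORDERS);
}

int check_oversized(void) {   /* OrdNum 0xFFFF exceeds the table: -1 */
    uint8_t file[IT_HEADER_LEN + 16], table[MAX_ORDERS];
    return load_it_orders(file, make_sample(file, 0xFFFF, 16), table, MAX_ORDERS);
}

int check_truncated(void) {   /* OrdNum 200 but only 8 bytes follow: -1 */
    uint8_t file[IT_HEADER_LEN + 8], table[MAX_ORDERS];
    return load_it_orders(file, make_sample(file, 200, 8), table, MAX_ORDERS);
}
```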



III. IMPACT

Successful exploitation may allow the attacker to run arbitrary code in the
context of the user running AOL Nullsoft Winamp.


IV. VENDOR RESPONSE

Because I looked for an AOL Nullsoft contact for over 30 minutes with no
effect, I finally got bored and have not notified them at all.

