nullsoftwinamp-dos.txt
Posted Aug 1, 2007
Authored by destructor, nait

Nullsoft's Winamp Lite versions 5.35 and below suffer from a denial of service condition.

tags | advisory, denial of service
SHA-256 | 00c70240c9cd8fa3cc700af00d46e17d580294f07d99fe645c232b4d5d1d74ce


---------------------------------------------------
| BuHa Security-Advisory #15 | Jul 30th, 2007 |
---------------------------------------------------
| Vendor | Nullsoft's Winamp (Lite) |
| URL | http://www.winamp.com/ |
| Version | <= 5.35 |
| Risk | Low (Denial Of Service) |
---------------------------------------------------

o Description:
=============

Winamp is a proprietary media player for Windows systems. Visit
http://www.winamp.com/ for detailed information.

o Denial Of Service:
===================

The M3U file format allows local and remote files to be included simply by
specifying the path to the desired file. Furthermore, Winamp does not check
whether the M3U file to be included is the M3U file currently being
processed, so it is possible to force Winamp to read a certain M3U file
recursively. Winamp allocates memory on each iteration, which leads to a
stack overflow exception (0xc00000fd).

You can test this bug yourself simply by creating a file named 'a.m3u'
with the content 'a.m3u'. If you are using the standard version of Winamp
(not the Lite version), you only have to add the M3U file to Winamp, for
example by dragging the file into the playlist.

The Lite version catches the exception and exits if you add the malformed
M3U file to the playlist. If you use the "Enqueue in Winamp" option (if
configured, you will find it in the context menu), Winamp Lite does not
catch the exception and crashes as well.

It is also possible to add a remote file to the playlist by clicking
Add -> Add URL and entering a URL like:
http://morph3us.org/security/pen-testing/winamp/a.m3u
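
As an added illustration (not part of the advisory or of Winamp's code), a minimal Python playlist loader that reproduces the missing self-include check described above beside a hardened version that tracks the current include chain and caps nesting depth. The file names are constructed, and the depth limit of 8 is an assumption, not a Winamp value.

```python
import os
import tempfile

def entries(path):
    """Non-empty, non-comment lines of a local M3U file, resolved beside it."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return [os.path.join(os.path.dirname(path), ln.strip())
                for ln in fh if ln.strip() and not ln.startswith("#")]

def expand_naive(path):
    """No check at all, as the advisory describes: a self-listing file recurses forever."""
    tracks = []
    for e in entries(path):
        tracks.extend(expand_naive(e) if e.lower().endswith(".m3u") else [e])
    return tracks

def expand_safe(path, depth=0, chain=()):
    """Hardened: refuse a playlist already on the include chain, and cap nesting depth."""
    real = os.path.realpath(path)
    if real in chain:
        raise ValueError("playlist include loop at " + path)
    if depth > 8:  # assumed cap on nesting; not a value taken from Winamp
        raise ValueError("playlist nested too deep at " + path)
    tracks = []  # chain is a tuple per path, so siblings may share a sub-playlist
    for e in entries(path):
        if e.lower().endswith(".m3u"):
            tracks.extend(expand_safe(e, depth + 1, chain + (real,)))
        else:
            tracks.append(e)
    return tracks

def demo():
    """Constructed sample: the advisory's 'a.m3u' listing itself, plus a benign
    two-level playlist. Returns (naive_crashed, safe_refused, benign_track_count)."""
    with tempfile.TemporaryDirectory() as d:
        files = {"a.m3u": "a.m3u\n", "sub.m3u": "#EXTM3U\ns1.mp3\ns2.mp3\n",
                 "top.m3u": "intro.mp3\nsub.m3u\n"}
        for name, body in files.items():
            with open(os.path.join(d, name), "w") as fh:
                fh.write(body)
        a = os.path.join(d, "a.m3u")
        naive_crashed = safe_refused = False
        try:
            expand_naive(a)
        except RecursionError:  # the unbounded recursion the advisory reports
            naive_crashed = True
        try:
            expand_safe(a)
        except ValueError as err:
            safe_refused = "loop" in str(err)
        return naive_crashed, safe_refused, len(expand_safe(os.path.join(d, "top.m3u")))
```

Python raises RecursionError instead of faulting, but the loader logic is the same; the benign playlist still resolves to three tracks.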

These are the register values and the ASM dump at the time of the stack
overflow exception:
> eax=00000d64 ebx=0000025b ecx=00032b90 edx=7c91eb94 esi=00000000
> edi=000381c0 eip=0045ffe5 esp=00036b88 ebp=00036b90
>
> Function: winamp
> 0045ffba cc int 3
> 0045ffbb cc int 3
> 0045ffbc cc int 3
> 0045ffbd cc int 3
> 0045ffbe cc int 3
> 0045ffbf cc int 3
> 0045ffc0 3d00100000 cmp eax,0x1000
> 0045ffc5 730e jnb winamp+0x5ffd5 (0045ffd5)
> 0045ffc7 f7d8 neg eax
> 0045ffc9 03c4 add eax,esp
> 0045ffcb 83c004 add eax,0x4
> 0045ffce 8500 test [eax],eax
> 0045ffd0 94 xchg eax,esp
> 0045ffd1 8b00 mov eax,[eax]
> 0045ffd3 50 push eax
> 0045ffd4 c3 ret
> 0045ffd5 51 push ecx
> 0045ffd6 8d4c2408 lea ecx,[esp+0x8]
> 0045ffda 81e900100000 sub ecx,0x1000
> 0045ffe0 2d00100000 sub eax,0x1000
> FAULT ->0045ffe5 8501 test [ecx],eax
> ds:0023:00032b90=00000000
> 0045ffe7 3d00100000 cmp eax,0x1000
> 0045ffec 73ec jnb winamp+0x5ffda (0045ffda)
> 0045ffee 2bc8 sub ecx,eax
> 0045fff0 8bc4 mov eax,esp
> 0045fff2 8501 test [ecx],eax
> 0045fff4 8be1 mov esp,ecx
> 0045fff6 8b08 mov ecx,[eax]
> 0045fff8 8b4004 mov eax,[eax+0x4]
> 0045fffb 50 push eax
> 0045fffc c3 ret
> 0045fffd cc int 3
> 0045fffe cc int 3
> 0045ffff cc int 3
> 00460000 80f940 cmp cl,0x40
> 00460003 7316 jnb winamp+0x6001b (0046001b)
> 00460005 80f920 cmp cl,0x20
> 00460008 7306 jnb winamp+0x60010 (00460010)
> 0046000a 0fadd0 shrd eax,edx,cl
> 0046000d d3fa sar edx,cl
> 0046000f c3 ret

This bug does not seem to be exploitable.

o Disclosure Timeline:
=====================

xx Jan 07 - Vulnerability discovered.
14 Apr 07 - Vendor contacted.
30 Jul 07 - Public release.

o Solution:
==========

There is no solution yet.

I sent a mail to support@winamp.com (I did not find a better contact
address) on April 14th but have not received an answer so far.

o Credits:
=========

Thanks to destructor who originally spotted the bug and nait who analysed
the vulnerability.

Christian Deneke (nait) <bugtraq@deneke.biz>
http://www.deneke.biz/

Thomas Waldegger <bugtraq@morph3us.org>
BuHa-Security Community - http://buha.info/board/

If you have questions, suggestions or criticism about the advisory, feel
free to send me a mail. The address 'bugtraq@morph3us.org' is more of a
spam address than a regular mail address, therefore it is possible that
some mails get ignored. Please use the contact details at
http://morph3us.org/ to contact me.

Greets fly out to..
* cyrus-tc: how are the Paris chicks, bro?
* fallout: let the 'curtain show' never end.. :oP
* trappy: skill0r!1!!

.. echox, Killsystem, Neon, Rodnox and all members of BuHa.

Advisory online: http://morph3us.org/advisories/20070730-winamp-5.35.txt

- --
Don't you feel the power of CSS Layouts?
BuHa-Security Community: https://buha.info/board/
