LSS Security Advisory #LSS-2005-07-14 http://security.lss.hr Title: Winamp remote buffer overflow vulnerability Advisory ID: LSS-2005-07-14 Date: 2005-07-14 Advisory URL: http://security.lss.hr/index.php?page=details&ID=LSS-2005-07-14 Impact: Remote and local code execution Risk Level: High Vulnerability Type: Remote and local Vendors Status: Vendor was contacted on 22. Juny, 2005 ==[ Overview Winamp is a skinnable, multi-format, freeware audio player made by Nullsoft. It is available for free download from http://www.winamp.com/. Due to its popularity, winamp has got into "Hall of Fame" on CNET's www.download.com. The vulnerability described in this advisory could be used to spread malicious code such as a virus within mp3 files, which are commonly very trusted. ==[ Vulnerability Winamp is vulnerable to a buffer overflow vulnerability when processing ID3v2 tags of mp3 files. To exploit this vulnerability, a user has to add malformed mp3 file to the Winamp playlist, and play it. When playing mp3 file is finished, playlist is updated, and if some part of the ID3v2 tag (e.g. ARTIST or TITLE) is too long, it is possible to overflow value that is later used as the source address in the strcpy() function. The strcpy() call can overflow a value (in the DATA segment) that will later, in jump instruction, point code execution to some attacker-supplied buffer, where malicious code can be executed. Before it is possible to overflow important value in the DATA segment, a simple "sanity check" has to be passed. In the next piece of asm code, we control the EAX register (because of the first overflow), and after returning from the function, that EAX is used as source address for strcpy(). This "sanity check" code will test if there is a value 0x00000001 (ECX) in memory on offset 0x9B4 from EAX address. If that condition is true, then after returning from the function, the same EAX content will be used as the source address in strcpy(). If the condition is false, EAX is set to a value that is located on offset 0x9B8 from current EAX register address, and the program will jump to the begining of the loop. -------------------------------------------------------- 004371FA /$ 8B4424 04 MOV EAX,DWORD PTR SS:[ESP+4] 004371FE |> 85C0 /TEST EAX,EAX 00437200 |. 74 14 |JE SHORT Winamp.00437216 00437202 |. 8B88 B4090000 |MOV ECX,DWORD PTR DS:[EAX+9B4] 00437208 |. 3B4C24 08 |CMP ECX,DWORD PTR SS:[ESP+8] 0043720C |. 74 0D |JE SHORT Winamp.0043721B 0043720E |. 8B80 B8090000 |MOV EAX,DWORD PTR DS:[EAX+9B8] 00437214 |.^EB E8 \JMP SHORT Winamp.004371FE 00437216 |> B8 DC124600 MOV EAX,Winamp.004612DC ; ASCII "No Entry" 0043721B \> C3 RETN -------------------------------------------------------- Here is that asm code roughly reversed: -------------------------------------------------------- char *check (char *arg, int val) // val = 0x00000001 { while (arg != NULL) { if (*((int*)&arg[2484]) == val) // 0x9b4 = dec. 2484 return arg; else arg = (char*)*((long*)&arg[2488]); // 0x9b8 = dec. 2488 } arg = "No Entry"; return arg; } -------------------------------------------------------- To bypass that check, EAX (arg) has to be set to the address of string buffer where on address EAX+9B4 is value 0x00000001 (val), and that string has to be still long enough to overflow onto the "jump address". The string needs to be at least 284 bytes long to overflow onto the "jump address" in the DATA segment. The ID3v2 data resides in the DATA segment (that is static), and there are a lot of 0x00000001 values in it, so it is possible to determine a static address that will work every time for some Winamp and Windows versions. Due to the fact that if condition EAX+9B4=0x00000001 isn't met, EAX is set to value at address EAX+9B8 and condition would be tested again, maybe it is even possible to create some brute-force buffer(s) that will "scan" the memory for 0x00000001, but this is purely theoretical, and probably unlikely. When the "sanity check" is bypassed, strcpy() will be executed, and the "jump address" will be overflowed. That strcpy() code is presented below. -------------------------------------------------------- 00438D59 |. 50 PUSH EAX ; /src = "FFFFFFFFFFFFFFFFFFFF..." 00438D5A |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |dest 00438D5D |. E8 60D20100 CALL ; \strcpy -------------------------------------------------------- The destination address for strcpy() is 280 bytes away from the "jump address" that has to be overflowed to redirect code execution. In this particular example, it is 0x00470D40. After that is done, next piece of code will take the overflowed "jump address" from address 0x00470E58 and point code execution onto it. -------------------------------------------------------- 0041D440 /$ A1 580E4700 MOV EAX,DWORD PTR DS:[470E58] 0041D445 |. 85C0 TEST EAX,EAX 0041D447 |. 74 03 JE SHORT winamp.0041D44C 0041D449 |. FF60 48 JMP DWORD PTR DS:[EAX+48] <- 0wnZ Winamp 0041D44C \> C3 RETN -------------------------------------------------------- We have tried and managed to reliably exploit this vulnerability on Windows XP SP1 and windows 2000 SP0, with Winamp versions 5.03a, 5.09 and 5.091. It is important to say that this vulnerability is not easy to exploit, but with the help of static addresses from the DATA segment, it is possible to create reliable exploit. Beside, there are few possible exploitation vectors for this vulnerability, depending on what actions are performed by user on malformed mp3 file. For example - in version 5.03a, if the malformed mp3 file is added to the playlist with 'add-folder' option, it isn't needed to bypass the previously mentioned "sanity check". ==[ Affected Version The vulnerability was tested on Winamp versions 5.03a, 5.09 and 5.091. ==[ Fix A patched version should be soon available for download from www.winamp.com. Thanks to the winamp development team for good cooperation and a quick response. ==[ PoC Exploit PoC mp3 file can be downloaded at http://security.lss.hr/PoC/demo.mp3. ==[ Credits Credits for this vulnerability goes to Leon Juranic . ==[ LSS Security Contact LSS Security Team, WWW : http://security.lss.hr E-mail : security@LSS.hr Tel : +385 1 6129 775 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/