winamp7513.txt

Reported by Luigi Auriemma, 11 Dec 2006 (source: packetstormsecurity.com)

Winamp Web Interface security vulnerabilities <= 7.5.1

#######################################################################  
  
Luigi Auriemma  
  
Application: Winamp Web Interface  
http://www.flippet.org/wawi/  
Versions: <= 7.5.13  
Platforms: Windows (Winamp plugin)  
Bugs: A] buffer-overflow in FindBasicAuth  
B] browsing directory traversal  
C] buffer-overflow in the browse, download and load functions  
D] file extension check bypassing in file downloading  
E] lucky path name  
Exploitation: remote, only bug A doesn't require privileges  
Date: 10 Dec 2006  
Author: Luigi Auriemma  
e-mail: [email protected]  
web: aluigi.org  
  
  
#######################################################################  
  
  
1) Introduction  
2) Bugs  
3) The Code  
4) Fix  
  
  
#######################################################################  
  
===============  
1) Introduction  
===============  
  
  
Winamp Web Interface (Wawi) is a nice open source plugin for Winamp  
(http://www.winamp.com) which allows the remote administration of the  
media player through any web browser.  
  
  
#######################################################################  
  
=======  
2) Bugs  
=======  
  
  
-----------------------------------  
A] buffer-overflow in FindBasicAuth  
-----------------------------------  
  
FindBasicAuth(), located in security.cpp, parses the Authorization HTTP  
header of the client's request.  
It copies, one after the other, the authentication mode and the base64  
string carrying the username:password pair into the temp buffer, which  
is only 100 bytes, and then base64-decodes that string into the userpass  
buffer, also of 100 bytes.  
The copies are made through the GetAString() function, which only limits  
each string to 255 chars, more than either buffer can hold.  
  
In my tests it did not seem possible to exploit the bug to execute  
remote code.  
This is the only vulnerability that does not require privileges to be  
exploited.  
  
  
-------------------------------  
B] browsing directory traversal  
-------------------------------  
  
The Browse() function located in browse.cpp is used to show the files  
available in a given folder under the root directory.  
Like all the other functions in the program, it checks the path received  
from the client with the GoodPath() function, which looks for risky  
sequences of dots and backslashes (like \..\).  
  
The problem is that slashes are correctly converted to backslashes  
before this function is called, but the hex-encoded slash %2f is not,  
which allows browsing any folder (files are still limited to the  
extensions specified in the configuration) on the disk that holds the  
root directory.  
  
As already said, only browsing is possible, not downloading.  
The attacker needs the "Browse" privilege to exploit this bug.  
  
  
-------------------------------------------------------------  
C] buffer-overflow in the browse, download and load functions  
-------------------------------------------------------------  
  
The Browse(), CControl::Download() and CControl::Load() functions are  
affected by buffer overflows caused by building a string containing the  
root directory plus the path string received from the client in a buffer  
of only MAX_PATH bytes (260, the same size as the client string), so the  
combined string can exceed the buffer.  
  
The attacker needs the privileges required by the function he wants to  
exploit.  
  
  
-----------------------------------------------------  
D] file extension check bypassing in file downloading  
-----------------------------------------------------  
  
Wawi also has a check that lets users with the "Download" permission  
download only some types of files.  
In the "Music Collections" section of the Wawi configuration there are  
two switches that allow the viewing or the downloading of Winamp files  
and of all the others.  
  
CControl::Download() calls the IsWinampFile() function to check whether  
the requested filename is supported by Winamp and then allows the  
download if the related option has been enabled.  
  
A dot appended to the requested filename allows an attacker with the  
"Download" privilege to download any file of any extension located in  
the root directory: the extension check sees an unknown extension, while  
Windows strips the trailing dot when opening the file.  
  
Note: this is not really a bug of Wawi, but I report it here since it's  
one of the rare cases in which it can be exploited maliciously.  
  
  
------------------  
E] lucky path name  
------------------  
  
All the functions that handle files (browsing, loading, downloading and  
so on) require a backslash before the path or file name, as in  
http://localhost/browse?path=\  
If another folder or file exists whose name begins with the name of the  
root directory, it can be used in place of the one set in the  
configuration.  
  
For example, if the root directory is c:\folder and the attacker uses  
http://localhost/browse?path=2, he will browse c:\folder2 if it exists,  
or he can likewise download the file c:\folder2.mp3 if it exists.  
  
The required privileges (and the usual luck!) are needed to exploit  
this bug.  
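A defensive counterpart to bugs B through E, added here as an example and not part of the advisory or of Wawi's code: one path-resolution routine that percent-decodes before any check, rejects every traversal component, refuses names ending in a dot or space, requires the leading backslash so the root can only be extended by a separator, and joins root and path with a bounds-checked snprintf. The root c:\folder and all inputs are constructed; resolve_or_null is a convenience wrapper, not a Wawi function.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PATH 260   /* the buffer size the advisory cites for the plugin */

/* Percent-decode src into dst; fail on a malformed escape or on overflow. */
static int url_decode(const char *src, char *dst, size_t dst_len) {
    size_t n = 0;
    for (; *src; src++) {
        int c = (unsigned char)*src;
        if (c == '%') {
            if (!isxdigit((unsigned char)src[1]) || !isxdigit((unsigned char)src[2])) return -1;
            char hex[3] = { src[1], src[2], '\0' };
            c = (int)strtol(hex, NULL, 16);
            src += 2;
        }
        if (n + 1 >= dst_len) return -1;
        dst[n++] = (char)c;
    }
    dst[n] = '\0';
    return 0;
}
/* Reject empty components, ':' (drive or stream), and a trailing '.' or ' '
 * (covers ".", ".." and the trailing-dot trick of bug D). */
static int component_ok(const char *c, size_t len) {
    return len > 0 && !memchr(c, ':', len) && c[len - 1] != '.' && c[len - 1] != ' ';
}
/* Build "<root><client_path>" into out; root (constructed, e.g. "c:\\folder")
 * has no trailing backslash. Returns 0 on success, -1 when rejected. */
int resolve_path(const char *root, const char *client_path, char *out, size_t out_len) {
    char dec[MAX_PATH];
    if (url_decode(client_path, dec, sizeof dec) != 0) return -1; /* decode first (bug B) */
    for (char *q = dec; *q; q++) if (*q == '/') *q = '\\';        /* normalise separators */
    if (dec[0] != '\\') return -1;       /* must start at the root, "2" is not c:\folder2 (bug E) */
    for (const char *p = dec + 1; *p; ) {                         /* validate each component */
        const char *end = strchr(p, '\\');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (!component_ok(p, len)) return -1;
        if (!end) break;
        p = end + 1;
    }
    int n = snprintf(out, out_len, "%s%s", root, dec);          /* bounds-checked join (bug C) */
    return (n < 0 || (size_t)n >= out_len) ? -1 : 0;
}
/* Convenience wrapper: the resolved path, or NULL when the request is rejected. */
const char *resolve_or_null(const char *root, const char *client_path) {
    static char out[MAX_PATH];
    return resolve_path(root, client_path, out, sizeof out) == 0 ? out : NULL;
}
```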
  
  
#######################################################################  
  
===========  
3) The Code  
===========  
  
  
A] http://localhost/browse  
then enter a username longer than 100 chars  
  
B] http://localhost/browse?path=%2f..%2f..%2f  
  
C] http://localhost/dl?file=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa  
  
D] http://localhost/dl?file=\file.txt.  
  
  
#######################################################################  
  
======  
4) Fix  
======  
  
  
This program is no longer supported.  
  
  
#######################################################################  
  
  
---   
Luigi Auriemma  
http://aluigi.org  
http://mirror.aluigi.org  
