Search...

[CVE-2013-4695] WinAmp v5.63 gen_ff.dll links.xml Value Parsing Invalid Pointer Dereference

2013-07-08T00:00:00

ID SECURITYVULNS:DOC:29512
Type securityvulns
Reporter Securityvulns
Modified 2013-07-08T00:00:00

Description

Inshell Security Advisory http://www.inshell.net

1. ADVISORY INFORMATION

Product: WinAmp Vendor URL: www.winamp.com Type: Pointer Issues [CWE-465] Date found: 2013-06-05 Date published: 2013-07-01 CVSSv2 Score: 4,4 (AV:L/AC:M/Au:N/C:P/I:P/A:P) CVE: CVE-2013-4695

2. CREDITS

This vulnerability was discovered and researched by Julien Ahrens from Inshell Security.

3. VERSIONS AFFECTED

WinAmp v5.63, older versions may be affected too.

4. VULNERABILITY DESCRIPTION

An invalid pointer dereference vulnerability has been identified in WinAmp v5.63.

The application loads the contents of the %APPDATA%\WinAmp\links.xml on startup (the key lngId="default") and while browsing through the bookmarks in the Browser view of the GUI, but does not properly validate the length of the string loaded from the "<link name>" and "<home url>" keys before using them in a pointer call in the library gen_ff.dll, which leads to a invalid pointer dereference condition with possible code execution.

An attacker needs to force the victim to place an arbitrary links.xml file into the target directory in order to exploit the vulnerability. Successful exploits can allow attackers to execute arbitrary code with the privileges of the user running the application. Failed exploits will result in a denial-of-service condition.

5. PROOF-OF-CONCEPT (DEBUG)

Registers: EAX E85130FF ECX 00430043 winamp.00430043 EDX 00D1F5B4 EBX 00000000 ESP 00D1F598 EBP 00D1F5C4 ESI 023D3170 EDI 7C80934A kernel32.GetTickCount EIP 073D0EE1 gen_ff.073D0EE1 C 0 ES 0023 32bit 0(FFFFFFFF) P 1 CS 001B 32bit 0(FFFFFFFF) A 0 SS 0023 32bit 0(FFFFFFFF) Z 1 DS 0023 32bit 0(FFFFFFFF) S 0 FS 003B 32bit 7FFDC000(FFF) T 0 GS 0000 NULL D 0 O 0 LastErr ERROR_SUCCESS (00000000) EFL 00000246 (NO,NB,E,BE,NS,PE,GE,LE) ST0 empty ST1 empty ST2 empty ST3 empty ST4 empty ST5 empty ST6 empty ST7 empty 3 2 1 0 E S P U O Z D I FST 0000 Cond 0 0 0 0 Err 0 0 0 0 0 0 0 0 (GT) FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1

Stackview: ESP-20 > 00000000 ESP-1C > 00000100 ESP-18 > 00C1F444 ESP-14 > 7C9215F9 ntdll.7C9215F9 ESP-10 > 7C9215F9 ntdll.7C9215F9 ESP-C > 00385D58 ESP-8 > 00163700 ESP-4 > 7C9215F9 ntdll.7C9215F9 ESP ==> > 000000BE ESP+4 > 00D1F5B4 ESP+8 > 00D1F5A8 ESP+C > 00000003 ESP+10 > 00D1F5C0 ESP+14 > 00D1F5BC ESP+18 > 00D1F5B8 ESP+1C > 00D1FF14 ESP+20 > 00000900

Vulnerable code part (<link name>): .text:07363F47 push ebp .text:07363F48 mov ebp, esp .text:07363F4A push ecx .text:07363F4B push 1 .text:07363F4D lea edx, [ebp+var_4] .text:07363F50 push edx .text:07363F51 lea eax, [ebp+arg_4] .text:07363F54 push 0 .text:07363F56 push [ebp+arg_0] .text:07363F59 mov [ebp+var_4], eax .text:07363F5C mov eax, [ecx] .text:07363F5E call dword ptr [eax] .text:07363F60 leave .text:07363F61 retn 8

Vulnerable code part (<home url>): .text:073620F8 push ebp .text:073620F9 mov ebp, esp .text:073620FB mov eax, [ecx] .text:073620FD push 0 .text:073620FF push 0 .text:07362101 lea edx, [ebp+arg_0] .text:07362104 push edx .text:07362105 push [ebp+arg_0] .text:07362108 call dword ptr [eax] .text:0736210A test eax, eax .text:0736210C mov eax, [ebp+arg_0] .text:0736210F jnz short loc_7362114 .text:07362111 mov eax, [ebp+arg_4] .text:07362114 .text:07362114 loc_7362114: ; CODE XREF: sub_73620F8+17j .text:07362114 pop ebp .text:07362115 retn 8

6. SOLUTION

Update to latest version v5.64 or newer.

7. REPORT TIMELINE

2013-06-05: Discovery of the vulnerability 2013-06-06: Vendor acknowledgement of the issue 2013-06-11: Vendor provides custom build that includes a fix 2013-06-12: The issue is still exploitable 2013-06-12: Provided another PoC to clarify the way to exploit 2013-06-13: Vendor provides custom build that includes a fix 2013-06-14: Confirmation that the issue is fixed 2013-06-19: Vendor releases v5.64 which includes the fix 2013-07-01: Coordinated Disclosure

8. REFERENCES

http://security.inshell.net http://forums.winamp.com/showthread.php?t=364291

JSON Vulners Source

Initial Source

{"id": "SECURITYVULNS:DOC:29512", "bulletinFamily": "software", "title": "[CVE-2013-4695] WinAmp v5.63 gen_ff.dll links.xml Value Parsing Invalid Pointer Dereference", "description": "\r\n\r\nInshell Security Advisory\r\nhttp://www.inshell.net\r\n\r\n\r\n1. ADVISORY INFORMATION\r\n-----------------------\r\nProduct: WinAmp\r\nVendor URL: www.winamp.com\r\nType: Pointer Issues [CWE-465]\r\nDate found: 2013-06-05\r\nDate published: 2013-07-01\r\nCVSSv2 Score: 4,4 (AV:L/AC:M/Au:N/C:P/I:P/A:P)\r\nCVE: CVE-2013-4695\r\n\r\n\r\n2. CREDITS\r\n----------\r\nThis vulnerability was discovered and researched by Julien Ahrens from\r\nInshell Security.\r\n\r\n\r\n3. VERSIONS AFFECTED\r\n--------------------\r\nWinAmp v5.63, older versions may be affected too.\r\n\r\n\r\n4. VULNERABILITY DESCRIPTION\r\n----------------------------\r\nAn invalid pointer dereference vulnerability has been identified in\r\nWinAmp v5.63.\r\n\r\nThe application loads the contents of the %APPDATA%\WinAmp\links.xml on\r\nstartup (the key lngId="default") and while browsing through the\r\nbookmarks in the Browser view of the GUI, but does not properly validate\r\nthe length of the string loaded from the "<link name>" and "<home url>"\r\nkeys before using them in a pointer call in the library gen_ff.dll,\r\nwhich leads to a invalid pointer dereference condition with possible\r\ncode execution.\r\n\r\nAn attacker needs to force the victim to place an arbitrary links.xml\r\nfile into the target directory in order to exploit the vulnerability.\r\nSuccessful exploits can allow attackers to execute arbitrary code with\r\nthe privileges of the user running the application. Failed exploits will\r\nresult in a denial-of-service condition.\r\n\r\n\r\n5. PROOF-OF-CONCEPT (DEBUG)\r\n---------------------------\r\nRegisters:\r\nEAX E85130FF\r\nECX 00430043 winamp.00430043\r\nEDX 00D1F5B4\r\nEBX 00000000\r\nESP 00D1F598\r\nEBP 00D1F5C4\r\nESI 023D3170\r\nEDI 7C80934A kernel32.GetTickCount\r\nEIP 073D0EE1 gen_ff.073D0EE1\r\nC 0 ES 0023 32bit 0(FFFFFFFF)\r\nP 1 CS 001B 32bit 0(FFFFFFFF)\r\nA 0 SS 0023 32bit 0(FFFFFFFF)\r\nZ 1 DS 0023 32bit 0(FFFFFFFF)\r\nS 0 FS 003B 32bit 7FFDC000(FFF)\r\nT 0 GS 0000 NULL\r\nD 0\r\nO 0 LastErr ERROR_SUCCESS (00000000)\r\nEFL 00000246 (NO,NB,E,BE,NS,PE,GE,LE)\r\nST0 empty\r\nST1 empty\r\nST2 empty\r\nST3 empty\r\nST4 empty\r\nST5 empty\r\nST6 empty\r\nST7 empty\r\n 3 2 1 0 E S P U O Z D I\r\nFST 0000 Cond 0 0 0 0 Err 0 0 0 0 0 0 0 0 (GT)\r\nFCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1\r\n\r\nStackview:\r\nESP-20 > 00000000\r\nESP-1C > 00000100\r\nESP-18 > 00C1F444\r\nESP-14 > 7C9215F9 ntdll.7C9215F9\r\nESP-10 > 7C9215F9 ntdll.7C9215F9\r\nESP-C > 00385D58\r\nESP-8 > 00163700\r\nESP-4 > 7C9215F9 ntdll.7C9215F9\r\nESP ==> > 000000BE\r\nESP+4 > 00D1F5B4\r\nESP+8 > 00D1F5A8\r\nESP+C > 00000003\r\nESP+10 > 00D1F5C0\r\nESP+14 > 00D1F5BC\r\nESP+18 > 00D1F5B8\r\nESP+1C > 00D1FF14\r\nESP+20 > 00000900\r\n\r\nVulnerable code part (<link name>):\r\n.text:07363F47 push ebp\r\n.text:07363F48 mov ebp, esp\r\n.text:07363F4A push ecx\r\n.text:07363F4B push 1\r\n.text:07363F4D lea edx, [ebp+var_4]\r\n.text:07363F50 push edx\r\n.text:07363F51 lea eax, [ebp+arg_4]\r\n.text:07363F54 push 0\r\n.text:07363F56 push [ebp+arg_0]\r\n.text:07363F59 mov [ebp+var_4], eax\r\n.text:07363F5C mov eax, [ecx]\r\n.text:07363F5E call dword ptr [eax]\r\n.text:07363F60 leave\r\n.text:07363F61 retn 8\r\n\r\nVulnerable code part (<home url>):\r\n.text:073620F8 push ebp\r\n.text:073620F9 mov ebp, esp\r\n.text:073620FB mov eax, [ecx]\r\n.text:073620FD push 0\r\n.text:073620FF push 0\r\n.text:07362101 lea edx, [ebp+arg_0]\r\n.text:07362104 push edx\r\n.text:07362105 push [ebp+arg_0]\r\n.text:07362108 call dword ptr [eax]\r\n.text:0736210A test eax, eax\r\n.text:0736210C mov eax, [ebp+arg_0]\r\n.text:0736210F jnz short loc_7362114\r\n.text:07362111 mov eax, [ebp+arg_4]\r\n.text:07362114\r\n.text:07362114 loc_7362114: ; CODE XREF:\r\nsub_73620F8+17\u0018j\r\n.text:07362114 pop ebp\r\n.text:07362115 retn 8\r\n\r\n\r\n6. SOLUTION\r\n-----------\r\nUpdate to latest version v5.64 or newer.\r\n\r\n\r\n7. REPORT TIMELINE\r\n------------------\r\n2013-06-05: Discovery of the vulnerability\r\n2013-06-06: Vendor acknowledgement of the issue\r\n2013-06-11: Vendor provides custom build that includes a fix\r\n2013-06-12: The issue is still exploitable\r\n2013-06-12: Provided another PoC to clarify the way to exploit\r\n2013-06-13: Vendor provides custom build that includes a fix\r\n2013-06-14: Confirmation that the issue is fixed\r\n2013-06-19: Vendor releases v5.64 which includes the fix\r\n2013-07-01: Coordinated Disclosure\r\n\r\n\r\n8. REFERENCES\r\n-------------\r\nhttp://security.inshell.net\r\nhttp://forums.winamp.com/showthread.php?t=364291\r\n", "published": "2013-07-08T00:00:00", "modified": "2013-07-08T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:29512", "reporter": "Securityvulns", "references": [], "cvelist": ["CVE-2013-4695"], "type": "securityvulns", "lastseen": "2018-08-31T11:10:48", "edition": 1, "viewCount": 5, "enchantments": {"score": {"value": 7.8, "vector": "NONE", "modified": "2018-08-31T11:10:48", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2013-4695"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:F2704C0985B3AA3487434D3538E7C5A3"]}, {"type": "exploitdb", "idList": ["EDB-ID:26557"]}, {"type": "seebug", "idList": ["SSV:80187"]}, {"type": "nessus", "idList": ["WINAMP_564.NASL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:13157"]}], "modified": "2018-08-31T11:10:48", "rev": 2}, "vulnersScore": 7.8}, "affectedSoftware": []}

{"cve": [{"lastseen": "2021-02-02T06:06:56", "description": "Winamp 5.63: Invalid Pointer Dereference leading to Arbitrary Code Execution", "edition": 5, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-12-27T16:15:00", "title": "CVE-2013-4695", "type": "cve", "cwe": ["CWE-763"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-4695"], "modified": "2020-01-04T14:57:00", "cpe": ["cpe:/a:winamp:winamp:5.63"], "id": "CVE-2013-4695", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4695", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:winamp:winamp:5.63:*:*:*:*:*:*:*"]}], "exploitdb": [{"lastseen": "2016-02-03T03:51:09", "description": "WinAmp 5.63 - Invalid Pointer Dereference. CVE-2013-4695. Dos exploit for windows platform", "published": "2013-07-02T00:00:00", "type": "exploitdb", "title": "WinAmp 5.63 - Invalid Pointer Dereference", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-4695"], "modified": "2013-07-02T00:00:00", "id": "EDB-ID:26557", "href": "https://www.exploit-db.com/exploits/26557/", "sourceData": "Inshell Security Advisory\r\nhttp://www.inshell.net\r\n\r\n\r\n1. ADVISORY INFORMATION\r\n-----------------------\r\nProduct: WinAmp\r\nVendor URL: www.winamp.com\r\nType: Pointer Issues [CWE-465]\r\nDate found: 2013-06-05\r\nDate published: 2013-07-01\r\nCVSSv2 Score: 4,4 (AV:L/AC:M/Au:N/C:P/I:P/A:P)\r\nCVE: CVE-2013-4695\r\n\r\n\r\n2. CREDITS\r\n----------\r\nThis vulnerability was discovered and researched by Julien Ahrens from\r\nInshell Security.\r\n\r\n\r\n3. VERSIONS AFFECTED\r\n--------------------\r\nWinAmp v5.63, older versions may be affected too.\r\n\r\n\r\n4. VULNERABILITY DESCRIPTION\r\n----------------------------\r\nAn invalid pointer dereference vulnerability has been identified in\r\nWinAmp v5.63.\r\n\r\nThe application loads the contents of the %APPDATA%\\WinAmp\\links.xml on\r\nstartup (the key lngId=\"default\") and while browsing through the\r\nbookmarks in the Browser view of the GUI, but does not properly validate\r\nthe length of the string loaded from the \"<link name>\" and \"<home url>\"\r\nkeys before using them in a pointer call in the library gen_ff.dll,\r\nwhich leads to a invalid pointer dereference condition with possible\r\ncode execution.\r\n\r\nAn attacker needs to force the victim to place an arbitrary links.xml\r\nfile into the target directory in order to exploit the vulnerability.\r\nSuccessful exploits can allow attackers to execute arbitrary code with\r\nthe privileges of the user running the application. Failed exploits will\r\nresult in a denial-of-service condition.\r\n\r\n\r\n5. PROOF-OF-CONCEPT (DEBUG)\r\n---------------------------\r\nRegisters:\r\nEAX E85130FF\r\nECX 00430043 winamp.00430043\r\nEDX 00D1F5B4\r\nEBX 00000000\r\nESP 00D1F598\r\nEBP 00D1F5C4\r\nESI 023D3170\r\nEDI 7C80934A kernel32.GetTickCount\r\nEIP 073D0EE1 gen_ff.073D0EE1\r\nC 0 ES 0023 32bit 0(FFFFFFFF)\r\nP 1 CS 001B 32bit 0(FFFFFFFF)\r\nA 0 SS 0023 32bit 0(FFFFFFFF)\r\nZ 1 DS 0023 32bit 0(FFFFFFFF)\r\nS 0 FS 003B 32bit 7FFDC000(FFF)\r\nT 0 GS 0000 NULL\r\nD 0\r\nO 0 LastErr ERROR_SUCCESS (00000000)\r\nEFL 00000246 (NO,NB,E,BE,NS,PE,GE,LE)\r\nST0 empty\r\nST1 empty\r\nST2 empty\r\nST3 empty\r\nST4 empty\r\nST5 empty\r\nST6 empty\r\nST7 empty\r\n 3 2 1 0 E S P U O Z D I\r\nFST 0000 Cond 0 0 0 0 Err 0 0 0 0 0 0 0 0 (GT)\r\nFCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1\r\n\r\nStackview:\r\nESP-20 > 00000000\r\nESP-1C > 00000100\r\nESP-18 > 00C1F444\r\nESP-14 > 7C9215F9 ntdll.7C9215F9\r\nESP-10 > 7C9215F9 ntdll.7C9215F9\r\nESP-C > 00385D58\r\nESP-8 > 00163700\r\nESP-4 > 7C9215F9 ntdll.7C9215F9\r\nESP ==> > 000000BE\r\nESP+4 > 00D1F5B4\r\nESP+8 > 00D1F5A8\r\nESP+C > 00000003\r\nESP+10 > 00D1F5C0\r\nESP+14 > 00D1F5BC\r\nESP+18 > 00D1F5B8\r\nESP+1C > 00D1FF14\r\nESP+20 > 00000900\r\n\r\nVulnerable code part (<link name>):\r\n.text:07363F47 push ebp\r\n.text:07363F48 mov ebp, esp\r\n.text:07363F4A push ecx\r\n.text:07363F4B push 1\r\n.text:07363F4D lea edx, [ebp+var_4]\r\n.text:07363F50 push edx\r\n.text:07363F51 lea eax, [ebp+arg_4]\r\n.text:07363F54 push 0\r\n.text:07363F56 push [ebp+arg_0]\r\n.text:07363F59 mov [ebp+var_4], eax\r\n.text:07363F5C mov eax, [ecx]\r\n.text:07363F5E call dword ptr [eax]\r\n.text:07363F60 leave\r\n.text:07363F61 retn 8\r\n\r\nVulnerable code part (<home url>):\r\n.text:073620F8 push ebp\r\n.text:073620F9 mov ebp, esp\r\n.text:073620FB mov eax, [ecx]\r\n.text:073620FD push 0\r\n.text:073620FF push 0\r\n.text:07362101 lea edx, [ebp+arg_0]\r\n.text:07362104 push edx\r\n.text:07362105 push [ebp+arg_0]\r\n.text:07362108 call dword ptr [eax]\r\n.text:0736210A test eax, eax\r\n.text:0736210C mov eax, [ebp+arg_0]\r\n.text:0736210F jnz short loc_7362114\r\n.text:07362111 mov eax, [ebp+arg_4]\r\n.text:07362114\r\n.text:07362114 loc_7362114: ; CODE XREF:\r\nsub_73620F8+17\u0018j\r\n.text:07362114 pop ebp\r\n.text:07362115 retn 8\r\n\r\n\r\n6. SOLUTION\r\n-----------\r\nUpdate to latest version v5.64 or newer.\r\n\r\n\r\n7. REPORT TIMELINE\r\n------------------\r\n2013-06-05: Discovery of the vulnerability\r\n2013-06-06: Vendor acknowledgement of the issue\r\n2013-06-11: Vendor provides custom build that includes a fix\r\n2013-06-12: The issue is still exploitable\r\n2013-06-12: Provided another PoC to clarify the way to exploit\r\n2013-06-13: Vendor provides custom build that includes a fix\r\n2013-06-14: Confirmation that the issue is fixed\r\n2013-06-19: Vendor releases v5.64 which includes the fix\r\n2013-07-01: Coordinated Disclosure\r\n\r\n\r\n8. REFERENCES\r\n-------------\r\nhttp://security.inshell.net\r\nhttp://forums.winamp.com/showthread.php?t=364291", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/26557/"}], "exploitpack": [{"lastseen": "2020-04-01T19:05:05", "description": "\nWinamp 5.63 - Invalid Pointer Dereference", "edition": 1, "published": "2013-07-02T00:00:00", "title": "Winamp 5.63 - Invalid Pointer Dereference", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-4695"], "modified": "2013-07-02T00:00:00", "id": "EXPLOITPACK:F2704C0985B3AA3487434D3538E7C5A3", "href": "", "sourceData": "Inshell Security Advisory\nhttp://www.inshell.net\n\n\n1. ADVISORY INFORMATION\n-----------------------\nProduct: WinAmp\nVendor URL: www.winamp.com\nType: Pointer Issues [CWE-465]\nDate found: 2013-06-05\nDate published: 2013-07-01\nCVSSv2 Score: 4,4 (AV:L/AC:M/Au:N/C:P/I:P/A:P)\nCVE: CVE-2013-4695\n\n\n2. CREDITS\n----------\nThis vulnerability was discovered and researched by Julien Ahrens from\nInshell Security.\n\n\n3. VERSIONS AFFECTED\n--------------------\nWinAmp v5.63, older versions may be affected too.\n\n\n4. VULNERABILITY DESCRIPTION\n----------------------------\nAn invalid pointer dereference vulnerability has been identified in\nWinAmp v5.63.\n\nThe application loads the contents of the %APPDATA%\\WinAmp\\links.xml on\nstartup (the key lngId=\"default\") and while browsing through the\nbookmarks in the Browser view of the GUI, but does not properly validate\nthe length of the string loaded from the \"<link name>\" and \"<home url>\"\nkeys before using them in a pointer call in the library gen_ff.dll,\nwhich leads to a invalid pointer dereference condition with possible\ncode execution.\n\nAn attacker needs to force the victim to place an arbitrary links.xml\nfile into the target directory in order to exploit the vulnerability.\nSuccessful exploits can allow attackers to execute arbitrary code with\nthe privileges of the user running the application. Failed exploits will\nresult in a denial-of-service condition.\n\n\n5. PROOF-OF-CONCEPT (DEBUG)\n---------------------------\nRegisters:\nEAX E85130FF\nECX 00430043 winamp.00430043\nEDX 00D1F5B4\nEBX 00000000\nESP 00D1F598\nEBP 00D1F5C4\nESI 023D3170\nEDI 7C80934A kernel32.GetTickCount\nEIP 073D0EE1 gen_ff.073D0EE1\nC 0 ES 0023 32bit 0(FFFFFFFF)\nP 1 CS 001B 32bit 0(FFFFFFFF)\nA 0 SS 0023 32bit 0(FFFFFFFF)\nZ 1 DS 0023 32bit 0(FFFFFFFF)\nS 0 FS 003B 32bit 7FFDC000(FFF)\nT 0 GS 0000 NULL\nD 0\nO 0 LastErr ERROR_SUCCESS (00000000)\nEFL 00000246 (NO,NB,E,BE,NS,PE,GE,LE)\nST0 empty\nST1 empty\nST2 empty\nST3 empty\nST4 empty\nST5 empty\nST6 empty\nST7 empty\n 3 2 1 0 E S P U O Z D I\nFST 0000 Cond 0 0 0 0 Err 0 0 0 0 0 0 0 0 (GT)\nFCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1\n\nStackview:\nESP-20 > 00000000\nESP-1C > 00000100\nESP-18 > 00C1F444\nESP-14 > 7C9215F9 ntdll.7C9215F9\nESP-10 > 7C9215F9 ntdll.7C9215F9\nESP-C > 00385D58\nESP-8 > 00163700\nESP-4 > 7C9215F9 ntdll.7C9215F9\nESP ==> > 000000BE\nESP+4 > 00D1F5B4\nESP+8 > 00D1F5A8\nESP+C > 00000003\nESP+10 > 00D1F5C0\nESP+14 > 00D1F5BC\nESP+18 > 00D1F5B8\nESP+1C > 00D1FF14\nESP+20 > 00000900\n\nVulnerable code part (<link name>):\n.text:07363F47 push ebp\n.text:07363F48 mov ebp, esp\n.text:07363F4A push ecx\n.text:07363F4B push 1\n.text:07363F4D lea edx, [ebp+var_4]\n.text:07363F50 push edx\n.text:07363F51 lea eax, [ebp+arg_4]\n.text:07363F54 push 0\n.text:07363F56 push [ebp+arg_0]\n.text:07363F59 mov [ebp+var_4], eax\n.text:07363F5C mov eax, [ecx]\n.text:07363F5E call dword ptr [eax]\n.text:07363F60 leave\n.text:07363F61 retn 8\n\nVulnerable code part (<home url>):\n.text:073620F8 push ebp\n.text:073620F9 mov ebp, esp\n.text:073620FB mov eax, [ecx]\n.text:073620FD push 0\n.text:073620FF push 0\n.text:07362101 lea edx, [ebp+arg_0]\n.text:07362104 push edx\n.text:07362105 push [ebp+arg_0]\n.text:07362108 call dword ptr [eax]\n.text:0736210A test eax, eax\n.text:0736210C mov eax, [ebp+arg_0]\n.text:0736210F jnz short loc_7362114\n.text:07362111 mov eax, [ebp+arg_4]\n.text:07362114\n.text:07362114 loc_7362114: ; CODE XREF:\nsub_73620F8+17\u0018j\n.text:07362114 pop ebp\n.text:07362115 retn 8\n\n\n6. SOLUTION\n-----------\nUpdate to latest version v5.64 or newer.\n\n\n7. REPORT TIMELINE\n------------------\n2013-06-05: Discovery of the vulnerability\n2013-06-06: Vendor acknowledgement of the issue\n2013-06-11: Vendor provides custom build that includes a fix\n2013-06-12: The issue is still exploitable\n2013-06-12: Provided another PoC to clarify the way to exploit\n2013-06-13: Vendor provides custom build that includes a fix\n2013-06-14: Confirmation that the issue is fixed\n2013-06-19: Vendor releases v5.64 which includes the fix\n2013-07-01: Coordinated Disclosure\n\n\n8. REFERENCES\n-------------\nhttp://security.inshell.net\nhttp://forums.winamp.com/showthread.php?t=364291", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "seebug": [{"lastseen": "2017-11-19T14:17:53", "description": "No description provided by source.", "published": "2014-07-01T00:00:00", "title": "WinAmp 5.63 - Invalid Pointer Dereference", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-4695"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-80187", "id": "SSV:80187", "sourceData": "\n Inshell Security Advisory\r\nhttp://www.inshell.net\r\n\r\n\r\n1. ADVISORY INFORMATION\r\n-----------------------\r\nProduct: WinAmp\r\nVendor URL: www.winamp.com\r\nType: Pointer Issues [CWE-465]\r\nDate found: 2013-06-05\r\nDate published: 2013-07-01\r\nCVSSv2 Score: 4,4 (AV:L/AC:M/Au:N/C:P/I:P/A:P)\r\nCVE: CVE-2013-4695\r\n\r\n\r\n2. CREDITS\r\n----------\r\nThis vulnerability was discovered and researched by Julien Ahrens from\r\nInshell Security.\r\n\r\n\r\n3. VERSIONS AFFECTED\r\n--------------------\r\nWinAmp v5.63, older versions may be affected too.\r\n\r\n\r\n4. VULNERABILITY DESCRIPTION\r\n----------------------------\r\nAn invalid pointer dereference vulnerability has been identified in\r\nWinAmp v5.63.\r\n\r\nThe application loads the contents of the %APPDATA%\\WinAmp\\links.xml on\r\nstartup (the key lngId="default") and while browsing through the\r\nbookmarks in the Browser view of the GUI, but does not properly validate\r\nthe length of the string loaded from the "<link name>" and "<home url>"\r\nkeys before using them in a pointer call in the library gen_ff.dll,\r\nwhich leads to a invalid pointer dereference condition with possible\r\ncode execution.\r\n\r\nAn attacker needs to force the victim to place an arbitrary links.xml\r\nfile into the target directory in order to exploit the vulnerability.\r\nSuccessful exploits can allow attackers to execute arbitrary code with\r\nthe privileges of the user running the application. Failed exploits will\r\nresult in a denial-of-service condition.\r\n\r\n\r\n5. PROOF-OF-CONCEPT (DEBUG)\r\n---------------------------\r\nRegisters:\r\nEAX E85130FF\r\nECX 00430043 winamp.00430043\r\nEDX 00D1F5B4\r\nEBX 00000000\r\nESP 00D1F598\r\nEBP 00D1F5C4\r\nESI 023D3170\r\nEDI 7C80934A kernel32.GetTickCount\r\nEIP 073D0EE1 gen_ff.073D0EE1\r\nC 0 ES 0023 32bit 0(FFFFFFFF)\r\nP 1 CS 001B 32bit 0(FFFFFFFF)\r\nA 0 SS 0023 32bit 0(FFFFFFFF)\r\nZ 1 DS 0023 32bit 0(FFFFFFFF)\r\nS 0 FS 003B 32bit 7FFDC000(FFF)\r\nT 0 GS 0000 NULL\r\nD 0\r\nO 0 LastErr ERROR_SUCCESS (00000000)\r\nEFL 00000246 (NO,NB,E,BE,NS,PE,GE,LE)\r\nST0 empty\r\nST1 empty\r\nST2 empty\r\nST3 empty\r\nST4 empty\r\nST5 empty\r\nST6 empty\r\nST7 empty\r\n 3 2 1 0 E S P U O Z D I\r\nFST 0000 Cond 0 0 0 0 Err 0 0 0 0 0 0 0 0 (GT)\r\nFCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1\r\n\r\nStackview:\r\nESP-20 > 00000000\r\nESP-1C > 00000100\r\nESP-18 > 00C1F444\r\nESP-14 > 7C9215F9 ntdll.7C9215F9\r\nESP-10 > 7C9215F9 ntdll.7C9215F9\r\nESP-C > 00385D58\r\nESP-8 > 00163700\r\nESP-4 > 7C9215F9 ntdll.7C9215F9\r\nESP ==> > 000000BE\r\nESP+4 > 00D1F5B4\r\nESP+8 > 00D1F5A8\r\nESP+C > 00000003\r\nESP+10 > 00D1F5C0\r\nESP+14 > 00D1F5BC\r\nESP+18 > 00D1F5B8\r\nESP+1C > 00D1FF14\r\nESP+20 > 00000900\r\n\r\nVulnerable code part (<link name>):\r\n.text:07363F47 push ebp\r\n.text:07363F48 mov ebp, esp\r\n.text:07363F4A push ecx\r\n.text:07363F4B push 1\r\n.text:07363F4D lea edx, [ebp+var_4]\r\n.text:07363F50 push edx\r\n.text:07363F51 lea eax, [ebp+arg_4]\r\n.text:07363F54 push 0\r\n.text:07363F56 push [ebp+arg_0]\r\n.text:07363F59 mov [ebp+var_4], eax\r\n.text:07363F5C mov eax, [ecx]\r\n.text:07363F5E call dword ptr [eax]\r\n.text:07363F60 leave\r\n.text:07363F61 retn 8\r\n\r\nVulnerable code part (<home url>):\r\n.text:073620F8 push ebp\r\n.text:073620F9 mov ebp, esp\r\n.text:073620FB mov eax, [ecx]\r\n.text:073620FD push 0\r\n.text:073620FF push 0\r\n.text:07362101 lea edx, [ebp+arg_0]\r\n.text:07362104 push edx\r\n.text:07362105 push [ebp+arg_0]\r\n.text:07362108 call dword ptr [eax]\r\n.text:0736210A test eax, eax\r\n.text:0736210C mov eax, [ebp+arg_0]\r\n.text:0736210F jnz short loc_7362114\r\n.text:07362111 mov eax, [ebp+arg_4]\r\n.text:07362114\r\n.text:07362114 loc_7362114: ; CODE XREF:\r\nsub_73620F8+17j\r\n.text:07362114 pop ebp\r\n.text:07362115 retn 8\r\n\r\n\r\n6. SOLUTION\r\n-----------\r\nUpdate to latest version v5.64 or newer.\r\n\r\n\r\n7. REPORT TIMELINE\r\n------------------\r\n2013-06-05: Discovery of the vulnerability\r\n2013-06-06: Vendor acknowledgement of the issue\r\n2013-06-11: Vendor provides custom build that includes a fix\r\n2013-06-12: The issue is still exploitable\r\n2013-06-12: Provided another PoC to clarify the way to exploit\r\n2013-06-13: Vendor provides custom build that includes a fix\r\n2013-06-14: Confirmation that the issue is fixed\r\n2013-06-19: Vendor releases v5.64 which includes the fix\r\n2013-07-01: Coordinated Disclosure\r\n\r\n\r\n8. REFERENCES\r\n-------------\r\nhttp://security.inshell.net\r\nhttp://forums.winamp.com/showthread.php?t=364291\n ", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-80187"}], "securityvulns": [{"lastseen": "2018-08-31T11:09:51", "bulletinFamily": "software", "cvelist": ["CVE-2013-4695", "CVE-2013-4694"], "description": "Buffer overflow, uninitialized pointer dereference.", "edition": 1, "modified": "2013-07-08T00:00:00", "published": "2013-07-08T00:00:00", "id": "SECURITYVULNS:VULN:13157", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13157", "title": "WinAmp security vulnerabilities", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2021-03-01T07:50:02", "description": "The remote host is running Winamp, a media player for Windows. \n\nThe version of Winamp installed on the remote host is earlier than 5.64\nand is, therefore, reportedly affected by the following \nvulnerabilities :\n\n - A buffer overflow exists in the 'ml_local.dll' when\n passed GUI search fields.\n\n - A buffer overflow exists in the 'gen_jumpex.dll' when\n handling Skins directory names.\n\n - Invalid pointer dereference vulnerabilities exist in\n the 'gen_ff.dll' library when loading the links.xml.\n\nSuccessful exploitation can allow arbitrary code execution.", "edition": 26, "published": "2013-07-09T00:00:00", "title": "Winamp < 5.64 Multiple Vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-4695", "CVE-2013-4694"], "modified": "2021-03-02T00:00:00", "cpe": ["cpe:/a:nullsoft:winamp"], "id": "WINAMP_564.NASL", "href": "https://www.tenable.com/plugins/nessus/67207", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(67207);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2019/11/27\");\n\n script_cve_id(\"CVE-2013-4694\", \"CVE-2013-4695\");\n script_bugtraq_id(60883, 60886);\n script_xref(name:\"EDB-ID\", value:\"26557\");\n script_xref(name:\"EDB-ID\", value:\"26558\");\n script_xref(name:\"EDB-ID\", value:\"27874\");\n\n script_name(english:\"Winamp < 5.64 Multiple Vulnerabilities\");\n script_summary(english:\"Checks the version number of Winamp\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host contains a multimedia application that is\naffected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running Winamp, a media player for Windows. \n\nThe version of Winamp installed on the remote host is earlier than 5.64\nand is, therefore, reportedly affected by the following \nvulnerabilities :\n\n - A buffer overflow exists in the 'ml_local.dll' when\n passed GUI search fields.\n\n - A buffer overflow exists in the 'gen_jumpex.dll' when\n handling Skins directory names.\n\n - Invalid pointer dereference vulnerabilities exist in\n the 'gen_ff.dll' library when loading the links.xml.\n\nSuccessful exploitation can allow arbitrary code execution.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.inshell.net/advisory/51\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.inshell.net/advisory/52\");\n script_set_attribute(attribute:\"see_also\", value:\"http://forums.winamp.com/showthread.php?t=364291\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.winamp.com/help/Version_History\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Winamp 5.64 (5.6.4.3418) or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2013-4694\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/07/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/06/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/07/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:nullsoft:winamp\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"winamp_in_cdda_buffer_overflow.nasl\");\n script_require_keys(\"SMB/Winamp/Version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nversion = get_kb_item_or_exit(\"SMB/Winamp/Version\");\npath = get_kb_item_or_exit(\"SMB/Winamp/Path\");\n\nfixed_version = \"5.6.4.3418\";\nif (ver_compare(ver:version, fix:fixed_version, strict:FALSE) == -1)\n{\n port = get_kb_item(\"SMB/transport\");\n if (!port) port = 445;\n\n if (report_verbosity > 0)\n {\n\n report =\n '\\n Path : ' + path +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fixed_version + '\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n exit(0);\n}\nelse audit(AUDIT_INST_PATH_NOT_VULN, \"Winamp\", version, path);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}