Foundstone Research Labs Advisory - FS2002-10
Advisory Name: Multiple Exploitable Buffer Overflows in Winamp Release Date: December 18, 2002 Application: Winamp 3.0 and Winamp 2.81 Platforms: Windows NT/2000/XP Severity: Remote code execution Vendors: Nullsoft (http://www.nullsoft.com) Authors: Tony Bettini, Foundstone (firstname.lastname@example.org) CVE Candidate: CAN-2002-1176 CAN-2002-1177 Reference: http://www.foundstone.com/advisories
One buffer overflow exists in Winamp 2.81 (latest 2.x release) and two buffer overflows exist in Winamp 3.0 (latest 3.x release). The Winamp 2.81 overflow is with the handling of the Artist ID3v2 tag upon immediate loading of an MP3. The two Winamp 3.0 overflows are present in Media Library's handling of the Artist and Album ID3v2 tags.
Winamp 2.81 Overflow
If a long Artist ID3v2 tag is present within an MP3, Winamp 2.81 will crash yielding privileges immediately upon loading the MP3.
Two Winamp 3.0 Media Library Overflows
If an MP3 is loaded into Winamp 3.0 that has an ID3v2 tag, the Artist and Album fields of the ID3v2 tag are displayed within the Media Library window of Winamp3. An attacker could create a malicious MP3 file, that if loaded via the Media Library window, would compromise the system and allow for remote code execution.
An attacker could create a malicious MP3 file that exploits either the overflow of the Artist ID3v2 tag or the Album ID3v2 tag (or both). For either overflow to occur, the user has to attempt to load the MP3 file from the Media Library by at least single clicking on either the MP3 via the Artist or Album window.
Nullsoft has released fixed versions of Winamp 2.81 and Winamp 3.0 and both are available at: http://www.winamp.com
Foundstone would like to thank Nullsoft for their cooperation with the remediation of this vulnerability.
For Winamp 2.81 users
We recommend either upgrading to Winamp 3.0 or redownloading Winamp 2.81 (which has since been fixed) from: http://www.winamp.com
For Winamp 3.0 users
Only Winamp 3.0 build #488 built on December 15, 2002 and later are not vulnerable. We recommend if the About Winamp3 dialog box within Winamp 3.0 displays a 3.0 release that has a lower build number than 488 or earlier date than Dec 15 2002, we recommend redownloading Winamp 3.0 from: http://www.winamp.com
The information contained in this advisory is copyright (c) 2002 Foundstone, Inc. and is believed to be accurate at the time of publishing. However, no representation of any warranty is given, expressed, or implied as to its accuracy or completeness. In no event shall the author or Foundstone be liable for any direct, indirect, incidental, special, exemplary or consequential damages resulting from the use or misuse of this information. This advisory may be redistributed, provided that no fee is assigned and that the advisory is not modified in any way.
About Foundstone Foundstone Inc. addresses the security and privacy needs of Global 2000 companies with world-class Enterprise Vulnerability Management Software, Managed Vulnerability Assessment Services, Professional Consulting and Education offerings. The company has one of the most dominant security talent pools ever assembled, including experts from Ernst & Young, KPMG, PricewaterhouseCoopers, and the United States Defense Department. Foundstone executives and consultants have authored nine books, including the international best seller Hacking Exposed: Network Security Secrets & Solutions. Foundstone is headquartered in Orange County, CA, and has offices in New York, Washington, DC, San Antonio, and Seattle. For more information, visit www.foundstone.com or call 1-877-91-FOUND.
Copyright (c) 2002 Foundstone, Inc. All rights reserved worldwide.