Foundstone Research Labs Advisory - Multiple Exploitable Buffer Overflows in Winamp (fwd)
2002-12-19T00:00:00
ID SECURITYVULNS:DOC:3897 Type securityvulns Reporter Securityvulns Modified 2002-12-19T00:00:00
Description
Foundstone Research Labs Advisory - FS2002-10
Advisory Name: Multiple Exploitable Buffer Overflows in Winamp
Release Date: December 18, 2002
Application: Winamp 3.0 and Winamp 2.81
Platforms: Windows NT/2000/XP
Severity: Remote code execution
Vendors: Nullsoft (http://www.nullsoft.com)
Authors: Tony Bettini, Foundstone (tony.bettini@foundstone.com)
CVE Candidate: CAN-2002-1176
CAN-2002-1177
Reference: http://www.foundstone.com/advisories
Overview:
One buffer overflow exists in Winamp 2.81 (latest 2.x release) and two
buffer overflows exist in Winamp 3.0 (latest 3.x release). The
Winamp 2.81 overflow is with the handling of the Artist ID3v2 tag upon
immediate loading of an MP3. The two Winamp 3.0 overflows are present
in Media Library's handling of the Artist and Album ID3v2 tags.
Detailed Description:
Winamp 2.81 Overflow
If a long Artist ID3v2 tag is present within an MP3, Winamp 2.81 will
crash immediately upon loading the MP3, yielding the user's privileges.
Two Winamp 3.0 Media Library Overflows
If an MP3 that has an ID3v2 tag is loaded into Winamp 3.0, the Artist
and Album fields of the ID3v2 tag are displayed within the Media
Library window of Winamp3. An attacker could create a malicious MP3
file that, if loaded via the Media Library window, would compromise
the system and allow remote code execution.
An attacker could create a malicious MP3 file that exploits either the
overflow of the Artist ID3v2 tag or the Album ID3v2 tag (or both). For
either overflow to occur, the user has to attempt to load the MP3 file
from the Media Library by at least single-clicking on the MP3 in
either the Artist or Album window.
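As an added defensive example (not Winamp's or Foundstone's code), a bounds-checked ID3v2.3 text-frame walker of the kind that closes the bug class described above: the Artist (TPE1) and Album (TALB) text is copied into a fixed display field sized by the destination buffer, never by the tag's declared frame length, and frames that had to be clamped are counted so a file scanner can flag them. The 64-byte field size, the 4 KB scratch buffer and the tag-building helper are assumptions made for this demonstration, and the sample tags it scans are constructed inline.

```c
#include <stdint.h>
#include <string.h>

/* Walk an ID3v2.3 tag and copy the TPE1 (Artist) and TALB (Album) text into fixed
   buffers of size cap with explicit bounds checks. Returns how many frames had to be
   clamped (an unchecked copy would have overflowed), or -1 if the tag is malformed. */
int scan_id3v2(const uint8_t *buf, size_t len, char *artist, char *album, size_t cap) {
    if (len < 10 || cap == 0 || memcmp(buf, "ID3\x03", 4) != 0) return -1;
    /* 28-bit synchsafe tag size: 7 bits per byte, high bit of each byte clear */
    size_t tag_size = (buf[6] & 0x7f) << 21 | (buf[7] & 0x7f) << 14 | (buf[8] & 0x7f) << 7 | (buf[9] & 0x7f);
    if (tag_size > len - 10) return -1;                 /* declared size exceeds the data */
    size_t pos = 10, end = 10 + tag_size;
    int clamped = 0;
    artist[0] = album[0] = '\0';
    while (pos + 10 <= end && buf[pos] != 0) {          /* a zero byte starts padding */
        const uint8_t *f = buf + pos;                   /* id[4] size[4] flags[2] body */
        uint32_t fsize = (uint32_t)f[4] << 24 | (uint32_t)f[5] << 16 | (uint32_t)f[6] << 8 | f[7];
        if (fsize > end - (pos + 10)) return -1;        /* frame runs past the tag */
        char *dst = !memcmp(f, "TPE1", 4) ? artist : !memcmp(f, "TALB", 4) ? album : NULL;
        if (dst && fsize >= 1) {                        /* body[0] is the text encoding byte */
            size_t n = fsize - 1;
            if (n >= cap) { clamped++; n = cap - 1; }   /* size the copy by the buffer, not the tag */
            memcpy(dst, f + 11, n);
            dst[n] = '\0';
        }
        pos += 10 + fsize;
    }
    return clamped;
}

/* Constructed sample input: an ID3v2.3 tag holding one text frame of n 'A' bytes. */
size_t make_tag(uint8_t *out, const char *id, size_t n) {
    size_t body = 1 + n, tag = 10 + body;
    memcpy(out, "ID3\x03\x00\x00", 6);
    for (int i = 0; i < 4; i++) out[6 + i] = (tag >> (21 - 7 * i)) & 0x7f;   /* synchsafe size */
    memcpy(out + 10, id, 4);
    for (int i = 0; i < 4; i++) out[14 + i] = (body >> (24 - 8 * i)) & 0xff; /* plain big-endian */
    out[18] = out[19] = out[20] = 0;                    /* frame flags, ISO-8859-1 encoding */
    memset(out + 21, 'A', n);
    return 10 + tag;
}

/* Scan a constructed tag whose Artist frame carries n text bytes into a 64-byte field (assumed). */
static char g_artist[64], g_album[64];
int scan_artist_of_len(size_t n) {
    static uint8_t buf[4096];
    if (n + 21 > sizeof buf) return -1;
    return scan_id3v2(buf, make_tag(buf, "TPE1", n), g_artist, g_album, sizeof g_artist);
}
size_t artist_len(void) { return strlen(g_artist); }
```

A 300-byte Artist frame, far longer than the display field, is clamped to 63 characters and reported as one clamped frame instead of overrunning the buffer.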
Vendor Response:
Nullsoft has released fixed versions of Winamp 2.81 and Winamp 3.0 and
both are available at: http://www.winamp.com
Foundstone would like to thank Nullsoft for their cooperation with
the remediation of this vulnerability.
Solution:
For Winamp 2.81 users
We recommend either upgrading to Winamp 3.0 or redownloading Winamp 2.81
(which has since been fixed) from: http://www.winamp.com
For Winamp 3.0 users
Only Winamp 3.0 build #488, built on December 15, 2002, and later builds
are not vulnerable. If the About Winamp3 dialog box within Winamp 3.0
displays a 3.0 release with a build number lower than 488 or a date
earlier than Dec 15 2002, we recommend redownloading Winamp 3.0 from:
http://www.winamp.com
Disclaimer:
The information contained in this advisory is copyright (c) 2002
Foundstone, Inc. and is believed to be accurate at the time of
publishing. However, no representation of any warranty is given,
expressed, or implied as to its accuracy or completeness. In no event
shall the author or Foundstone be liable for any direct, indirect,
incidental, special, exemplary or consequential damages resulting from
the use or misuse of this information. This advisory may be
redistributed, provided that no fee is assigned and that the advisory
is not modified in any way.
About Foundstone:
Foundstone Inc. addresses the security and privacy
needs of Global 2000 companies with world-class Enterprise
Vulnerability Management Software, Managed Vulnerability Assessment
Services, Professional Consulting and Education offerings. The company
has one of the most dominant security talent pools ever assembled,
including experts from Ernst & Young, KPMG, PricewaterhouseCoopers,
and the United States Defense Department. Foundstone executives and
consultants have authored nine books, including the international best
seller Hacking Exposed: Network Security Secrets & Solutions.
Foundstone is headquartered in Orange County, CA, and has offices in
New York, Washington, DC, San Antonio, and Seattle. For more
information, visit www.foundstone.com or call 1-877-91-FOUND.
Copyright (c) 2002 Foundstone, Inc. All rights reserved worldwide.