[security-alerts] FW: iDefense Security Advisory 02.01.06: Winamp m3u Parsing Stack OverflowVulnerability

["Kazennov, Vladimir" <Vladimir.Kazennov@xxxxxxxxxx>]

> 
> Winamp m3u Parsing Stack Overflow Vulnerability
> 
> iDefense Security Advisory 02.01.06
> http://www.idefense.com/intelligence/vulnerabilities/display.p
> hp?id=377
> February 1, 2006
> 
> I. BACKGROUND
> 
> Winamp is a popular media player for Windows which supports many
> audio/video file formats.
> 
> More information can be obtained from the vendors site at:
> 
>  http://winamp.com/player/
> 
> II. DESCRIPTION
> 
> It has been found that a specially crafted m3u or pls file 
> can overwrite
> a stack based buffer allowing for remote code execution.
> 
> Example m3U file format:
> 
> #EXTM3U
> #EXTINF:,VULN
> AAAA[...]AA
> 
> Example pls file to trigger exploit:
> 
> [playlist]
> numberofentries=1
> File1=\\01 01AAA[...]AAA
> 
> This vulnerability is specific to the 5.11 version of Winamp and does
> not affect previous versions.
> 
> III. ANALYSIS
> 
> When Winamp is installed it registers the m3u extension so that such
> files  will automatically open in Winamp. This exploit can be 
> triggered
> by  clicking on a link in a webpage, or from the use of malicious
> javascript.
> 
> Exploitation is straight forward, using a long full path. This path
> can be either a filename or the UNC name for a fileshare, which does
> not have to exist.
> 
> Public exploit code has been independently released for this
> vulnerability (http://www.spyinstructors.com).
> 
> IV. DETECTION
> 
> This exploit was tested with version 5.11 of Winamp. Previous versions
> were tested and found to not be exploitable.
> 
> V. WORKAROUND
> 
> Removing the file associations for the m3u and pls file extension may
> mitigate the risk of exploitation.
> 
> VI. VENDOR RESPONSE
> 
> The vendor has not responded to communication regarding this
> vulnerability.
> 
> The vulnerability appears to have been silently fixed in Winamp 5.13
> which is available for download at:
> 
>   http://www.winamp.com/player/
> 
> VII. CVE INFORMATION
> 
> The Common Vulnerabilities and Exposures (CVE) project has 
> assigned the
> name CVE-2006-0476 to this issue. This is a candidate for inclusion in
> the CVE list (http://cve.mitre.org), which standardizes names for
> security problems.
> 
> VIII. DISCLOSURE TIMELINE
> 
> 12/15/2005 Initial vendor notification
> 02/01/2006 Public disclosure
> 
> IX. CREDIT
> 
> This vulnerability was independently discovered by Alan Mccaig (b0f)
> b0fnet@xxxxxxxxx and Ruben Santamarta (ruben@xxxxxxxxxxxxxxx).
> 
> Get paid for vulnerability research
> http://www.idefense.com/poi/teams/vcp.jsp
> 
> Free tools, research and upcoming events
> http://labs.idefense.com
> 
> X. LEGAL NOTICES
> 
> Copyright (c) 2006 iDefense, Inc.
> 
> Permission is granted for the redistribution of this alert
> electronically. It may not be edited in any way without the express
> written consent of iDefense. If you wish to reprint the whole or any
> part of this alert in any other medium other than 
> electronically, please
> email customerservice@xxxxxxxxxxxx for permission.
> 
> Disclaimer: The information in the advisory is believed to be accurate
> at the time of publishing based on currently available 
> information. Use
> of the information constitutes acceptance for use in an AS IS 
> condition.
> There are no warranties with regard to this information. Neither the
> author nor the publisher accepts any liability for any 
> direct, indirect,
> or consequential loss or damage arising from use of, or reliance on,
> this information.
> 
> _______________________________________________
> To unsubscribe, go here:
> http://www.idefense.com/mailman/listinfo/idlabs-advisories
>