[security-alerts] FW: iDefense Security Advisory 02.01.06: Winamp m3u/pls .WMA ExtensionBuffer Overflow Vulnerability

["Kazennov, Vladimir" <Vladimir.Kazennov@xxxxxxxxxx>]

> 
> Winamp m3u/pls .WMA Extension Buffer Overflow Vulnerability
> 
> iDefense Security Advisory 02.01.06
> http://www.idefense.com/intelligence/vulnerabilities/display.p
> hp?id=378
> February 1, 2006
> 
> I. BACKGROUND
> 
> Winamp is a popular media player for Windows which supports many
> audio/video file formats.
> 
> More information can be obtained from the vendors site at:
> 
>  http://winamp.com/player/
> 
> II. DESCRIPTION
> 
> It has been found that a specially crafted m3u or pls file with a
> target filename having the .wma extension can crash Winamp giving the
> attacker control over the EAX register.
> 
> Example m3U file format:
> 
> #EXTM3U
> #EXTINF:,VULN
> AAAA[...]AA.wma
> 
> Example pls file format:
> 
> [playlist]
> numberofentries=5
> File1=AAAA[...]AA.wma
> Title1=
> Length5=-1
> Version=2
> 
> III. ANALYSIS
> 
> When Winamp is installed it registers the m3u and pls 
> extensions so that
> such files  will automatically open in Winamp. This exploit can be
> triggered by clicking on a link in a web page, or through the use of
> malicious javascript.
> 
> The crash occurs in the Winamp module with the following instructions:
> 
> mov edx, [eax]
> call [edx+24]
> 
> The number of characters that can be inject is limited. With control
> of the EAX register injected into the above code, meaningful
> shellcode execution is possible.
> 
> IV. DETECTION
> 
> This vulnerability has been verified in version 5.094 of Winamp.
> 
> V. WORKAROUND
> 
> Removing the file mapping for m3u and pls files to Winamp should
> mitigate the risk of exploitation.
> 
> VI. VENDOR RESPONSE
> 
> The vendor has not responded to communication regarding this
> vulnerability.
> 
> The vulnerability appears to have been silently fixed in Winamp 5.11.
> Version 5.13 is now available for download at:
> 
>   http://www.winamp.com/player/
> 
> VII. CVE INFORMATION
> 
> The Common Vulnerabilities and Exposures (CVE) project has 
> assigned the
> name CVE-2005-3188 to this issue. This is a candidate for inclusion in
> the CVE list (http://cve.mitre.org), which standardizes names for
> security problems.
> 
> VIII. DISCLOSURE TIMELINE
> 
> 10/12/2005 Initial vendor notification
> 02/01/2006 Coordinated public disclosure
> 
> IX. CREDIT
> 
> This vulnerability was discovered by b0f.
> 
> Get paid for vulnerability research
> http://www.idefense.com/poi/teams/vcp.jsp
> 
> Free tools, research and upcoming events
> http://labs.idefense.com
> 
> X. LEGAL NOTICES
> 
> Copyright (c) 2006 iDefense, Inc.
> 
> Permission is granted for the redistribution of this alert
> electronically. It may not be edited in any way without the express
> written consent of iDefense. If you wish to reprint the whole or any
> part of this alert in any other medium other than 
> electronically, please
> email customerservice@xxxxxxxxxxxx for permission.
> 
> Disclaimer: The information in the advisory is believed to be accurate
> at the time of publishing based on currently available 
> information. Use
> of the information constitutes acceptance for use in an AS IS 
> condition.
> There are no warranties with regard to this information. Neither the
> author nor the publisher accepts any liability for any 
> direct, indirect,
> or consequential loss or damage arising from use of, or reliance on,
> this information.
> 
> _______________________________________________
> To unsubscribe, go here:
> http://www.idefense.com/mailman/listinfo/idlabs-advisories
>