ESB-2002.711 -- Foundstone Research Labs Advisory - FS2002-10 -- Multiple Exploitable Buffer Overflows in Winamp
Date: 20 December 2002
-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
             AUSCERT External Security Bulletin Redistribution

       ESB-2002.711 -- Foundstone Research Labs Advisory - FS2002-10
              Multiple Exploitable Buffer Overflows in Winamp
                             20 December 2002
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:            Winamp
Vendor:             Foundstone
Operating System:   Windows
Impact:             Execute Arbitrary Code/Commands
Access Required:    Remote

- --------------------------BEGIN INCLUDED TEXT--------------------

- ----------------------------------------------------------------------
Foundstone Research Labs Advisory - FS2002-10

Advisory Name:  Multiple Exploitable Buffer Overflows in Winamp
Release Date:   December 18, 2002
Application:    Winamp 3.0 and Winamp 2.81
Platforms:      Windows NT/2000/XP
Severity:       Remote code execution
Vendors:        Nullsoft (http://www.nullsoft.com)
Authors:        Tony Bettini, Foundstone (tony.bettini@foundstone.com)
CVE Candidate:  CAN-2002-1176
                CAN-2002-1177
Reference:      http://www.foundstone.com/advisories
- ----------------------------------------------------------------------

Overview:

One buffer overflow exists in Winamp 2.81 (latest 2.x release) and two buffer overflows exist in Winamp 3.0 (latest 3.x release). The Winamp 2.81 overflow is with the handling of the Artist ID3v2 tag upon immediate loading of an MP3. The two Winamp 3.0 overflows are present in Media Library's handling of the Artist and Album ID3v2 tags.

Detailed Description:

Winamp 2.81 Overflow

If a long Artist ID3v2 tag is present within an MP3, Winamp 2.81 will crash yielding privileges immediately upon loading the MP3.

Two Winamp 3.0 Media Library Overflows

If an MP3 is loaded into Winamp 3.0 that has an ID3v2 tag, the Artist and Album fields of the ID3v2 tag are displayed within the Media Library window of Winamp3. An attacker could create a malicious MP3 file that, if loaded via the Media Library window, would compromise the system and allow for remote code execution. An attacker could create a malicious MP3 file that exploits either the overflow of the Artist ID3v2 tag or the Album ID3v2 tag (or both). For either overflow to occur, the user has to attempt to load the MP3 file from the Media Library by at least single clicking on either the MP3 via the Artist or Album window.

Vendor Response:

Nullsoft has released fixed versions of Winamp 2.81 and Winamp 3.0 and both are available at: http://www.winamp.com

Foundstone would like to thank Nullsoft for their cooperation with the remediation of this vulnerability.

Solution:

For Winamp 2.81 users

We recommend either upgrading to Winamp 3.0 or redownloading Winamp 2.81 (which has since been fixed) from: http://www.winamp.com

For Winamp 3.0 users

Only Winamp 3.0 build #488 built on December 15, 2002 and later are not vulnerable. If the About Winamp3 dialog box within Winamp 3.0 displays a 3.0 release that has a lower build number than 488 or an earlier date than Dec 15 2002, we recommend redownloading Winamp 3.0 from: http://www.winamp.com

Disclaimer:

The information contained in this advisory is copyright (c) 2002 Foundstone, Inc. and is believed to be accurate at the time of publishing. However, no representation of any warranty is given, expressed, or implied as to its accuracy or completeness. In no event shall the author or Foundstone be liable for any direct, indirect, incidental, special, exemplary or consequential damages resulting from the use or misuse of this information. This advisory may be redistributed, provided that no fee is assigned and that the advisory is not modified in any way.

About Foundstone

Foundstone Inc. addresses the security and privacy needs of Global 2000 companies with world-class Enterprise Vulnerability Management Software, Managed Vulnerability Assessment Services, Professional Consulting and Education offerings. The company has one of the most dominant security talent pools ever assembled, including experts from Ernst & Young, KPMG, PricewaterhouseCoopers, and the United States Defense Department. Foundstone executives and consultants have authored nine books, including the international best seller Hacking Exposed: Network Security Secrets & Solutions. Foundstone is headquartered in Orange County, CA, and has offices in New York, Washington, DC, San Antonio, and Seattle. For more information, visit www.foundstone.com or call 1-877-91-FOUND.

Copyright (c) 2002 Foundstone, Inc. All rights reserved worldwide.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to use any or all of this information is the responsibility of each user or organisation, and should be done so in accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your system has been compromised, contact AusCERT or your representative in FIRST (Forum of Incident Response and Security Teams).

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBPgLsQCh9+71yA2DNAQGemgP/cHvVDuZyJr2bXzI609A9fgX8AkYFTLG6
Z0mRAB+ItIKAQZ6srrMCnT1EpDkNBblxOXY69s1IOdB/2N7Y9CRZc8BpbI2dgJuY
MWJXU5a8CxCzhOs/XNQ1iI4BA+f2BDGD14TJk+8RB/Rd1UTTQl94q+G1ZUjYPleV
CowX9C+XWxs=
=ziMm
-----END PGP SIGNATURE-----
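The handling the advisory describes, a fixed-size field receiving Artist (TPE1) and Album (TALB) text straight from the file, is the usual shape of this kind of overflow. The C program below is an added illustration and is not code from Winamp, Nullsoft, Foundstone or AusCERT: a small ID3v2.3/2.4 tag reader that checks every size field against the bytes actually present before using it, and clamps the text to the field width instead of trusting the frame's own length. MAX_TEXT, the id3_info struct, build_sample_tag and the check_* functions are hypothetical names chosen here; the sample tag (a 300-byte Artist frame followed by a short Album frame) is constructed inside the program and is not a real MP3.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-width UI field, standing in for the buffer the advisory says tag text was copied into. */
#define MAX_TEXT 64

typedef struct {
    char artist[MAX_TEXT], album[MAX_TEXT];  /* TPE1/TALB text, at most MAX_TEXT-1 bytes plus NUL */
    int frames, truncated;                   /* frames walked; frames whose text had to be clamped */
} id3_info;

/* 28-bit synchsafe integer (7 data bits per byte): tag size in v2.3/2.4, frame size in v2.4. */
static uint32_t synchsafe(const uint8_t *p) {
    return ((uint32_t)(p[0] & 0x7f) << 21) | ((uint32_t)(p[1] & 0x7f) << 14) |
           ((uint32_t)(p[2] & 0x7f) << 7) | (uint32_t)(p[3] & 0x7f);
}

/* Plain big-endian 32-bit integer: frame size in v2.3. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Copy a text frame body (encoding byte + text) into a fixed field, clamping to MAX_TEXT-1 bytes
   and always NUL-terminating. Returns 1 if clamped. Encoding 0 (ISO-8859-1) is treated as plain bytes. */
static int copy_text(char *dst, const uint8_t *body, size_t body_len) {
    if (body_len == 0) { dst[0] = '\0'; return 0; }
    body++; body_len--;                                   /* skip the encoding byte */
    size_t n = body_len < MAX_TEXT - 1 ? body_len : MAX_TEXT - 1;
    memcpy(dst, body, n); dst[n] = '\0';
    return body_len > MAX_TEXT - 1;
}

/* Parse an ID3v2.3/2.4 tag at the start of buf. Every length read from the file is checked
   against the bytes actually present before it is used. Returns 0 on success, negative if malformed. */
int parse_id3v2(const uint8_t *buf, size_t len, id3_info *out) {
    memset(out, 0, sizeof *out);
    if (len < 10 || memcmp(buf, "ID3", 3) != 0) return -1;
    uint8_t major = buf[3];
    if ((major != 3 && major != 4) || (buf[5] & 0x40)) return -2;  /* unknown version or extended header */
    uint32_t tag_size = synchsafe(buf + 6);
    if (tag_size > len - 10) return -4;                   /* header claims bytes the file lacks */
    const uint8_t *p = buf + 10, *end = p + tag_size;
    while ((size_t)(end - p) >= 10 && p[0] != 0) {        /* a zero byte means padding */
        uint32_t fsize = (major == 4) ? synchsafe(p + 4) : be32(p + 4);
        if (fsize > (size_t)(end - p) - 10) return -5;    /* frame would overrun the tag */
        const uint8_t *body = p + 10;
        if (memcmp(p, "TPE1", 4) == 0)      out->truncated += copy_text(out->artist, body, fsize);
        else if (memcmp(p, "TALB", 4) == 0) out->truncated += copy_text(out->album, body, fsize);
        out->frames++;
        p = body + fsize;
    }
    return 0;
}

/* Constructed sample input: write one v2.3 text frame (10-byte header, encoding 0, text). */
static size_t put_frame(uint8_t *p, const char *id, const char *text, size_t text_len) {
    uint32_t body = (uint32_t)(1 + text_len);
    memcpy(p, id, 4);
    p[4] = (uint8_t)(body >> 24); p[5] = (uint8_t)(body >> 16);
    p[6] = (uint8_t)(body >> 8);  p[7] = (uint8_t)body;
    p[8] = p[9] = 0; p[10] = 0;                           /* frame flags, then ISO-8859-1 */
    memcpy(p + 11, text, text_len);
    return 10 + body;
}

/* Build a constructed v2.3 tag (not a real file): a TPE1 frame of artist_len 'A's and a short
   TALB frame. Returns bytes written, or 0 if the buffers are too small. */
size_t build_sample_tag(uint8_t *buf, size_t cap, size_t artist_len) {
    char artist[512];
    uint32_t tag = (uint32_t)((10 + 1 + artist_len) + (10 + 1 + 4));
    if (artist_len >= sizeof artist || 10 + tag > cap) return 0;
    memset(artist, 'A', artist_len);
    memcpy(buf, "ID3", 3); buf[3] = 3; buf[4] = 0; buf[5] = 0;
    buf[6] = (tag >> 21) & 0x7f; buf[7] = (tag >> 14) & 0x7f;
    buf[8] = (tag >> 7) & 0x7f;  buf[9] = tag & 0x7f;
    size_t off = 10 + put_frame(buf + 10, "TPE1", artist, artist_len);
    off += put_frame(buf + off, "TALB", "Demo", 4);
    return off;
}

/* A 300-byte Artist field is parsed, clamped to the field width, and the Album after it still read. */
int check_long_artist(void) {
    uint8_t buf[512]; id3_info info;
    size_t n = build_sample_tag(buf, sizeof buf, 300);
    if (n == 0 || parse_id3v2(buf, n, &info) != 0) return 0;
    return info.frames == 2 && info.truncated == 1 &&
           strlen(info.artist) == MAX_TEXT - 1 && strcmp(info.album, "Demo") == 0;
}

/* Two malformed variants of the same tag: file cut off after 20 bytes, and the TPE1 size field
   inflated to 0x7fffffff. Both must be refused before any copy takes place. */
int check_malformed(void) {
    uint8_t buf[512]; id3_info info;
    size_t n = build_sample_tag(buf, sizeof buf, 300);
    if (n == 0 || parse_id3v2(buf, 20, &info) != -4) return 0;
    buf[14] = 0x7f; buf[15] = buf[16] = buf[17] = 0xff;
    return parse_id3v2(buf, n, &info) == -5;
}

int main(void) {
    printf("long artist clamped: %d, malformed tags rejected: %d\n", check_long_artist(), check_malformed());
    return 0;
}
```

Compile with any C99 compiler and run: check_long_artist() returns 1 when the oversized Artist text has been cut to the field width with the Album frame still read correctly, and check_malformed() returns 1 when a truncated file and an inflated frame size are both refused. The comparison of the frame size against the bytes remaining in the tag (end - p) is the check that a copy driven only by the frame's own length field does not have.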