Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:26599
HistoryJul 04, 2011 - 12:00 a.m.

Multiple vulnerabilities in Winamp 5.61

2011-07-0400:00:00
vulners.com
5
JSON

#######################################################################

                         Luigi Auriemma

Application: Winamp
http://www.winamp.com
Versions: <= 5.61
Platforms: Windows
Bugs: A] vp6 heap corruption
B] h263 heap corruption
C] nsvdec_vp5 frame heap overflow
D] nsvdec_vp6 frame integer overflow
E] nsvdec_vp3 frame heap overflow
F] in_mod heap corruption
Date: 27 Jun 2011
Author: Luigi Auriemma
e-mail: [email protected]
web: aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction

Winamp is one of the most diffused and appreciated media players for
Windows.

#######################################################################

=======
2) Bugs

A] vp6 heap corruption

The function 08607170 of vp6.w5s (base address 08600000) is used for
the FLV files encoded with the On2 TrueMotion VP6 codec and its job is
reading the big endian bitfields 1, 6, 1, 5 and 2
(http://wiki.multimedia.cx/index.php?title=On2_VP6&#41; and then initialize
and allocating the memory and the other stuff needed for decoding the
frames.

If the 4th field ("version") is below/equal than 8 then it allocates
the needed memory otherwise it returns a NULL which is correctly
handled by the caller function that sets even a result value to -1 but
it's completely ignored by the rest of the code:

086071BE |. 6A 05 PUSH 5
086071C0 |. 55 PUSH EBP
086071C1 |. E8 1AFFFFFF CALL vp6.086070E0 ; readbits 5
086071C6 |. 6A 02 PUSH 2
086071C8 |. 55 PUSH EBP
086071C9 |. 8886 24030000 MOV BYTE PTR DS:[ESI+324],AL ; bad: 9-31
086071CF |. E8 0CFFFFFF CALL vp6.086070E0 ; readbits 2
086071D4 |. 8886 25030000 MOV BYTE PTR DS:[ESI+325],AL
086071DA |. 8A86 24030000 MOV AL,BYTE PTR DS:[ESI+324]
086071E0 |. 83C4 10 ADD ESP,10
086071E3 |. 3C 08 CMP AL,8
086071E5 |. 76 08 JBE SHORT vp6.086071EF ; init
086071E7 |. 5F POP EDI
086071E8 |. 33C0 XOR EAX,EAX ; quit
086071EA |. 5D POP EBP
086071EB |. 83C4 18 ADD ESP,18
086071EE |. C3 RETN

So if that 4th field is greater than 8 it's possible to cause a heap
corruption and exploit the consequent write4 or controlloing the
registers with the data of the decoded frame.

B] h263 heap corruption

The problem is located in the inizialization of the frame for the h263
codec in FLV files (H263VIDEOPACKET) during the handling of the
CustomWidth and CustomHeight fields that will corrupt the data after
the allocated heap memory.
Exploitation may be possible but not so easily.

C] nsvdec_vp5 frame heap overflow

Classical heap overflow in nsvdec_vp5.dll caused by the setting of a
too small screen height with the consequent overflow during the
decompression of the frames.

D] nsvdec_vp6 frame integer overflow

Integer overflow caused by a multiplication that takes both the screen
width and height and uses them as signed 16bit values too.

E] nsvdec_vp3 frame heap overflow

Classical heap overflow in nsvdec_vp3.dll caused by the setting of a
too small screen width and height with the consequent overflow during
the decompression of the frames.
Note that in vp3 exists also an integer overflow like bug D but it's
not exploitable due to the memset with byte 0xff.

F] in_mod heap corruption

Heap corruption that causes problems during the freeing and reuse of
the memory through a modified number of samples in IT files.
No additional research has been performed.

Exploitation happens when the memory get freed so when the same or
another file is played or during the closing of Winamp.

#######################################################################

===========
3) The Code

http://aluigi.org/poc/winamp_2.zip

Note the the provided proof-of-concept samples are just the original
files with some bytes modified, they have NOT been built from scratch
and are NOT optimized to demonstrate the classical possibility of code
execution (like registers set to 0x41414141 and so on).

A]
00000246 46 FE

B]
0000019A 80 FF
0000019B A0 FF
0000019C 00 FF
0000019D 86 FF
0000019E 11 91

C]
0000000E 80 01

C_]
0000001C 09 00
0000001D 08 00

D]
0000000C 80 FF
0000000D 02 FF
0000000E E0 01
0000000F 01 00

E]
0000000C 60 01
0000000D 01 00
0000000E F0 01

F]
00000024 17 09

#######################################################################

======
4) Fix

No fix.

#######################################################################

Luigi Auriemma
http://aluigi.org

JSON