Skip to content
cyberexploits
doswindowstext

Winamp 5.63 - Stack Based Buffer Overflow

Winamp 5.63 - Stack Based Buffer Overflow

Publié le 2013-07-02

Code source

Épinglé au commit 7eac4c3a2ce5
textplatforms/windows/dos/26558.txt7eac4c3a
raw
Inshell Security Advisory

http://www.inshell.net





1. ADVISORY INFORMATION

-----------------------

Product:        WinAmp

Vendor URL:     www.winamp.com

Type:           Stack-based Buffer Overflow [CWE-121]

Date found:     2013-06-05

Date published: 2013-07-01

CVSSv2 Score:   Bug #1: 7,5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

    Bug #2: 3,7 (AV:L/AC:H/Au:N/C:P/I:P/A:P)

CVE:            CVE-2013-4694





2. CREDITS

----------

These vulnerabilities were discovered and researched by Julien Ahrens

from Inshell Security.





3. VERSIONS AFFECTED

--------------------

WinAmp v5.63, older versions may be affected too.





4. VULNERABILITY DESCRIPTION (BUG #1)

-------------------------------------

The application loads the directories in %PROGRAMFILES%\WinAmp\Skins on

startup to determine the skins that have been installed and to list them

in the application menu point "Skins" and in the Skins Browser. But the

application does not properly validate the length of the directory name

before passing it as argument to a lstrcpynW call in the library

gen_jumpex.dll, which leads to a buffer overflow condition with possible

code execution.



This flaw is also exploitable via the %APPDATA%\WinAmp\winamp.ini. The

application loads the contents on startup, but does not properly

validate the length of the string loaded from the "skin" key before

passing it as an argument to the same lstrcpynW call in the library

gen_jumpex.dll, which leads to the same buffer overflow condition.



An attacker either needs to trick the victim to download and apply an

arbitrary skin package in order to exploit the vulnerability or to copy

an arbitrary winamp.ini into the %APPDATA%\WinAmp directory. Successful

exploits can allow attackers to execute arbitrary code with the

privileges of the user running the application. Failed exploits will

result in a denial-of-service condition.





4. VULNERABILITY DESCRIPTION (BUG #2)

-------------------------------------

The application loads the string of the GUI "Search" field from the

"WinAmp Library" when entered by a user and after switching to another

menu point, but does not properly validate the length of the string

before passing it as an argument to a GetDlgItemTextW call in the

library ml_local.dll, which leads to a buffer overflow condition with

possible code execution.



An attacker needs local access to the client in order to exploit the

vulnerability. Successful exploits can allow attackers to execute

arbitrary code with the privileges of the user running the application.

Failed exploits will result in a denial-of-service condition.





5. PROOF-OF-CONCEPT (DEBUG) (Bug #1)

------------------------------------

Registers:

EAX 3B3C08EB

ECX 7C80BAFC kernel32.7C80BAFC

EDX 00430010 winamp.00430010

EBX 0000007E

ESP 00C1F290 UNICODE "CCCCCCCCCCCCCCCCCCCCCCCCCCCC"

EBP 00430043 winamp.00430043

ESI 001961E8

EDI 0000060B

EIP 00430060 winamp.00430060

C 0  ES 0023 32bit 0(FFFFFFFF)

P 1  CS 001B 32bit 0(FFFFFFFF)

A 0  SS 0023 32bit 0(FFFFFFFF)

Z 1  DS 0023 32bit 0(FFFFFFFF)

S 0  FS 003B 32bit 7FFDE000(FFF)

T 0  GS 0000 NULL

D 0

O 0  LastErr ERROR_INVALID_WINDOW_HANDLE (00000578)

EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE)

ST0 empty +NaN

ST1 empty

ST2 empty

ST3 empty

ST4 empty

ST5 empty

ST6 empty

ST7 empty

               3 2 1 0      E S P U O Z D I

FST 0120  Cond 0 0 0 1  Err 0 0 1 0 0 0 0 0  (LT)

FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1



Stackview:

ESP-20   > 00430043  CC  winamp.00430043

ESP-1C   > 0043004B  KC  winamp.0043004B

ESP-18   > 7C80BAFC      kernel32.7C80BAFC

ESP-14   > 00430043  CC  winamp.00430043

ESP-10   > 00430043  CC  winamp.00430043

ESP-C    > 00430043  CC  winamp.00430043

ESP-8    > 00430043  CC  winamp.00430043

ESP-4    > 00430043  CC  winamp.00430043

ESP ==>  > 00430043  CC  winamp.00430043

ESP+4    > 00430043  CC  winamp.00430043

ESP+8    > 00430043  CC  winamp.00430043

ESP+C    > 00430043  CC  winamp.00430043

ESP+10   > 00430043  CC  winamp.00430043

ESP+14   > 00430043  CC  winamp.00430043

ESP+18   > 00430043  CC  winamp.00430043

ESP+1C   > 00430043  CC  winamp.00430043

ESP+20   > 00430043  CC  winamp.00430043



Vulnerable code part:

.text:1001A5B8                 push    eax             ; lpString2

.text:1001A5B9                 lea     eax, [ebp+String1]

.text:1001A5BF                 push    eax             ; lpString1

.text:1001A5C0                 call    ds:lstrcpynW

.text:1001A5C6                 cmp     word ptr [ebp+wParam], si

.text:1001A5CD                 jnz     short loc_1001A5E2

.text:1001A5CF                 mov     dword_100310B4, 1

.text:1001A5D9                 cmp     [ebp+String1], si

.text:1001A5E0                 jz      short loc_1001A5E8

.text:1001A5E2

.text:1001A5E2 loc_1001A5E2:                           ; CODE XREF:

sub_1001A551+7Cj

.text:1001A5E2                 mov     dword_100310B4, esi

.text:1001A5E8

.text:1001A5E8 loc_1001A5E8:                           ; CODE XREF:

sub_1001A551+8Fj

.text:1001A5E8                 pop     esi

.text:1001A5E9                 leave

.text:1001A5EA                 retn

.text:1001A5EA sub_1001A551    endp





5. PROOF-OF-CONCEPT (DEBUG) (Bug #2)

------------------------------------

Registers:

EAX 00000000

ECX 079A9D68 ml_local.079A9D68

EDX 00380608

EBX 00000000

ESP 00C1E46C UNICODE "CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC"

EBP 00430043 winamp.00430043

ESI 00000000

EDI 00000000

EIP 00430043 winamp.00430043

C 0  ES 0023 32bit 0(FFFFFFFF)

P 1  CS 001B 32bit 0(FFFFFFFF)

A 0  SS 0023 32bit 0(FFFFFFFF)

Z 1  DS 0023 32bit 0(FFFFFFFF)

S 0  FS 003B 32bit 7FFDE000(FFF)

T 0  GS 0000 NULL

D 0

O 0  LastErr ERROR_INVALID_WINDOW_HANDLE (00000578)

EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE)

ST0 empty

ST1 empty

ST2 empty

ST3 empty

ST4 empty

ST5 empty

ST6 empty

ST7 empty

               3 2 1 0      E S P U O Z D I

FST 0000  Cond 0 0 0 0  Err 0 0 0 0 0 0 0 0  (GT)

FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1



Stackview:

ESP-20   > 00430043  CC  winamp.00430043

ESP-1C   > 00430043  CC  winamp.00430043

ESP-18   > 00430043  CC  winamp.00430043

ESP-14   > 00430043  CC  winamp.00430043

ESP-10   > 00430043  CC  winamp.00430043

ESP-C    > 00430043  CC  winamp.00430043

ESP-8    > 00430043  CC  winamp.00430043

ESP-4    > 00430043  CC  winamp.00430043

ESP ==>  > 00430043  CC  winamp.00430043

ESP+4    > 00430043  CC  winamp.00430043

ESP+8    > 00430043  CC  winamp.00430043

ESP+C    > 00430043  CC  winamp.00430043

ESP+10   > 00430043  CC  winamp.00430043

ESP+14   > 00430043  CC  winamp.00430043

ESP+18   > 00430043  CC  winamp.00430043

ESP+1C   > 00430043  CC  winamp.00430043

ESP+20   > 00430043  CC  winamp.00430043



Vulnerable code part:

.text:07990871                 lea     eax, [ebp+WideCharStr]

.text:07990877                 push    eax             ; lpString

.text:07990878                 push    3EEh            ; nIDDlgItem

.text:0799087D                 push    [ebp+hDlg]      ; hDlg

.text:07990880                 call    ds:GetDlgItemTextW

.text:07990886                 lea     eax, [ebp+WideCharStr]

[...]

.text:0799097C                 mov     dword_79A9D68, eax

.text:07990981                 mov     dword_79A9D70, eax

.text:07990986                 mov     dword_79A9D6C, eax

.text:0799098B                 mov     dword_79ACB54, eax

.text:07990990                 pop     ebx

.text:07990991                 leave

.text:07990992                 retn





6. SOLUTION

-----------

Update to latest version v5.64 or newer.





7. REPORT TIMELINE

------------------

2013-06-05: Discovery of the vulnerability

2013-06-06: Vendor acknowledgement of the issue

2013-06-11: Vendor already fixed this issue in v5.7 Beta build 3403

2013-06-12: Confirmation that the issue is fixed

2013-06-19: Vendor releases v5.64 which includes the fix

2013-07-01: Coordinated Disclosure





8. REFERENCES

-------------

http://security.inshell.net

http://forums.winamp.com/showthread.php?t=364291
Voir sur GitHub