Outpost24 Advisory - The Oddsock Playlist Generator v2.1 contains multiple buffer overflow vulnerabilities which result in a denial of service against the winamp/shoutcast service.
90c57c359b6bdbc11c79f220a2fbf14980057252f61933fa10f8406116cc4f9f
Outpost24 Advisory
www.outpost24.com
Advisory Name: Oddsock PlaylistGenerator Multiple BufferOverlow vulnerability
Release date: 15/07-02
Software : Song Requester Version : 2.1
Platform: Windows NT/XP/95/98/2000
Severity: DoS Vulnerability, that terminates Winamp, and restart
Author: Lucas Lundgren (ll@outpost24.com)
Vedor Status: No response
Summary:
Oddsock Playlist generator is used by Radio DJs to allow listeners to
choose a song to play from the Winamp Playlist.Song Requester Version
2.1 contains multiple buffer overflows, which will result in a DoS
attack against the Winamp/Shoutcast service.
The DJ will have to restart Winamp in order to make it work again. There
are two major kinds of DoS attacks against this software: the first will
display an error message, and inform the user that a logfile has been
created. The second attack closes down Winamp and restores the
playlist from the previous state, so that any newly added songs will not
be displayed in the playlist.It also restores the admin password to what
is was previously, if it has been changed without restarting Winamp.
Technical Details:
By parsing long names or characters to the CGI files in the Song
Requester, a DoS is avalible, closing down Winamp and / or leaving a
error log. You could try to parse
http://<musicserver>/request.cgi?listpos=9999999999999999999999999999
(9x256)
This will cause Winamp to crash, and makes Dr Watson dump a logfile.
If you parse:
http://<musicserver>/request.cgi?psearch=999999999999999999999999999999
(9x254)
Winamp will die without any error messages.
Oddsock overflows the playlist and crashes the Winamp player. If you
want to check it out, please look at Dr Watson logs for more details.
All the CGI files in Song Requester are vulnerable to DoS attacks, even
the 'admin.cgi'. Please note that the password you type in is in clear
text; no asterix signs replace the characters.
Outpost24
Contact: Lucas Lundgren (ll@outpost24.com)