[Full-Disclosure] Winamp - Buffer Overflow In IN_CDDA.dll [ Patch Released ]

2004-12-06 Thread Brett Moore
Quick update on the winamp issue.

A new version 5.07 has been released and includes a fix for
the buffer overflow in the IN_CDDA.dll module.

Change Log
http://www.winamp.com/player/version_history.php

New Release
http://www.winamp.com/player/

Regards

Brett Moore
Network Intrusion Specialist, CTO
Security-Assessment.com 

##
CONFIDENTIALITY NOTICE: 

This message and any attachment(s) are confidential and proprietary. 
They may also be privileged or otherwise protected from disclosure. If 
you are not the intended recipient, advise the sender and delete this 
message and any attachment from your system. If you are not the 
intended recipient, you are not authorised to use or copy this message 
or attachment or disclose the contents to any other person. Views 
expressed are not necessarily endorsed by Security-Assessment.com 
Limited. Please note that this communication does not designate an 
information system for the purposes of the New Zealand Electronic 
Transactions Act 2003.
##

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Winamp - Buffer Overflow In IN_CDDA.dll [Unpatched]

2004-11-24 Thread Berend-Jan Wever
Version 2.91 is not vulnerable, does not include crappy CPU-consuming useless
features and plays mp3s like any other version.

Cheers,
SkyLined

- Original Message - 
From: Brett Moore [EMAIL PROTECTED]
To: [EMAIL PROTECTED] Netsys. Com [EMAIL PROTECTED]
Sent: Wednesday, November 24, 2004 04:05
Subject: [Full-Disclosure] Winamp - Buffer Overflow In IN_CDDA.dll [Unpatched]





[Full-Disclosure] Winamp - Buffer Overflow In IN_CDDA.dll

2004-11-23 Thread Brett Moore

= Winamp - Buffer Overflow In IN_CDDA.dll
=
= Vendor Update:  
= http://www.winamp.com/player/
=
= Affected Software:
=   Winamp 5.05 (only version tested)
=
= Public disclosure on November 23, 2004


== Overview ==

In this time of responsible vulnerability disclosure, it's a little
disturbing when a vendor acts on disclosed information but gives no
recognition or even notification that an update has been created due to
the information passed to them.

This advisory is a little late; the update was posted to the vendor
website last week. The only reason I know this is because I asked and
received a response.


hi brett

the problem was fixed in the lastest [sic] release of winamp.  
version 5.06 went live on the site last thurday [sic].

thanks

jonathan ward



But enough of that, we know the game and still choose to play.

We discovered a remotely exploitable stack-based buffer overflow in
winamp version 5.05. It is possible that earlier versions are also
vulnerable, and we recommend that all users upgrade to the latest version.

The overflow can be caused in various ways, though the most dangerous is
through a malformed .m3u playlist file. When hosted on a web site, these
files will automatically be downloaded and opened in winamp without any user
interaction. This is enough to cause the overflow that would allow a
malicious playlist to overwrite EIP and execute arbitrary code.

== Exploitation ==

When winamp opens the malformed playlist file, a first exception will 
occur: 

First Chance Exception in winamp.exe (IN_CDDA.DLL) : Access Violation
At this location
00A49BE8 88 4C 04 30  mov byte ptr [esp+eax+30h],cl

This exception will be handled by winamp, and execution will then 
continue until it reaches the second exception at this location
61616161   ???

with the registers looking like:
EAX = 0012A5D8 EBX = 0012C024
ECX = 61616161 EDX = 77F96DAE
ESI = 0012A600 EDI = 0046B9E0
EIP = 61616161 ESP = 0012A540
EBP = 0012A560 EFL = 00210246

As can be seen, EIP has been overwritten with a value supplied through
the malformed playlist file, 0x61616161, and since more playlist-supplied
data is located at the address pointed to by EDI, execution of
malicious code is possible.

== Solutions ==

- Install the vendor supplied patch.

== Credit ==

Discovered and advised to Nullsoft October 14, 2004 by Brett Moore of
Security-Assessment.com

== About Security-Assessment.com ==

Security-Assessment.com is a leader in intrusion testing and security
code review, and leads the world with SA-ISO, an online ISO 17799 compliance
management solution. Security-Assessment.com is committed to security
research and development, and its team have previously identified a
number of vulnerabilities in public and private software vendors' products.


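The advisory above shows playlist-supplied bytes being copied one at a time onto the stack (the faulting `mov byte ptr [esp+eax+30h],cl`) until the saved return address is overwritten with 0x61616161. As an added example, not code from the advisory and not Winamp's own code, here is what a length-checked playlist reader looks like in C: every line is measured before anything is copied, and a line that cannot fit in the fixed buffer is dropped and counted rather than truncated or written past the end. The limit `MAX_ENTRY_LEN`, the function names and the constructed sample playlist are assumptions made for this illustration.

```c
/* Added example (hypothetical code, not from the advisory or from Winamp):
 * a bounded .m3u playlist reader that rejects over-long entries instead of
 * copying them into a fixed-size stack buffer. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define MAX_ENTRY_LEN 260   /* assumed per-entry limit, including the NUL */
#define MAX_ENTRIES   64    /* assumed cap on entries kept from one playlist */

struct m3u_result {
    size_t accepted;   /* entries copied into out[] */
    size_t rejected;   /* lines dropped for exceeding MAX_ENTRY_LEN - 1 bytes */
};

/* Parse playlist text (not necessarily NUL-terminated) into out[].
 * Blank lines and comment lines (#EXTM3U, #EXTINF, ...) are skipped.
 * The length of each line is measured BEFORE any byte is copied; a line
 * that would not fit, NUL included, is discarded and counted.  Once
 * max_entries have been accepted the remaining lines are ignored. */
struct m3u_result parse_m3u(const char *data, size_t len,
                            char out[][MAX_ENTRY_LEN], size_t max_entries)
{
    struct m3u_result r = {0, 0};
    size_t pos = 0;

    while (pos < len && r.accepted < max_entries) {
        size_t start = pos;
        /* find the end of the current line: LF, or the CR of a CRLF pair */
        while (pos < len && data[pos] != '\n' && data[pos] != '\r')
            pos++;
        size_t line_len = pos - start;
        /* consume the line terminator(s) */
        if (pos < len && data[pos] == '\r') pos++;
        if (pos < len && data[pos] == '\n') pos++;

        if (line_len == 0 || data[start] == '#')
            continue;                        /* blank or comment line */

        if (line_len >= MAX_ENTRY_LEN) {     /* no room for the NUL */
            r.rejected++;
            continue;
        }
        memcpy(out[r.accepted], data + start, line_len);
        out[r.accepted][line_len] = '\0';
        r.accepted++;
    }
    return r;
}

/* Number of entries a playlist would have had rejected; a non-zero count
 * is the signal a defender scanning downloaded playlists cares about. */
size_t count_rejected_entries(const char *data, size_t len)
{
    char entries[MAX_ENTRIES][MAX_ENTRY_LEN];
    return parse_m3u(data, len, entries, MAX_ENTRIES).rejected;
}

/* Returns 1 if a single entry of exactly n bytes is rejected, 0 if it is
 * accepted, -1 if n is too large for the scratch buffer. */
int rejects_line_of_length(size_t n)
{
    char buf[1024];
    if (n > sizeof buf - 1) return -1;
    memset(buf, 'a', n);
    buf[n] = '\n';
    return count_rejected_entries(buf, n + 1) == 1;
}

/* Constructed sample: a header, one legitimate entry, then 400 'a' bytes
 * (0x61), the same byte pattern the advisory shows ending up in EIP. */
struct m3u_result parse_constructed_sample(void)
{
    char playlist[600];
    char entries[MAX_ENTRIES][MAX_ENTRY_LEN];
    size_t n = (size_t)snprintf(playlist, sizeof playlist,
                                "#EXTM3U\r\ntrack01.mp3\r\n");
    memset(playlist + n, 'a', 400);
    n += 400;
    playlist[n++] = '\n';
    return parse_m3u(playlist, n, entries, MAX_ENTRIES);
}

int main(void)
{
    struct m3u_result r = parse_constructed_sample();
    printf("accepted=%zu rejected=%zu\n", r.accepted, r.rejected);
    return 0;
}
```

The boundary is deliberate: an entry of MAX_ENTRY_LEN - 1 bytes is the longest that fits with its terminator, and anything longer is refused outright. Truncating instead would be memory-safe but would silently turn an attacker-shaped line into a plausible-looking path, so counting and reporting rejections is the more useful behaviour for a reader or a scanner.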

[Full-Disclosure] Winamp - Buffer Overflow In IN_CDDA.dll [Unpatched]

2004-11-23 Thread Brett Moore

= Winamp - Buffer Overflow In IN_CDDA.dll
=
= Affected Software:
=   Winamp 5.05, 5.06
=
= Public disclosure on November 24, 2004


== Overview ==

Hate to be the bearer of bad news.

It appears that the 'patched' version 5.05 does NOT fix the buffer overflow
issue that we notified Nullsoft about. This is obviously not good. 

As we wrote in our advisory, we were notified by email that the issue had
been fixed and an update posted to the website.

We have sent Nullsoft a copy of this email, and hope that they can remedy
this problem quickly. Unfortunately, this may not be the case as was
pointed out to me by somebody.

== Solutions ==

- Disassociate .cda and .m3u extensions from winamp
- Wait for an update

Brett Moore
Network Intrusion Specialist, CTO
Security-Assessment.com  

