Information Assurance
Dave Schachner
Bugtraq Analysis
* What the problem is:
Due to vulnerabilities in several of the dynamically linked libraries
(.DLL), specifically LIBSNDFILE.DLL and IN_MOD.DLL, there is the potential for
remote code execution in Nullsoft's Winamp media player. This can be accomplished through the
use of specially crafted .S3M, .IT or .MAT files:
+ .MAT - MATLAB sound file (MATLAB is a numerical computing environment and programming language)
+ .IT - Impulse Tracker, a multi-track digital sound tracker
+ .S3M - ScreamTracker 3 PC music tracker, a multi-track digital sound tracker
Since the attacker controls the file, and therefore the values
that will be loaded onto the stack when it is opened, he or she can manipulate register
values to take control of the stack and execute code remotely, and can
even control how many times a write loop iterates, which causes memory
corruption. Exploitation is difficult because the usable memory
locations are limited by the context of the program and how the stack is
set up. ("The final address that we can compute from our MY_DWORD value, must
be lower than 0x10CFB58. That surely makes the exploitation harder since we
are limited to the memory lower than 0x10CFB58.")
* What could have prevented it:
- Bounds/error checking of the file while loading it
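As an added illustration of the bounds check this section calls for: a small loader for a constructed, hypothetical module-file layout ("MODX", not one of Winamp's real formats) that validates a file-supplied entry count before it is allowed to drive a write loop. This is example code written for this analysis, not Winamp's, libsndfile's or Piotr Bania's code.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed, hypothetical layout (not a real Winamp format):
 *   bytes 0-3 : magic "MODX"
 *   bytes 4-5 : entry_count, little-endian
 *   bytes 6.. : entry_count 32-bit little-endian entries
 */
#define MAX_ENTRIES 16

typedef struct {
    uint32_t entries[MAX_ENTRIES];   /* fixed-size destination, as in a stack buffer */
    size_t   count;
} module_t;

/* Loader status codes. */
enum { LOAD_OK = 0, LOAD_BAD_MAGIC = -1, LOAD_TOO_MANY = -2, LOAD_TRUNCATED = -3 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Hardened loader: every value read from the file is checked before it is
 * used as a loop bound or array index. The flawed pattern this analysis
 * describes is the same loop without the two checks, so that a file-supplied
 * entry_count walks the writes past the end of entries[]. */
int load_module(const uint8_t *buf, size_t len, module_t *out) {
    if (len < 6 || memcmp(buf, "MODX", 4) != 0)
        return LOAD_BAD_MAGIC;
    size_t n = rd16(buf + 4);
    if (n > MAX_ENTRIES)            /* bound the write loop by the buffer, not the file */
        return LOAD_TOO_MANY;
    if (len < 6 + n * 4)            /* the data the header promises must really be there */
        return LOAD_TRUNCATED;
    for (size_t i = 0; i < n; i++)
        out->entries[i] = rd32(buf + 6 + i * 4);
    out->count = n;
    return LOAD_OK;
}

/* Constructed sample inputs. */
static const uint8_t good_file[]      = { 'M','O','D','X', 2,0, 0x11,0,0,0, 0x22,0,0,0 };
static const uint8_t oversized_file[] = { 'M','O','D','X', 0xFF,0xFF, 1,2,3,4 }; /* count 65535 */
static const uint8_t truncated_file[] = { 'M','O','D','X', 3,0, 0x11,0,0,0 };    /* claims 3, has 1 */
```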
* What can be done to work around it:
- Avoid playing unknown files from unknown sources
- Use other media players, such as VLC, iTunes, WM, etc.
* What can be done to prevent it from occurring in the future:
Piotr Bania, who discovered the vulnerabilities, had apparently been
unsuccessfully trying to contact AOL Nullsoft, the creators of Winamp, to
inform them of the flaws in their software.
AOL Nullsoft could release a patch that fixes the vulnerabilities in
the dynamically linked libraries that allow remote memory corruption. As of this writing, no patch has been
released by the company to fix their software.