Winamp S3M module IN_MOD.DLL remote heap overflow vulnerability

Vulnerability ID: 1191061    Vulnerability type: input validation
Published: 2007-04-10    Updated: 2007-09-05
CVE ID: CVE-2007-1922    CNNVD ID: CNNVD-200704-150
Platform: N/A    CVSS score: 9.3
|Vulnerability source
https://cxsecurity.com/issue/WLB-2007040039
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200704-150
|Vulnerability details
Winamp is a popular media player that supports many file formats. Winamp contains a heap overflow that is triggered when it attempts to play a specially crafted .S3M file. A remote attacker can exploit this vulnerability to execute arbitrary code.
|Vulnerability EXP
AOL Nullsoft Winamp IT Module "IN_MOD.DLL" Remote Heap Memory Corruption
	by Piotr Bania <bania.piotr@gmail.com>
	http://www.piotrbania.com


	Severity: 		Important - Potential remote code execution.

	Software affected: 	Tested on AOL Nullsoft Winamp v5.33 (x86) Feb 13 2007
				(on Windows XP SP1/SP2).


	Original url:		http://www.piotrbania.com/all/adv/nullsoft-winamp-it_module-in_mod-adv.txt




	0.   DISCLAIMER

	The author takes no responsibility for any actions taken with the provided information or 
	code. The copyright for any material created by the author is reserved. Any 
	duplication of the code or texts provided here in electronic or printed 
	publications is not permitted without the author's agreement. 
	

	I.  BACKGROUND


	AOL Nullsoft is the most popular multimedia player in the world.
	in_mod.dll is one of the Winamp plugins.


	II. DESCRIPTION


	The problem takes place when Winamp is trying to play a specially
	crafted .IT file.

	IT is the proprietary module format used by Impulse Tracker, featuring 
	support for more advanced features than MOD or S3M before it. These include 
	a larger limit for lines in a pattern, higher quality samples, and other 
	effects.


	Take a look at this code snippet:

	----// SNIP SNIP //-------------------------------------------------	
	.text:00E97BCA write_looop:                            ; CODE XREF: sub_E97976+29Dj
	.text:00E97BCA                 mov     edx, [ebp+6Ch+arg_0]
	.text:00E97BCD                 mov     ecx, [ebx+18h]
	.text:00E97BD0                 mov     dx, [eax+edx*2]
	.text:00E97BD4                 mov     [eax+ecx*2], dx
	.text:00E97BD8                 mov     eax, [ebx+370h]
	.text:00E97BDE                 mov     ecx, [ebx+18h]
	.text:00E97BE1                 mov     cx, [eax+ecx*2]
	.text:00E97BE5                 cmp     cx, [esi+6Eh]
	.text:00E97BE9                 jnb     short loc_E97C09
	.text:00E97BEB                 mov     al, [ebx+18h]
	.text:00E97BEE                 mov     ecx, [ebp+6Ch+arg_0]
	.text:00E97BF1                 mov     [ecx+esi+148h], al     ; BANG 
	.text:00E97BF8                 mov     eax, [ebx+370h]
	.text:00E97BFE                 cmp     word ptr [eax+ecx*2], 0FEh
	.text:00E97C04                 jnb     short loc_E97C09
	.text:00E97C06                 inc     dword ptr [ebx+18h]
	.text:00E97C09
	.text:00E97C09 loc_E97C09:                             ; CODE XREF: sub_E97976+273j
	.text:00E97C09                                         ; sub_E97976+28Ej
	.text:00E97C09                 movzx   ecx, word ptr [esi+68h] ; ecx=controlled value (from offset 0x20)
	.text:00E97C0D                 inc     [ebp+6Ch+arg_0]
	.text:00E97C10                 cmp     [ebp+6Ch+arg_0], ecx
	.text:00E97C13                 jb      short write_looop
	----// SNIP SNIP //-------------------------------------------------	
	

	The memory is overwritten at 0x00E97BF1. The description of this disassembly
	listing is pretty similar to the one written in the S3M module files advisory.
	Due to my laziness I will not repeat it again, whatsoever.


	
	III. IMPACT

	Successful exploitation may allow the attacker to run arbitrary code in 
	the context of the user running AOL Nullsoft Winamp.


	IV. VENDOR RESPONSE

	Due to the fact that I was looking for an AOL NULLSOFT contact for over 30 minutes with
	no effect, I finally got bored and I haven't notified them at all. 


-- 
--------------------------------------------------------------------
Piotr Bania - <bania.piotr (at) gmail (dot) com [email concealed]> - 0xCD, 0x19
Fingerprint: 413E 51C7 912E 3D4E A62A  BFA4 1FF6 689F BE43 AC33
http://www.piotrbania.com  - Key ID: 0xBE43AC33
--------------------------------------------------------------------

- "The more I learn about men, the more I love dogs."
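One defensive check that follows from the advisory's description, added here as an example (it is not the author's code and not part of the original page): a Python sanity check of the IT header fields a module loader reads before it starts copying. It assumes that the word at offset 0x20, which the listing calls the "controlled value", is the IT header's OrdNum field, and that the player's order table, like Impulse Tracker's, holds at most 256 entries; the sample file image is constructed.

```python
import struct

# Impulse Tracker header layout (from the public IT format description).
IT_MAGIC = b"IMPM"
IT_HEADER_LEN = 0xC0       # fixed header; the order list starts right after it
IT_MAX_ORDERS = 256        # size of the order table Impulse Tracker reads/writes
OFF_ORDNUM = 0x20          # assumed: the "controlled value" word the advisory refers to


def check_it_header(data: bytes) -> list[str]:
    """Return a list of findings for a .IT file image; an empty list means it passed."""
    findings = []
    if len(data) < IT_HEADER_LEN:
        return ["file shorter than the 0xC0-byte IT header"]
    if data[:4] != IT_MAGIC:
        return ["missing IMPM magic"]
    # OrdNum, InsNum, SmpNum, PatNum are four consecutive little-endian words at 0x20.
    ordnum, insnum, smpnum, patnum = struct.unpack_from("<4H", data, OFF_ORDNUM)
    if ordnum > IT_MAX_ORDERS:
        findings.append(f"OrdNum={ordnum} exceeds the {IT_MAX_ORDERS}-entry order table")
    if IT_HEADER_LEN + ordnum > len(data):
        findings.append("OrdNum points past end of file")
    # The instrument/sample/pattern offset tables (one dword each) follow the order list.
    tables_end = IT_HEADER_LEN + ordnum + 4 * (insnum + smpnum + patnum)
    if tables_end > len(data):
        findings.append("instrument/sample/pattern pointer tables extend past end of file")
    return findings


def make_it_image(ordnum: int, total_len: int = 4096) -> bytes:
    """Constructed sample: a minimal IT image with a chosen OrdNum and empty tables."""
    img = bytearray(total_len)
    img[:4] = IT_MAGIC
    struct.pack_into("<4H", img, OFF_ORDNUM, ordnum, 0, 0, 0)
    return bytes(img)


if __name__ == "__main__":
    for n in (16, 0xFFFF):
        print(n, check_it_header(make_it_image(n)) or "ok")
```

Running the check over a directory of module files before handing them to a legacy loader gives a cheap triage signal for files whose header counts cannot be honoured by a fixed-size table.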
|References

Source: MISC
Link: http://www.piotrbania.com/all/adv/nullsoft-winamp-it_module-in_mod-adv.txt
Source: XF
Name: winamp-inmod-code-execution(33480)
Link: http://xforce.iss.net/xforce/xfdb/33480
Source: SECTRACK
Name: 1017886
Link: http://www.securitytracker.com/id?1017886
Source: BID
Name: 23350
Link: http://www.securityfocus.com/bid/23350
Source: BUGTRAQ
Name: 20070406 AOL Nullsoft Winamp IT Module "IN_MOD.DLL" Remote Heap Memory Corruption
Link: http://www.securityfocus.com/archive/1/archive/1/464893/100/0/threaded
Source: BUGTRAQ
Name: 20070406 AOL Nullsoft Winamp S3M Module "IN_MOD.DLL" Remote Heap Memory Corruption
Link: http://www.securityfocus.com/archive/1/archive/1/464890/100/0/threaded
Source: MISC
Link: http://www.piotrbania.com/all/adv/nullsoft-winamp-s3m_module-in_mod-adv.txt
Source: VUPEN
Name: ADV-2007-1286
Link: http://www.frsirt.com/english/advisories/2007/1286
Source: OSVDB
Name: 34431
Link: http://osvdb.org/34431
Source: OSVDB
Name: 34430
Link: http://osvdb.org/34430
Source: MLIST
Name: [dailydave] 20070406 AOL Nullsoft Winamp S3M Module "IN_MOD.DLL" Remote Heap Memory Corruption
Link: http://marc.info/?l