Bugtraq mailing list archives
Winamp M3U playlist parser buffer overflow security vulnerability
From: pauli_ojanpera () HOTMAIL COM (Pauli Ojanpera)
Date: Thu Jul 20 17:21:26 2000
LEGAL NOTICE: By reading this you do agree that life does not make sense and it doesn't need to. You also agree to wear a condom. You do agree to think about nature. .. umm you also agree to GPL all software you've ever written. [Click here if you're under 18] There is a buffer overflow security vulnerability in Winamp's (http://www.winamp.com) M3U playlist parser. The overflow happens when an M3U extension called "#EXTINF:" is being handled. The size of the parameter following that keyword is not checked. Real world example: --cut-here-and-paste-to-a-file-with-m3u-extension-- #EXTM3U #EXTINF:AAAAAAAAA....AAAAAAAAA<cr><lf> --cut here-- There should be at least 280 A's. The overflow allows total control over ones computer. For example one could embedd an M3U file to a web page several ways: - <A HREF="ATTACK.M3U"> - <BGSOUND SRC="ATTACK.M3U"> - <EMBED SRC="ATTACK.M3U"> I have tested the first one but I have Media Player installed on this computer and my browser uses its components for the latter two so I cannot confirm.. The only problem is some structure (FILE *?) after the buffer because it has a zero in it and it must not be crafted to successfully return from the function. I had to apply some trial and error to get code executed. Currently the code crafts Winamp's MOD file format support until restarted (I presume so.. :-). The attached .M3U file should crash Winamp at 0000:41414141. I've tested it with Windows 98 and Windows 95 with Winamp versions 2.62 and 2.64. Thank you.. I might not be available too frequently to answer your mail.. Have a nice life. Bye. ________________________________________________________________________ Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com <HR NOSHADE> <UL> <LI>text/plain attachment: ATTACK.M3U </UL>
Current thread:
- Winamp M3U playlist parser buffer overflow security vulnerability Pauli Ojanpera (Jul 20)
- <Possible follow-ups>
- Re: Winamp M3U playlist parser buffer overflow security vulnerability Andre_Fassbender () MN MAN DE (Jul 20)