Re: Winamp 2.6x / 2.7x buffer overflow

[ByteRage <byterage () YAHOO COM>]

Winamp 2.74 doesnt seem to be affected by the bug
(although I thought it would be), only 2.60 -> 2.73
are affected, the AIP file format is some format
invented by AudioSoft to provide a legal way to get
MP3's from the net. AIP files or AudioSoft parameter
files seem to contain weakly encrypted authentication
information... The buffer overflow occurs right in the
decryption loop, there's no bounds checking there...
When in doubt try out the attached proof of concept
exploit (HACKME.AIP). I don't know whether they fixed
that divide by zero bug yet in v2.74
(CRASH-ZEROES.AIP). I also don't know if the AudioSoft
plugin is used by other music software.

greetz,
[ByteRage]
<byterage () yahoo com> http://elf.box.sk/byterage

--- Tom Laermans <tom.laermans () POWERSOURCE CX> wrote:
> Hi,
>
> > WINAMP 2.6x / 2.7x BUFFER OVERFLOW
> >
> > AFFECTED SYSTEMS
> > Winamp 2.73 (full)
> > [...]
> > DESCRIPTION
> >
> > Winamp has a buffer overflow condition when parsing
> > *.AIP files. (which are set to be automatically
> downloaded without
> > user intervention, just like the *.M3U / *.PLS
> files)
>
> Actually, my copy of WinAmp (v2.74) does absolutely
> nothing with .AIP
> files, nor are they listed anywhere in the "File
> Types" in the selection
> box. What are they supposed to do, anyway? (I've
> never heard of 'em before
> either)
>
> Tom
>
> -------------------------------------------------
> Web: http://www.powersource.cx --- ICQ#: 12120754
> Also check this out:  http://kickme.to/sidewinder
> Need some cheats?? http://www.chaos-cheatbase.com
> Keep Fido&BBS Alive!     http://skynetbbs.dyns.cx
> -------------------------------------------------


__________________________________________________
Do You Yahoo!?
Yahoo! Auctions - buy the things you want at great prices
http://auctions.yahoo.com/

Attachment: aip-files.zip
Description: aip-files.zip

Attachment: wabof3.c
Description: wabof3.c