Bugtraq mailing list archives

Outpost24 Advisory: Oddsock PlaylistGenerator Multiple Buffer Overflow vulnerability


From: Lucas Lundgren <ll () outpost24 com>
Date: 16 Jul 2002 10:31:23 -0000



Outpost24 Advisory
www.outpost24.com


Advisory Name: Oddsock PlaylistGenerator Multiple
Buffer Overflow vulnerability
Release date: 15/07-02
Software: Song Requester
Version: 2.1
Platform: Windows NT/XP/95/98/2000
Severity: DoS vulnerability that terminates Winamp
and requires a restart

Author: Lucas Lundgren (ll () outpost24 com)
Reference: http://www.outpost24.com/news/
Vendor Status: No response


Summary:

Oddsock Playlist generator is used by Radio DJs to
allow listeners to choose a song to play from the
Winamp Playlist. Song Requester Version 2.1 contains
multiple buffer overflows, which will result in a DoS
attack against the Winamp/Shoutcast service. The DJ
will have to restart Winamp in order to make it work
again.

There are two major kinds of DoS attacks against this
software: the first will display an error message and
inform the user that a logfile has been created. The
second attack closes down Winamp and restores the
playlist from the previous state, so that any newly
added songs will not be displayed in the playlist. It
also restores the admin password to what it was
previously, if it has been changed without restarting
Winamp.

Technical Details:

By passing long names or characters to the CGI files in
the Song Requester, a DoS is available, closing down
Winamp and/or leaving an error log. You could try to
request

http://<musicserver>/request.cgi?listpos=9999999999999999999999999999
(9x256)

This will cause Winamp to crash and make Dr Watson
dump a logfile.

But if you request:
 http://<musicserver>/request.cgi?psearch=999999999999999999999999999999
(9x254) 

Winamp will die without any error messages.

Oddsock overflows the playlist and crashes the Winamp
player. If you want to check it out, please look at the
Dr Watson logs for more details. All the CGI files in
Song Requester are vulnerable to DoS attacks, even
the 'admin.cgi'. Please note that the password you type
in is in clear text; no asterisks replace the
characters.

Outpost24
Contact: Lucas Lundgren (ll () outpost24 com)
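
A defender's check for the requests described in this advisory, as an added example that is not part of the original post or of the vendor's code: it scans web server access-log lines for over-long parameter values sent to any `.cgi` path. The Common Log Format input, the 128-character threshold, the function names and the sample log lines are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: values this long are never legitimate for a playlist position
# or a search term; the advisory's crashing inputs were 254 and 256 chars.
MAX_VALUE_LEN = 128

# Request line inside a Common Log Format entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def oversized_cgi_params(line, max_len=MAX_VALUE_LEN):
    """Return [(script, param, length)] for over-long values sent to a .cgi path."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    if not url.path.lower().endswith(".cgi"):
        return []
    hits = []
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if len(value) > max_len:
            hits.append((url.path, name, len(value)))
    return hits

def scan(lines, max_len=MAX_VALUE_LEN):
    """Map client address -> list of findings across all log lines."""
    findings = {}
    for line in lines:
        hits = oversized_cgi_params(line, max_len)
        if hits:
            client = line.split(" ", 1)[0]
            findings.setdefault(client, []).extend(hits)
    return findings

# Constructed sample log lines (not taken from the advisory).
SAMPLE_LOG = [
    '192.0.2.10 - - [16/Jul/2002:10:00:01 +0000] "GET /request.cgi?listpos=12 HTTP/1.0" 200 512',
    '192.0.2.77 - - [16/Jul/2002:10:00:05 +0000] "GET /request.cgi?listpos=' + "9" * 256 + ' HTTP/1.0" 200 0',
    '192.0.2.77 - - [16/Jul/2002:10:02:40 +0000] "GET /request.cgi?psearch=' + "9" * 254 + ' HTTP/1.0" 200 0',
    '192.0.2.10 - - [16/Jul/2002:10:03:00 +0000] "GET /index.html?q=' + "a" * 300 + ' HTTP/1.0" 200 90',
]

if __name__ == "__main__":
    for client, hits in scan(SAMPLE_LOG).items():
        for script, param, length in hits:
            print(f"{client} sent {length}-char '{param}' to {script}")
```

The same length limit can be enforced at a reverse proxy in front of the CGI scripts so that over-long values are rejected before they reach Winamp.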

