BeNiNuK
Winamp users have been advised to update their Winamp to the latest version after a critical hole was found in the software. It allows a .xm file to cause a heap overflow which can allow a malicious hacker to run code on a victim's machine.
Winamp has been downloaded millions of times and is installed on potentially millions of systems worldwide. It also supports more than 30 formats and has hundreds of plug-ins.
The main fear is that a victim may download an altered media file from a P2P network that may run malicious code on their system. The quick fix is to simply update your Winamp version to v5.03.

Source : ShortNews

Any more info from anyone?
Black_hat
QUOTE

NGSSoftware Insight Security Research Advisory - Nullsoft Winamp 'in_mod.dll' Heap Overflow
 
04/05/2004

NGSSoftware Insight Security Research Advisory
Name: Nullsoft Winamp 'in_mod.dll' Heap Overflow

Systems Affected: Nullsoft Winamp versions 2.91 to 5.02 (possibly older versions, although this is not confirmed)

Severity: High Risk

Vendor URL: http://www.winamp.com/

Author: Peter Winter-Smith [ peter@ngssoftware.com ]

Date Vendor Notified: 20th Feb 2004

Date of Public Advisory: 5th April 2004

Advisory number: #NISR05042004

Advisory URL: http://www.ngssoftware.com/advisories/winampheap.txt

Description

***********

Winamp is one of the world's most popular pieces of software for playing digital media. It supports in excess of 30 file types and boasts a huge dedicated community backing it with almost 20,000 skins and over 461 additional components. To date CNET's download.com alone reports more than 31,000,000 downloads of Winamp versions 2.91 to 5.02.

Details

*******

Due to a lack of boundary checking within the code responsible for loading Fasttracker 2 ('.xm') mod media files by the Winamp media plug-in 'in_mod.dll', it is possible to make Winamp overwrite arbitrary heap memory and reliably cause an access violation within the ntdll.RtlAllocateHeap() function. When properly exploited this allows an attacker to write any value to a memory location of their choosing. In doing so, the attacker can gain control of Winamp's flow of execution to run arbitrary code. This code will run in the security context of the logged on user.

NGSS researchers have proven that code execution is possible and that the malicious media file can be activated remotely simply by rendering a specially crafted html document.

It has also been discovered that the malicious file does not necessarily need to bear the extension '.xm'. This is due to the fact that 'in_mod.dll' will automatically determine which type of mod media file has been opened by performing certain tests on the file before attempting to load it. The testing is performed by passing the file through all the available loaders to see if one is able to handle it.

As a result of this the malicious file can have the extension of any of the supported module file types associated with the loaders in 'in_mod.dll' and still produce the same effect.

Fix Information

***************

Nullsoft have provided a fix for this issue. Winamp version 5.03 addresses the security issue discussed in this advisory. It can be obtained from the official website:

http://www.winamp.com/player/

To determine which version of Winamp you are currently using, load the player, right-click the main window and select the top-most menu item, 'Nullsoft Winamp...'.

In the new window which loads make sure that the 'Winamp' tab is selected and look for the copyright information, underneath this should be the version information.

If you see a version and date matching 'v5.02 (x86) - Feb 4 2004' or older, it is highly recommended that you update as soon as possible.

If for some reason it is impossible to download the updated version of Winamp, the vendor has informed NGSS that it is possible to disable the handling of Fasttracker 2 module files by taking the following steps:

1. Right click the Winamp player, go to 'Options' and then to 'Preferences...'.

2. In the new window which loads, go to 'Plug-ins' and 'Input'.

3. Look for the input plug-in item 'Nullsoft Module Decoder' and double click it to bring up the 'Nullsoft Module Decoder Preferences' window.

4. Select the 'Fasttracker 2' loader and deselect the 'Enabled' checkbox to the right of the loaders list.

5. Close all of the option windows and return to the main player.

About NGSSoftware

*****************

NGSSoftware design, research and develop intelligent, advanced application security assessment scanners. Based in the United Kingdom, NGSSoftware have offices in the South of London and the East Coast of Scotland. NGSSoftware's sister company NGSConsulting, offers best of breed security consulting services, specialising in application, host and network security assessments.

http://www.ngssoftware.com/

Telephone +44 208 401 0070

Fax +44 208 401 0076

enquiries@ngssoftware.com

http://www.nextgenss.com/advisories/winampheap.txt


Black_HAT
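As an added illustration (not NGSS's or Nullsoft's code), the two points the advisory makes, that in_mod.dll recognises module files by content rather than extension and that declared sizes must be bounded before they are used, as a small bounds-checked XM header reader in Python. The field layout follows the public Fasttracker 2 format description; the sample file, the limits and the function names are my assumptions, and the specific unchecked field in in_mod.dll is not named in the advisory.

```python
import struct
from typing import Optional

XM_MAGIC = b"Extended Module: "
XM_SIZE_FIELD = 60  # offset of the header-size dword; that size is counted from this offset

def identify_module(data: bytes) -> Optional[str]:
    """Identify a module by its bytes, never by its file extension.
    in_mod.dll passes an opened file through every loader, so a file named .mod
    or .s3m can still be handled as Fasttracker 2; only the XM signature is recognised here."""
    if data.startswith(XM_MAGIC) and len(data) > 37 and data[37] == 0x1A:
        return "xm"
    return None

def parse_xm(data: bytes) -> dict:
    """Parse the XM header and pattern headers, checking every declared size
    against the buffer before it is used (the check the advisory says was missing)."""
    if identify_module(data) != "xm":
        raise ValueError("not an XM module")
    if len(data) < XM_SIZE_FIELD + 20:
        raise ValueError("truncated header")
    (header_size,) = struct.unpack_from("<I", data, XM_SIZE_FIELD)
    if header_size < 20 or XM_SIZE_FIELD + header_size > len(data):
        raise ValueError(f"header size {header_size} does not fit in {len(data)} bytes")
    song_len, _restart, channels, patterns, instruments = struct.unpack_from("<5H", data, 64)
    # upper bounds taken from the public XM format description (assumed limits)
    if not (1 <= channels <= 32 and 1 <= patterns <= 256 and instruments <= 128 and song_len <= 256):
        raise ValueError("count outside the XM limits")
    pos, pattern_sizes = XM_SIZE_FIELD + header_size, []
    for _ in range(patterns):
        if pos + 9 > len(data):
            raise ValueError("truncated pattern header")
        hdr_len, _packing, rows, packed = struct.unpack_from("<IBHH", data, pos)
        # the packed length would drive a heap allocation and copy, so it is checked first
        if hdr_len < 9 or rows > 256 or pos + hdr_len + packed > len(data):
            raise ValueError(f"pattern at offset {pos} overruns the buffer")
        pattern_sizes.append(packed)
        pos += hdr_len + packed
    return {"channels": channels, "patterns": patterns,
            "instruments": instruments, "pattern_sizes": pattern_sizes}

def make_sample_xm(header_size: int = 276, packed_size: int = 16) -> bytes:
    """Constructed sample (not a real file): one 64-row pattern, one instrument."""
    hdr = XM_MAGIC + b"sample".ljust(20, b"\0") + b"\x1a" + b"FastTracker v2.00".ljust(20, b"\0")
    hdr += struct.pack("<HI", 0x0104, header_size)
    hdr += struct.pack("<8H", 1, 0, 4, 1, 1, 1, 6, 125)  # song len, restart, channels, patterns, instruments, flags, tempo, BPM
    hdr += bytes(256)  # pattern order table
    return hdr + struct.pack("<IBHH", 9, 0, 64, packed_size) + bytes(packed_size)
```

Renaming the sample to any extension changes nothing, which is why a scanner or loader has to decide by content.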
ivan288
Damn, sounds very nice. Plenty of targets out there.
x1`
What port is Winamp, btw?
shaun2k2
QUOTE

What port is Winamp, btw?

Did you read the advisory? Winamp doesn't have a port... This is exploited by crafting a malicious media file.


-Shaun.
JeiAr
A mod may want to change the topic

QUOTE

Nullsoft Winamp 'in_mod.dll' Heap Overflow


And that port question was pretty damn funny.
BeNiNuK
lol yeah, I will see if I can get hold of one of these files and post it for everyone to have a look at.
shaun2k2
The issue was discovered by one of our members, who works at NGSSoftware - they have the proof-of-concept, and they definitely don't intend to release it. Therefore, how do you intend to get hold of it? Forget it.


-Shaun.
Black_hat
To: shaun2k2

Hello
It is not important who does work at NGSSoftware. Well, this news isn't published for people, but we are here to share our information with each other.

Thanks
Black_Hat
Invision Power Board © 2001-2005 Invision Power Services, Inc.