Winamp 5.6 Arbitrary Code Execution in MIDI Parser

2010-12-08 09:15:38

http://www.kryptoslogic.com/advisories/2010/kryptoslogic-winamp-midi.txt

PoC: https://www.exploit-db.com/sploits/15706.c

==-===-=====-=======-===========-=============-=================

Winamp 5.6 Arbitrary Code Execution in MIDI Parser

Kryptos Logic, December 2010

==-===-=====-=======-===========-=============-=================

=====[ Timeline

Vendor Contacted...........: 2010-12-03
Proposed Fix from Vendor...: 2010-12-04
Advisory Published.........: 2010-12-07


=====[ Affected Versions

Vulnerable:
- Winamp 5.6
- Winamp 5.581
- Possibly older versions of Winamp

Not vulnerable:
- Winamp 5.601
- Winamp 5.601 Beta build 3087


=====[ Vulnerability

When Winamp plays MUS files and other MIDI variants, it begins
by converting them to a canonical format. Timestamps in MIDI
files are encoded by serializing 32 bit integers into 1, 2, 3, 4
or 5 bytes, storing 7 data bits in each byte. The last bit is
used to indicate whether or not a given byte is the last. The
serialization is done into an 8 byte buffer, which should be
large enough, but there is a logic bug in the code which allows
an attacker to write one byte outside of the buffer.

The serialization is done by shifting the input value multiples
of seven bits, until there is no more bits set. This is done
using the x86 instruction SAR. Unfortunately this instruction
does not clear the register when shifting more than the register
width, but instead shifts the requested amount modulo the
register width. By crafting an input file so that Winamp tries
to serialize a value which has the most significant bit cleared
and one of the following three bits set, an attacker can force
the program to write the value shifted 0, 7, 14, 21, 28, 3, 10,
17 and 24 bits; a total of nine output bytes. The least
significant value overflows into the saved base pointer.


=====[ Exploitation

The stack alignment of Winamp is predictable. An attacker can
choose the value to write into the saved base pointer, so that
when the base pointer is restored, the stack frame of the
calling function is moved to a location where the attacker
controls the return address.

The value must be chosen so that the calling function will not
access invalid memory addresses by using local variables in the
modified stack frame. Carefully chosen values have proved to
lead to code execution without causing any faults.


=====[ Credits

The bug was discovered by Peter Wilhelmsen, Kryptos Logic, and
an exploit was developed by Morten Shearman Kirkegaard, Kryptos
Logic.


=====[ About Kryptos Logic

Kryptos Logic is a group of talented computer security experts
from around the globe that has coalesced into a highly effective
team. New ideas and derivatives of existing products are
constantly created. We provide a wide range of security products
ranging from binary analysis tools and security research kits to
anti-piracy and digital rights management software. We also
perform state-of-the-art research on emergent attack vectors and
threats to current digital infrastructure.

http://www.kryptoslogic.com/

Fixes

No fixes

Per poter inviare un fix è necessario essere utenti registrati.