#######################################################################

Luigi Auriemma

Application:  Winamp
              http://www.winamp.com
Versions:     <= 5.61
Platforms:    Windows
Bugs:         A] vp6 heap corruption
              B] h263 heap corruption
              C] nsvdec_vp5 frame heap overflow
              D] nsvdec_vp6 frame integer overflow
              E] nsvdec_vp3 frame heap overflow
              F] in_mod heap corruption
Date:         27 Jun 2011
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Winamp is one of the most diffused and appreciated media players for Windows.

#######################################################################

=======
2) Bugs
=======

----------------------
A] vp6 heap corruption
----------------------

The function 08607170 of vp6.w5s (base address 08600000) is used for the FLV files encoded with the On2 TrueMotion VP6 codec. Its job is reading the big endian bitfields 1, 6, 1, 5 and 2 (http://wiki.multimedia.cx/index.php?title=On2_VP6) and then initializing and allocating the memory and the other stuff needed for decoding the frames.

If the 4th field ("version") is less than or equal to 8 then it allocates the needed memory, otherwise it returns a NULL. The NULL is correctly handled by the caller function, which even sets a result value to -1, but that result is completely ignored by the rest of the code:

  086071BE  |. 6A 05          PUSH 5
  086071C0  |. 55             PUSH EBP
  086071C1  |. E8 1AFFFFFF    CALL vp6.086070E0             ; readbits 5
  086071C6  |. 6A 02          PUSH 2
  086071C8  |. 55             PUSH EBP
  086071C9  |. 8886 24030000  MOV BYTE PTR DS:[ESI+324],AL  ; bad values from 9 to 31
  086071CF  |. E8 0CFFFFFF    CALL vp6.086070E0             ; readbits 2
  086071D4  |. 8886 25030000  MOV BYTE PTR DS:[ESI+325],AL
  086071DA  |. 8A86 24030000  MOV AL,BYTE PTR DS:[ESI+324]
  086071E0  |. 83C4 10        ADD ESP,10
  086071E3  |. 3C 08          CMP AL,8
  086071E5  |. 76 08          JBE SHORT vp6.086071EF        ; initialization
  086071E7  |. 5F             POP EDI
  086071E8  |. 33C0           XOR EAX,EAX                   ; quit
  086071EA  |. 5D             POP EBP
  086071EB  |. 83C4 18        ADD ESP,18
  086071EE  |. C3             RETN

So if that 4th field is greater than 8 it's possible to cause a heap corruption and exploit the consequent write4, or to control the registers with the data of the decoded frame.

-----------------------
B] h263 heap corruption
-----------------------

The problem is located in the initialization of the frame for the h263 codec in FLV files (H263VIDEOPACKET), during the handling of the CustomWidth and CustomHeight fields, which will corrupt the data after the allocated heap memory. Exploitation may be possible but not so easily.

---------------------------------
C] nsvdec_vp5 frame heap overflow
---------------------------------

Classical heap overflow in nsvdec_vp5.dll caused by the setting of a too small screen height, with the consequent overflow during the decompression of the frames.

------------------------------------
D] nsvdec_vp6 frame integer overflow
------------------------------------

Integer overflow caused by a multiplication that takes both the screen width and height and uses them as signed 16-bit values too.

---------------------------------
E] nsvdec_vp3 frame heap overflow
---------------------------------

Classical heap overflow in nsvdec_vp3.dll caused by the setting of a too small screen width and height, with the consequent overflow during the decompression of the frames. Note that vp3 also contains an integer overflow like bug D, but it's not exploitable due to the memset with byte 0xff.

-------------------------
F] in_mod heap corruption
-------------------------

Heap corruption that causes problems during the freeing and reuse of the memory, through a modified number of samples in IT files. No additional research has been performed. Exploitation happens when the memory gets freed, so when the same or another file is played or during the closing of Winamp.
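As an added example (not code from the advisory or from Winamp), the following C sketch shows how a decoder can reject the two malformed inputs behind bugs A and D at parse time: the header parser returns a hard error for "version" values above 8 instead of a NULL the caller ignores, and the frame size is range-checked and multiplied in a wide type instead of as signed 16-bit values. The bit reader, the field order labels other than "version", the 16384 bound and the sample header bytes are assumptions constructed for this demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Minimal big-endian bit reader (assumed helper, not the vp6.w5s readbits). */
typedef struct { const uint8_t *buf; size_t len; size_t pos; } bitreader_t;

static int readbits(bitreader_t *br, int n) {
    int v = 0;
    while (n-- > 0) {
        if (br->pos >= br->len * 8) return -1;        /* truncated input */
        v = (v << 1) | ((br->buf[br->pos >> 3] >> (7 - (br->pos & 7))) & 1);
        br->pos++;
    }
    return v;
}

/* Bug A: read the 1,6,1,5,2 bitfields and return the 5-bit "version",
 * or -1 if the data is truncated or version > 8. The caller gets a hard
 * error to act on rather than a NULL that the rest of the code ignores. */
int vp6_version_of(const uint8_t *buf, size_t len) {
    bitreader_t br = { buf, len, 0 };
    static const int widths[5] = { 1, 6, 1, 5, 2 };
    int fields[5];
    for (int i = 0; i < 5; i++)
        if ((fields[i] = readbits(&br, widths[i])) < 0) return -1;
    return fields[3] <= 8 ? fields[3] : -1;           /* 9..31 are rejected */
}

/* Bug D: width * height evaluated as signed 16-bit values can wrap.
 * Here both values are range-checked first (16384 is an assumed cap) and
 * the product is formed in a wide unsigned type; -1 means invalid size. */
long checked_frame_bytes(int width, int height) {
    if (width <= 0 || height <= 0 || width > 16384 || height > 16384)
        return -1;                                    /* negative or huge */
    return (long)((unsigned long)width * (unsigned long)height);
}

/* Constructed sample headers: 0 001010 1 01000 01 (version 8) and
 * 0 001010 1 01001 01 (version 9), each padded to two bytes. */
static const uint8_t SAMPLE_OK[2]  = { 0x15, 0x42 };
static const uint8_t SAMPLE_BAD[2] = { 0x15, 0x4A };

int main(void) {
    printf("ok header  -> version %d\n", vp6_version_of(SAMPLE_OK, 2));     /* 8 */
    printf("bad header -> %d\n", vp6_version_of(SAMPLE_BAD, 2));            /* -1 */
    printf("640x480    -> %ld bytes\n", checked_frame_bytes(640, 480));     /* 307200 */
    printf("0xFFFF as int16 -> %ld\n", checked_frame_bytes((int16_t)0xFFFF, 1)); /* -1 */
    return 0;
}
```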
#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/winamp_2.zip

Note that the provided proof-of-concept samples are just the original files with some bytes modified; they have NOT been built from scratch and are NOT optimized to demonstrate the classical possibility of code execution (like registers set to 0x41414141 and so on).

  A]  00000246  46  FE

  B]  0000019A  80  FF
      0000019B  A0  FF
      0000019C  00  FF
      0000019D  86  FF
      0000019E  11  91

  C]  0000000E  80  01

  C_] 0000001C  09  00
      0000001D  08  00

  D]  0000000C  80  FF
      0000000D  02  FF
      0000000E  E0  01
      0000000F  01  00

  E]  0000000C  60  01
      0000000D  01  00
      0000000E  F0  01

  F]  00000024  17  09

#######################################################################

======
4) Fix
======

No fix.

UPDATE 30 Jun 2011:
bugs A, D, E and F "seem" to have been fixed in version 5.62.

#######################################################################