WinAMP--Buffer Overflow Vulnerability

[Mobo]

Description
============

WinAMP implements various functionalities through different plug-ins that are stored in "plugins" sub-directory of WinAMP installation directory. For example, in_mp3.dll is used to play MP3 files and in_cdda.dll is used to play CD.

The in_cdda.dll of WinAMP supports play path requests in the following format:

1. <Driver\><PathName\>[FileName].cda
2. linein://
3. cda://
4. cda://<Driver>
5. cda://<Driver>,<TrackNumber>

Brett Moore of Security-Assessment.com discovered a stack overflow when in_cdda.dll handles the first path. WinAMP released version 5.07 to fix that vulnerability.

Actually, in_cdda.dll will still cause an overflow when handling 4th and 5th path above. Stack overflow will be triggered only by adding an over-long device name or sound track number behind "cda://".

Any method that can pass a play path to WinAMP can be used to trigger this vulnerability, for example, command line.

One possible remote attacking vector is to construct a playlist file in m3u or pls format with an over-long path embedded in HTML. Once a user visits such a malicious page, it will execute the code of attacker's choice.

Workaround
=============

NSFOCUS suggests to remove in_cdda.dll from Plugins of WinAMP.

Vendor Status
==============

2004.11.24 Informed the vendor support@winamp.com, no response
2004.12.06 Tests proved winamp 5.07 is affected, informed the vendor again
2004.12.07 The vendor confirmed the vulnerability
2004.12.25 Tests proved winamp 5.08 is affected, informed the vendor
2005.01.10 The vendor released winamp 5.08c to fix the vulnerability

The vendor has released winamp 5.08c to fix this vulnerability. The latest version is available at http://www.winamp.com/player/