http://www.kryptoslogic.com/advisories/2010/kryptoslogic-winamp-midi.txt

PoC: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/15706.c

==-===-=====-=======-===========-=============-=================

Winamp 5.6 Arbitrary Code Execution in MIDI Parser

Kryptos Logic, December 2010

==-===-=====-=======-===========-=============-=================

=====[ Timeline

Vendor Contacted...........: 2010-12-03
Proposed Fix from Vendor...: 2010-12-04
Advisory Published.........: 2010-12-07

=====[ Affected Versions

Vulnerable:
- Winamp 5.6
- Winamp 5.581
- Possibly older versions of Winamp

Not vulnerable:
- Winamp 5.601
- Winamp 5.601 Beta build 3087

=====[ Vulnerability

When Winamp plays MUS files and other MIDI variants, it begins
by converting them to a canonical format. Timestamps in MIDI
files are encoded by serializing 32 bit integers into 1, 2, 3, 4
or 5 bytes, storing 7 data bits in each byte. The remaining bit
of each byte indicates whether or not that byte is the last one.
The serialization is done into an 8 byte buffer, which should be
large enough, but a logic bug in the code allows an attacker to
write one byte outside of the buffer.

The serialization is done by shifting the input value by
multiples of seven bits until no bits remain set. This is done
using the x86 instruction SAR. Unfortunately this instruction
does not clear the register when shifting by more than the
register width, but instead shifts by the requested amount
modulo the register width. By crafting an input file so that
Winamp tries to serialize a value which has the most significant
bit cleared and one of the following three bits set, an attacker
can force the program to write the value shifted by 0, 7, 14,
21, 28, 3, 10, 17 and 24 bits: a total of nine output bytes. The
least significant value overflows into the saved base pointer.

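To make the termination bug concrete, the following is an added
example written for this page, not Winamp's code and not from the
advisory: a C model of a serializer whose loop shifts the original
value by a growing count through an x86-style SAR (count masked to 5
bits), beside a bounded encoder that shifts the value itself and
checks the caller's buffer size. The test values are constructed.

```c
#include <stdint.h>
#include <stddef.h>

/* Model of x86 SAR: the shift count is masked to 5 bits, so shifting
 * by 35 behaves like shifting by 3. (Constructed model for this demo.) */
static int32_t sar_x86(int32_t v, unsigned count) {
    return v >> (count & 31);
}

/* Serializer with the termination logic the advisory describes: emit
 * the 7-bit group at shift 0, 7, 14, ... and stop only once the shifted
 * value reads as zero. Because the count is masked, any value with
 * bit 31 clear and one of bits 28..30 set runs for nine iterations.
 * Continuation bits are omitted; only the byte count matters here.
 * Returns the number of bytes that would be written; writes beyond
 * `cap` are counted but dropped so this demo itself cannot overflow. */
size_t encode_vlq_buggy(int32_t value, uint8_t *out, size_t cap) {
    size_t n = 0;
    unsigned shift = 0;
    do {
        uint8_t group = (uint8_t)(sar_x86(value, shift) & 0x7f);
        if (n < cap) out[n] = group;
        n++;
        shift += 7;
    } while (sar_x86(value, shift) != 0 && n < 64); /* no endless loop */
    return n;
}

/* Hardened encoder: shift the (unsigned) value itself, which always
 * reaches zero within five groups, emit the groups most significant
 * first with the continuation bit set on all but the last, and refuse
 * to write when the caller's buffer is too small. */
size_t encode_vlq_fixed(uint32_t value, uint8_t *out, size_t cap) {
    uint8_t groups[5];
    size_t n = 0;
    do {
        groups[n++] = (uint8_t)(value & 0x7f);
        value >>= 7;
    } while (value != 0);
    if (n > cap) return 0;          /* 8-byte buffer: always enough */
    for (size_t i = 0; i < n; i++) {
        uint8_t b = groups[n - 1 - i];
        out[i] = (i + 1 < n) ? (uint8_t)(b | 0x80) : b;
    }
    return n;
}
```

Feeding 0x10000000 or 0x70000000 to the buggy loop yields nine bytes
against an eight-byte buffer, while the bounded encoder emits five.
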
=====[ Exploitation

The stack alignment of Winamp is predictable. An attacker can
choose the value to write into the saved base pointer, so that
when the base pointer is restored, the stack frame of the
calling function is moved to a location where the attacker
controls the return address.

The value must be chosen so that the calling function will not
access invalid memory addresses by using local variables in the
modified stack frame. Carefully chosen values have proved to
lead to code execution without causing any faults.

=====[ Credits

The bug was discovered by Peter Wilhelmsen, Kryptos Logic, and
an exploit was developed by Morten Shearman Kirkegaard, Kryptos
Logic.

=====[ About Kryptos Logic

Kryptos Logic is a group of talented computer security experts
from around the globe that has coalesced into a highly effective
team. New ideas and derivatives of existing products are
constantly created. We provide a wide range of security products
ranging from binary analysis tools and security research kits to
anti-piracy and digital rights management software. We also
perform state-of-the-art research on emergent attack vectors and
threats to current digital infrastructure.

http://www.kryptoslogic.com/