AOL Nullsoft Winamp IT Module "IN_MOD.DLL" Remote Heap Memory Corruption

2007.04.11
Credit: Piotr Bania
Risk: High
Local: Yes
Remote: Yes
CWE: CWE-20


CVSS Base Score: 9.3/10
Impact Subscore: 10/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

AOL Nullsoft Winamp IT Module "IN_MOD.DLL" Remote Heap Memory Corruption by Piotr Bania <bania.piotr@gmail.com> http://www.piotrbania.com Severity: Important - Potencial remote code execution. Software affected: Tested on AOL Nullsoft Winamp v5.33 (x86) Feb 13 2007 (on Windows XP SP1/SP2). Orginal url: http://www.piotrbania.com/all/adv/nullsoft-winamp-it_module-in_mod-adv.txt 0. DISCLAIMER Author takes no responsibility for any actions with provided informations or codes. The copyright for any material created by the author is reserved. Any duplication of codes or texts provided here in electronic or printed publications is not permitted without the author's agreement. I. BACKGROUND AOL Nullsoft is the most popular multimedia player in the world. in_mod.dll is a one of Winamp plugins. II. DESCRIPTION The problem takes place when Winamp is trying to play specially crafted .IT file. IT is the proprietary module format used by Impulse Tracker, featuring support for more advanced features than MOD or S3M before it. These include a larger limit for lines in a pattern, higher quality samples, and other effects. Take a look a this code snipet: ----// SNIP SNIP //------------------------------------------------- .text:00E97BCA write_looop: ; CODE XREF: sub_E97976+29Dj .text:00E97BCA mov edx, [ebp+6Ch+arg_0] .text:00E97BCD mov ecx, [ebx+18h] .text:00E97BD0 mov dx, [eax+edx*2] .text:00E97BD4 mov [eax+ecx*2], dx .text:00E97BD8 mov eax, [ebx+370h] .text:00E97BDE mov ecx, [ebx+18h] .text:00E97BE1 mov cx, [eax+ecx*2] .text:00E97BE5 cmp cx, [esi+6Eh] .text:00E97BE9 jnb short loc_E97C09 .text:00E97BEB mov al, [ebx+18h] .text:00E97BEE mov ecx, [ebp+6Ch+arg_0] .text:00E97BF1 mov [ecx+esi+148h], al ; BANG .text:00E97BF8 mov eax, [ebx+370h] .text:00E97BFE cmp word ptr [eax+ecx*2], 0FEh .text:00E97C04 jnb short loc_E97C09 .text:00E97C06 inc dword ptr [ebx+18h] .text:00E97C09 .text:00E97C09 loc_E97C09: ; CODE XREF: sub_E97976+273j .text:00E97C09 ; sub_E97976+28Ej .text:00E97C09 movzx ecx, word ptr [esi+68h] ; ecx=controlled value (from offset 0x20) .text:00E97C0D inc [ebp+6Ch+arg_0] .text:00E97C10 cmp [ebp+6Ch+arg_0], ecx .text:00E97C13 jb short write_looop ----// SNIP SNIP //------------------------------------------------- The memory is overwritten at 0x00E97BF1. The description of this disassembly listing is pretty similiar to the one written in s3m module files advisory. Due to my lazyness i will not repeat it again, whatsoever. III. IMPACT Successful exploitation may allow the attacker to run arbitrary code in context of user running AOL Nullsoft Winamp. IV. VENDOR RESPONSE Due to the fact i was looking for a AOL NULLSOFT contact for over 30 minutes with no effect, i got finally bored and i haven't notified them at all. -- -------------------------------------------------------------------- Piotr Bania - <bania.piotr (at) gmail (dot) com [email concealed]> - 0xCD, 0x19 Fingerprint: 413E 51C7 912E 3D4E A62A BFA4 1FF6 689F BE43 AC33 http://www.piotrbania.com - Key ID: 0xBE43AC33 -------------------------------------------------------------------- - "The more I learn about men, the more I love dogs."


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top