About two months ago, we found a vulnerability in the Winamp 5.55 MAKI script parsing module. We reported our findings to AOL. AOL then released Winamp version 5.552 with the fix. Here are the details:
Winamp MAKI Parsing Integer Overflow Vulnerability
Winamp 5.55 and prior versions that support Modern Skins.
A vulnerability exists in Winamp. The vulnerability is due to an incorrect type cast while parsing a .maki file (a compiled script file), causing a buffer overflow. An attacker could provide a user with a modern skin (via a webpage download for example) that uses the maki script to execute arbitrary code within the context of the current user.
Winamp’s modern skins scripting engine reads strings from the .maki file. The format of these strings is composed as follows (multi-byte values are in little endian byte order):
Offset Size Description--------- ------ --------------------------------------0x0000 4 Unknown (it seems to be a type code)0x0004 2 Length (Y)0x0006 Y Function name
gen_ff.dll parses a .maki file, it reads two bytes and does a sign extension, which results in a stack buffer overflow.
The following shows the local buffer size (0x10008):
.text:12094DAB var_10144= byte ptr -10144h.text:12094DAB MultiByteStr= byte ptr -13ch
If a string size is greater than or equal to
0x8000, edi will be
0xhhhh is the two byte input)
.text:12094F62 loc_12094F62:.text:12094F62 mov ax, [ebx].text:12094F65 movsx edi, ax ; sign extension.text:12094F68 inc ebx.text:12094F69 push edi ; Size.text:12094F6A inc ebx.text:12094F6B lea eax, [ebp+MultiByteStr].text:12094F71 push ebx ; Src.text:12094F72 push eax ; Dst, buffer is located in the stack.text:12094F73 call memmove.text:120951E5 loc_120951E5:.text:120951E5 mov edi, [ebx].text:120951E7 add ebx, 4.text:120951EA mov ax, [ebx].text:120951ED movsx esi, ax ; sign extension.text:120951F0 inc ebx.text:120951F1 push esi ; Size.text:120951F2 inc ebx.text:120951F3 lea eax, [ebp+var_10144].text:120951F9 push ebx ; Src.text:120951FA push eax ; Dst, buffer is located in the stack.text:120951FB call memmove
I used the Bento skin’s maki file. The highlighted text in the following figure shows the two byte size (value is
0x0011) and the following 17 characters. I changed the size to
0xFFFF and inserted a lot of
0x41 (obviously more than
0xFFFF). Then BANG! EIP was overwitten with
Sourcefire released detection for this issue (gid:3 sid:15433) on 2009-03-31
Vendor released Winamp 5.552 on 2009-04-11
This issue now has a Bugtraq entry, available here: http://www.securityfocus.com/bid/35052