-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

       ESB-2004.0252 -- NGSSoftware Insight Security Research Advisory
                 Nullsoft Winamp 'in_mod.dll' Heap Overflow
                               06 April 2004

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                Nullsoft Winamp 5.02 and prior
Publisher:              NGSSoftware
Operating System:       Windows
Impact:                 Execute Arbitrary Code/Commands
Access Required:        Remote

- --------------------------BEGIN INCLUDED TEXT--------------------

NGSSoftware Insight Security Research Advisory

Name: Nullsoft Winamp 'in_mod.dll' Heap Overflow
Systems Affected: Nullsoft Winamp versions 2.91 to 5.02 (possibly older
                  versions, although this is not confirmed)
Severity: High Risk
Vendor URL: http://www.winamp.com/
Author: Peter Winter-Smith [ peter@ngssoftware.com ]
Date Vendor Notified: 20th Feb 2004
Date of Public Advisory: 5th April 2004
Advisory number: #NISR05042004
Advisory URL: http://www.ngssoftware.com/advisories/winampheap.txt

Description
***********

Winamp is one of the world's most popular pieces of software for playing
digital media. It supports in excess of 30 file types and boasts a huge
dedicated community backing it with almost 20,000 skins and over 461
additional components. To date CNET's download.com alone reports more than
31,000,000 downloads of Winamp versions 2.91 to 5.02.

Details
*******

Due to a lack of boundary checking within the code responsible for loading
Fasttracker 2 ('.xm') mod media files by the Winamp media plug-in
'in_mod.dll', it is possible to make Winamp overwrite arbitrary heap memory
and reliably cause an access violation within the ntdll.RtlAllocateHeap()
function. When properly exploited this allows an attacker to write any value
to a memory location of their choosing.
In doing so, the attacker can gain control of Winamp's flow of execution to
run arbitrary code. This code will run in the security context of the
logged-on user.

NGSS researchers have proven that code execution is possible and that the
malicious media file can be activated remotely simply by rendering a
specially crafted HTML document.

It has also been discovered that the malicious file does not necessarily
need to bear the extension '.xm'. This is due to the fact that 'in_mod.dll'
will automatically determine which type of mod media file has been opened
by performing certain tests on the file before attempting to load it. The
testing is performed by passing the file through all the available loaders
to see if one is able to handle it. As a result of this the malicious file
can have the extension of any of the supported module file types associated
with the loaders in 'in_mod.dll' and still produce the same effect.

Fix Information
***************

Nullsoft have provided a fix for this issue. Winamp version 5.03 addresses
the security issue discussed in this advisory. It can be obtained from the
official website:

http://www.winamp.com/player/

To determine which version of Winamp you are currently using, load the
player, right-click the main window and select the top-most menu item,
'Nullsoft Winamp...'. In the new window which loads make sure that the
'Winamp' tab is selected and look for the copyright information; underneath
this should be the version information. If you see a version and date
matching 'v5.02 (x86) - Feb 4 2004' or older, it is highly recommended that
you update as soon as possible.

If for some reason it is impossible to download the updated version of
Winamp, the vendor has informed NGSS that it is possible to disable the
handling of Fasttracker 2 module files by taking the following steps:

1. Right-click the Winamp player, go to 'Options' and then to
   'Preferences...'.
2. In the new window which loads, go to 'Plug-ins' and 'Input'.
3. Look for the input plug-in item 'Nullsoft Module Decoder' and
   double-click it to bring up the 'Nullsoft Module Decoder Preferences'
   window.
4. Select the 'Fasttracker 2' loader and deselect the 'Enabled' checkbox to
   the right of the loaders list.
5. Close all of the option windows and return to the main player.

About NGSSoftware
*****************

NGSSoftware design, research and develop intelligent, advanced application
security assessment scanners. Based in the United Kingdom, NGSSoftware have
offices in the South of London and the East Coast of Scotland. NGSSoftware's
sister company NGSConsulting, offers best of breed security consulting
services, specialising in application, host and network security
assessments.

http://www.ngssoftware.com/
Telephone +44 208 401 0070
Fax +44 208 401 0076
enquiries@ngssoftware.com

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au and
we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting on
information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made.
If downloading at a later date, it is recommended that the bulletin is
retrieved directly from the author's website to ensure that the information
is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBQHH7wCh9+71yA2DNAQKfUwP/XqfF9J4984rr+hHzbHqCIec6mbVZU9zX
/X3tiO8nz9GqIZ0HgLufHfZtMczRD43M634Nglo5elOOFxTyGkRz+4cdSd1ZhnYr
FhqwvLMWFQr4CjzRLFdAjWvrb7MCBnC/c8PyFsVSOld+jbzj17zgfxbArfo/2VKA
QNcJtxIRJuI=
=wJTZ
-----END PGP SIGNATURE-----
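The Details section above makes two points a defender can act on: the plug-in identifies a module file by its content rather than its extension, so any extension-based filter is blind to it, and the loader trusts length fields in the file without checking them against the data actually present. The following C program is an added example written for this page; it is not code from Winamp, 'in_mod.dll' or NGSS and does not reproduce the advisory's bug. It shows a content-based probe for Fasttracker 2 headers that applies the boundary checks the advisory says were missing: every file-supplied count is validated against the buffer before it is used as a copy size or an offset. The field offsets follow the published XM 1.04 header layout (17-byte ID text, 20-byte module name, 0x1A, 20-byte tracker name, version, header size, song length, and a 256-byte pattern order table at offset 80); the status codes, limits, struct and function names are this example's own, and the sample file it builds is constructed, not a real module.

```c
/* Added example (not Winamp, in_mod.dll or NGSS code): a bounds-checked
 * probe for Fasttracker 2 (.xm) headers.  Field offsets follow the public
 * XM 1.04 layout; the limits, status codes and names are this example's. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define XM_MAGIC      "Extended Module: "   /* 17-byte ID text at offset 0 */
#define XM_MAGIC_LEN  17
#define XM_HDR_BASE   60                    /* header_size is counted from here */
#define XM_HDR_FIXED  20                    /* fixed fields between offsets 60 and 80 */
#define XM_ORDER_MAX  256                   /* pattern order table at offset 80 */
#define XM_MIN_FILE   (XM_HDR_BASE + XM_HDR_FIXED + XM_ORDER_MAX)   /* 336 */

enum xm_status {
    XM_OK = 0,
    XM_NOT_XM,           /* no XM signature in the bytes, whatever the extension says */
    XM_TRUNCATED,        /* a length field points past the end of the data */
    XM_BAD_HEADER_SIZE,  /* header_size smaller than the fixed fields it must cover */
    XM_BAD_SONG_LENGTH   /* song_length larger than the 256-entry order table */
};

struct xm_info {
    char     module_name[21];
    uint16_t version, song_length, num_channels, num_patterns, num_instruments;
    uint32_t header_size;
    uint8_t  order[XM_ORDER_MAX];
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Content sniff.  A gateway filter must do this too: the advisory notes the
 * plug-in ignores the extension and tries every loader on the bytes. */
int xm_looks_like_xm(const uint8_t *buf, size_t len)
{
    return len >= 38 && memcmp(buf, XM_MAGIC, XM_MAGIC_LEN) == 0 && buf[37] == 0x1A;
}

/* Every length taken from the file is checked against the data present
 * before it is used as an offset or a copy count. */
enum xm_status xm_probe(const uint8_t *buf, size_t len, struct xm_info *out)
{
    memset(out, 0, sizeof *out);
    if (!xm_looks_like_xm(buf, len))  return XM_NOT_XM;
    if (len < XM_HDR_BASE + 4)        return XM_TRUNCATED;

    uint32_t hsize = rd32(buf + XM_HDR_BASE);
    if (hsize < XM_HDR_FIXED)         return XM_BAD_HEADER_SIZE;
    if (hsize > len - XM_HDR_BASE)    return XM_TRUNCATED;   /* len - 60 >= 4 here */

    uint16_t song_length = rd16(buf + 64);
    /* The classic trap: a count read from the file used to size a copy into a
     * fixed buffer.  Reject it before the memcpy, never discover it after. */
    if (song_length > XM_ORDER_MAX)           return XM_BAD_SONG_LENGTH;
    if (song_length > hsize - XM_HDR_FIXED)   return XM_TRUNCATED;  /* orders lie inside header */

    memcpy(out->module_name, buf + 17, 20);
    out->module_name[20] = '\0';
    out->version         = rd16(buf + 58);
    out->header_size     = hsize;
    out->song_length     = song_length;
    out->num_channels    = rd16(buf + 68);
    out->num_patterns    = rd16(buf + 70);
    out->num_instruments = rd16(buf + 72);
    memcpy(out->order, buf + 80, song_length);   /* bounded by the checks above */
    return XM_OK;
}

/* Builds a constructed XM header (not a real-world file) so the probe runs
 * offline; song_length and header_size are caller-chosen so bad values can be fed in. */
size_t xm_make_sample(uint8_t *buf, size_t cap, uint16_t song_length, uint32_t header_size)
{
    if (cap < XM_MIN_FILE) return 0;
    memset(buf, 0, XM_MIN_FILE);
    memcpy(buf, XM_MAGIC, XM_MAGIC_LEN);
    memcpy(buf + 17, "constructed sample  ", 20);
    buf[37] = 0x1A;
    memcpy(buf + 38, "example tracker     ", 20);
    wr16(buf + 58, 0x0104);                 /* version */
    wr32(buf + 60, header_size);
    wr16(buf + 64, song_length);
    wr16(buf + 68, 8);                      /* channels */
    wr16(buf + 70, 1);                      /* patterns */
    wr16(buf + 72, 1);                      /* instruments */
    wr16(buf + 76, 6);                      /* default tempo */
    wr16(buf + 78, 125);                    /* default BPM */
    for (int i = 0; i < XM_ORDER_MAX; i++) buf[80 + i] = (uint8_t)(i % 4);
    return XM_MIN_FILE;
}

/* Build a sample, optionally cut it short (truncate_to > 0), and probe it. */
enum xm_status xm_check_sample(uint16_t song_length, uint32_t header_size,
                               size_t truncate_to, struct xm_info *out)
{
    uint8_t buf[XM_MIN_FILE];
    struct xm_info scratch;
    size_t n = xm_make_sample(buf, sizeof buf, song_length, header_size);
    if (truncate_to && truncate_to < n) n = truncate_to;
    return xm_probe(buf, n, out ? out : &scratch);
}

int main(void)
{
    struct xm_info info;
    printf("well-formed       -> %d\n", xm_check_sample(4, 276, 0, &info));
    printf("  channels=%u orders=%u\n", (unsigned)info.num_channels, (unsigned)info.song_length);
    printf("song_length 300   -> %d\n", xm_check_sample(300, 276, 0, NULL));
    printf("header_size huge  -> %d\n", xm_check_sample(4, 0x7fffffffu, 0, NULL));
    printf("file cut to 100 B -> %d\n", xm_check_sample(4, 276, 100, NULL));
    return 0;
}
```

Note that `xm_looks_like_xm` is what a mail or web gateway would apply to every attachment regardless of name, and that `xm_probe` refuses a file as soon as a header-supplied size disagrees with the bytes present, rather than allocating or copying first and finding out at the access violation.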