####################################################################### Luigi Auriemma Application: Winamp http://www.winamp.com and http://classic.winamp.com Versions: Winamp 2.91 using IN_MIDI.DLL 3.01 (Winamp 3 crashes but I have not found methods to execute code) Platforms: Windows Bugs: Code execution through malformed MIDI files Risk: medium/high (exploitation has some limits) Author: Luigi Auriemma e-mail: aluigi@pivx.com web: http://aluigi.altervista.org ####################################################################### 1) Introduction 2) Bug 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== Winamp is probably the most famous media player for Win32 systems. It supports a great amount of media formats moreover because a lot of users write plugins for this really cool program. A funny anecdote about the bug I have found is that I found it almost 9 months ago (beginning of January 2003) but I thought it was nothing of interesting and I forgot it on my hard-disk for a lot of time... ####################################################################### ====== 2) Bug ====== Winamp 2.91 uses a default plugin called IN_MIDI.DLL used to play MIDI files. The versions prior and equal to the 3.01 of this plugin let an attacker to execute code on a victim simply setting the "Track data size" value of a MIDI file to 0xffffffff. Example: 4 bytes MIDI Header "MThd" 4 bytes Header data size 00000006 2 bytes Format 0000 2 bytes Number of tracks 0001 2 bytes Divisions 0001 4 bytes Track Header "MTrk" 4 bytes Track data size ffffffff <--- bug ... "aaaaaaaaaaaaaaaaaaaaa..." <--- fun An important thing (and also the only limit for the attacker) is that doesn't exist only one method to exploit this vulnerability because the effects change about how the user opens the file and what MIDI device he use: drag'n'drop, normal file opening, midiOut and DirectMusic. Then another note is that the code execution doesn't happen ever in the same moment that the file is opened or played, in fact it can happen after the second exception or when you close Winamp (also these effects depend by the 4 options before). Winamp3 seems partially vulnerable but I have not found a method to overwrite the return address or to pass my custom address to the instructions flow. ####################################################################### =========== 3) The Code =========== No exploit. ####################################################################### ====== 4) Fix ====== Nullsoft has been contacted a lot of time for over one month but nobody has given me an answer or has patched the MIDI plugin. However the effects of the bug limit the exploitation so if you use Winamp, simply play MIDI files with another player until a patch will be released. #######################################################################