CVE-2005-3188
CVSS7.6
Published: 2005-12-31 00:00:00
Revised: 2017-07-10 21:33:06

[Original] Buffer overflow in Nullsoft Winamp 5.094 allows remote attackers to execute arbitrary code via (1) an m3u file containing a long line ending in .wma or (2) a pls file containing a long File1 value ending in .wma, a different vulnerability than CVE-2006-0476.


[CNNVD] Winamp malformed m3u/pls file field value arbitrary code execution vulnerability (CNNVD-200512-645)

        Winamp is a popular Windows media player that supports many audio/video file formats.
        Winamp's handling of playlist files contains a buffer overflow, which an attacker could exploit to execute arbitrary code on the user's machine. If an m3u or pls file contains a target filename ending in .wma and one of its information fields is given a malformed value, Winamp crashes and the attacker gains control of the EAX register, allowing arbitrary instructions to be executed. A remote attacker can exploit this vulnerability by luring a user into visiting a malicious page or link.

- CVSS (base score)

CVSS score: 7.6 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [the system may be completely shut down]
Access complexity: HIGH [exploitation requires specific access conditions]
Access vector: NETWORK [the attacker needs neither intranet nor local access]
Authentication: NONE [no authentication is required to exploit]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3188
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-3188
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200512-645
(official data source) CNNVD

- Other links and resources

http://securityreason.com/securityalert/397
(UNKNOWN)  SREASON  397
http://securitytracker.com/id?1015565
(PATCH)  SECTRACK  1015565
http://securitytracker.com/id?1015621
(VENDOR_ADVISORY)  SECTRACK  1015621
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=378
(VENDOR_ADVISORY)  IDEFENSE  20060201 Winamp m3u/pls .WMA Extension Buffer Overflow Vulnerability
http://www.securityfocus.com/bid/16462
(UNKNOWN)  BID  16462
https://exchange.xforce.ibmcloud.com/vulnerabilities/24417
(UNKNOWN)  XF  winamp-wma-ext-bo(24417)

- Vulnerability information

Winamp malformed m3u/pls file field value arbitrary code execution vulnerability
High severity  Buffer overflow
2005-12-31 00:00:00 2007-02-27 00:00:00
Remote

- Advisory and patch

        The vendor has released an upgrade that fixes this security issue; it can be obtained from:
        http://www.winamp.com/player/

- Vulnerability information (F43536)

iDEFENSE Security Advisory 2006-02-01.1 (PacketStormID:F43536)
2006-02-02 00:00:00
iDefense Labs,b0f  idefense.com
advisory
CVE-2005-3188

iDefense Security Advisory 02.01.06 - It has been found that a specially crafted m3u or pls file with a target filename having the .wma extension can crash Winamp giving the attacker control over the EAX register. The vulnerability appears to have been silently fixed in Winamp 5.11.

Winamp m3u/pls .WMA Extension Buffer Overflow Vulnerability

iDefense Security Advisory 02.01.06
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=378
February 1, 2006

I. BACKGROUND

Winamp is a popular media player for Windows which supports many
audio/video file formats.

More information can be obtained from the vendors site at:

 http://winamp.com/player/

II. DESCRIPTION

It has been found that a specially crafted m3u or pls file with a
target filename having the .wma extension can crash Winamp giving the
attacker control over the EAX register.

Example m3u file format:

#EXTM3U
#EXTINF:,VULN
AAAA[...]AA.wma

Example pls file format:

[playlist]
numberofentries=5
File1=AAAA[...]AA.wma
Title1=
Length5=-1
Version=2

III. ANALYSIS

When Winamp is installed it registers the m3u and pls extensions so that
such files will automatically open in Winamp. This exploit can be
triggered by clicking on a link in a web page, or through the use of
malicious javascript.

The crash occurs in the Winamp module with the following instructions:

mov edx, [eax]
call [edx+24]

The number of characters that can be injected is limited. With control
of the EAX register injected into the above code, meaningful
shellcode execution is possible.

IV. DETECTION

This vulnerability has been verified in version 5.094 of Winamp.

V. WORKAROUND

Removing the file mapping for m3u and pls files to Winamp should
mitigate the risk of exploitation.

VI. VENDOR RESPONSE

The vendor has not responded to communication regarding this
vulnerability.

The vulnerability appears to have been silently fixed in Winamp 5.11.
Version 5.13 is now available for download at:

  http://www.winamp.com/player/

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2005-3188 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

10/12/2005 Initial vendor notification
02/01/2006 Coordinated public disclosure

IX. CREDIT

This vulnerability was discovered by b0f.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright (c) 2006 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
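The advisory above shows the m3u and pls layouts that carry the over-long .wma entry. The following is an added detection example, written for this page and not part of the iDefense advisory or of Winamp: it parses both playlist formats and flags entries that end in .wma and exceed a length limit. The limit MAX_PATH_LEN = 260 is an assumption (the Windows MAX_PATH value); the advisory does not state the exact overflow threshold, so treat it as a tunable. The sample playlists at the bottom are constructed for the example and modelled on the advisory's "AAAA[...]AA.wma" pattern.

```python
"""Flag over-long .wma entries in m3u / pls playlist files.

Added example for this page, not code from iDefense or Winamp. The parsers
follow the two layouts shown in the advisory: m3u lists one path per line
(lines starting with '#' are directives), pls stores paths under FileN= keys.
"""
import re
from typing import List, Tuple

# Assumption: 260 (Windows MAX_PATH) is a sane ceiling for a playlist entry;
# the advisory gives no exact overflow size, so tune this to taste.
MAX_PATH_LEN = 260

Entry = Tuple[int, str]          # (line number, entry text)
Finding = Tuple[int, str, int]   # (line number, truncated preview, length)

PLS_FILE_KEY = re.compile(r"^File(\d+)\s*=\s*(.*)$", re.IGNORECASE)


def parse_m3u(text: str) -> List[Entry]:
    """Return (line_no, path) for every non-empty, non-directive m3u line."""
    entries = []
    for no, line in enumerate(text.splitlines(), start=1):
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        entries.append((no, s))
    return entries


def parse_pls(text: str) -> List[Entry]:
    """Return (line_no, path) for every FileN= key in a pls file."""
    entries = []
    for no, line in enumerate(text.splitlines(), start=1):
        m = PLS_FILE_KEY.match(line.strip())
        if m:
            entries.append((no, m.group(2).strip()))
    return entries


def suspicious_entries(entries: List[Entry], max_len: int = MAX_PATH_LEN) -> List[Finding]:
    """Keep entries whose name ends in .wma (any case) and is longer than max_len."""
    findings = []
    for no, entry in entries:
        if entry.lower().endswith(".wma") and len(entry) > max_len:
            findings.append((no, entry[:32] + "...", len(entry)))
    return findings


def scan_playlist(text: str, max_len: int = MAX_PATH_LEN) -> List[Finding]:
    """Pick the parser from the first non-empty line ('[playlist]' means pls)."""
    first = next((l.strip() for l in text.splitlines() if l.strip()), "")
    entries = parse_pls(text) if first.lower() == "[playlist]" else parse_m3u(text)
    return suspicious_entries(entries, max_len)


# Constructed samples (not taken from the advisory): one benign playlist and
# two that mirror the advisory's over-long "AAAA[...]AA.wma" entry.
BENIGN_M3U = "#EXTM3U\n#EXTINF:,Track\nC:\\Music\\track01.wma\n"
LONG_M3U = "#EXTM3U\n#EXTINF:,VULN\n" + "A" * 1000 + ".wma\n"
LONG_PLS = (
    "[playlist]\nnumberofentries=1\nFile1=" + "A" * 1000 + ".wma\n"
    "Title1=\nLength1=-1\nVersion=2\n"
)

if __name__ == "__main__":
    for name, sample in (("benign.m3u", BENIGN_M3U), ("long.m3u", LONG_M3U), ("long.pls", LONG_PLS)):
        hits = scan_playlist(sample)
        print(f"{name}: {len(hits)} suspicious entries")
        for no, preview, length in hits:
            print(f"  line {no}: {length} chars: {preview}")
```

Running the module prints one finding each for the two long samples and none for the benign file. The extension check is case-insensitive because Windows path handling is, so a ".WMA" entry is caught as well as ".wma"; a real scanner would also want to open files as bytes and tolerate odd encodings, which this example leaves out.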



- Vulnerability information

22975
Winamp m3u/pls .wma Parsing Overflow
Remote / Network Access Denial of Service, Input Manipulation
Loss of Integrity, Loss of Availability

- Vulnerability description

A remote overflow exists in WinAmp. The application fails to perform proper bounds checking resulting in a buffer overflow. With a specially crafted '*.m3u' and/or '*.pls' file and an ending filename having the '*.wma' extension, a remote attacker can cause arbitrary code execution or the application to crash resulting in a loss of integrity and/or availability.

- Timeline

2006-02-01 Unknown
Unknown Unknown

- Solution

Upgrade to version 5.13 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author

- Vulnerability information

Nullsoft Winamp Malformed Playlist File WMA Extension Remote Buffer Overflow Vulnerability
Boundary Condition Error 16462
Yes No
2006-02-01 12:00:00 2006-02-07 08:55:00
This issue was discovered by Alan Mccaig (b0f) <b0fnet@yahoo.com>.

- Affected program versions

NullSoft Winamp 5.094
NullSoft Winamp 5.13

- Unaffected program versions

NullSoft Winamp 5.13

- Vulnerability discussion

Winamp is susceptible to a buffer-overflow vulnerability when handling specially crafted playlist files.
An attacker may exploit this issue to gain unauthorized access to a computer with the privileges of the user that activated the vulnerable application.

Winamp version 5.094 is reported susceptible to this issue; other versions may also be affected.

This issue is similar to the one described in BID 16410 (Nullsoft Winamp Malformed Playlist File Handling Remote Buffer Overflow Vulnerability), but they likely exist in differing code paths in the application.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- Solution

This issue has reportedly been silently fixed in version 5.13 of Winamp.

- Related references
