
Serious security flaw in Winamp versions 2.91 to 5.02.



Christopher


Please upgrade to Winamp 5.0.3.

Due to a lack of boundary checking within the code responsible for loading Fasttracker 2 ('.xm') mod media files by the Winamp media plug-in 'in_mod.dll', it is possible to make Winamp overwrite arbitrary heap memory and reliably cause an access violation within the ntdll.RtlAllocateHeap() function. When properly exploited this allows an attacker to write any value to a memory location of their choosing. In doing so, the attacker can gain control of Winamp's flow of execution to run arbitrary code. This code will run in the security context of the logged-on user.

NGSS researchers have proven that code execution is possible and that the malicious media file can be activated remotely simply by rendering a specially crafted HTML document.

It has also been discovered that the malicious file does not necessarily need to bear the extension '.xm'. This is due to the fact that 'in_mod.dll' will automatically determine which type of mod media file has been opened by performing certain tests on the file before attempting to load it. The testing is performed by passing the file through all the available loaders to see if one is able to handle it.

As a result of this the malicious file can have the extension of any of the supported module file types associated with the loaders in 'in_mod.dll' and still produce the same effect.

What you need to do:

Nullsoft have provided a fix for this issue. Winamp version 5.03 addresses the security issue discussed in this advisory. It can be obtained from the official website:

http://www.winamp.com/player/

To determine which version of Winamp you are currently using, load the player, right-click the main window and select the top-most menu item, 'Nullsoft Winamp...'.

In the new window which loads, make sure that the 'Winamp' tab is selected and look for the copyright information; underneath this should be the version information.

If you see a version and date matching 'v5.02 (x86) - Feb 4 2004' or older, it is highly recommended that you update as soon as possible.

If for some reason it is impossible to download the updated version of Winamp, the vendor has informed NGSS that it is possible to disable the handling of Fasttracker 2 module files by taking the following steps:

1. Right click the Winamp player, go to 'Options' and then to 'Preferences...'.

2. In the new window which loads, go to 'Plug-ins' and 'Input'.

3. Look for the input plug-in item 'Nullsoft Module Decoder' and double-click it to bring up the 'Nullsoft Module Decoder Preferences' window.

4. Select the 'Fasttracker 2' loader and deselect the 'Enabled' checkbox to the right of the loaders list.

5. Close all of the option windows and return to the main player.

Relevant links:

http://www.techworld.com/security/news/ind...cfm?NewsID=1343

http://www.nextgenss.com/advisories/winampheap.txt
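Because the loader is chosen by file content rather than extension, a filter that only looks for '.xm' will miss renamed files. The following is an added example, not part of the original post or the NGSS advisory: it flags any file whose leading bytes match the publicly documented Fasttracker 2 header (it identifies XM content, not whether a file is malformed). The function names and sample file names are constructed for illustration.

```python
import os
import tempfile

# Fasttracker 2 (XM) header layout, per the public XM format description:
# bytes 0-16 "Extended Module: ", bytes 17-36 module name, byte 37 = 0x1A.
XM_ID = b"Extended Module: "
XM_MARKER_OFFSET = 37
XM_HEADER_MIN = 38

def looks_like_xm(head):
    """Return True if the leading bytes carry the XM signature."""
    if len(head) < XM_HEADER_MIN:
        return False  # too short to hold the ID text and the 0x1A marker
    return head.startswith(XM_ID) and head[XM_MARKER_OFFSET] == 0x1A

def find_xm_files(root):
    """Walk root; return sorted relative paths of files with XM content."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(XM_HEADER_MIN)
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if looks_like_xm(head):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)

def demo():
    """Build constructed sample files in a temp directory and scan them."""
    xm_head = XM_ID + b"constructed sample".ljust(20) + b"\x1a" + b"\x00" * 22
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "song.xm": xm_head,    # XM content, expected extension
            "tune.mod": xm_head,   # XM content under another extension
            "notes.txt": b"Extended Module: truncated",  # ID text only
            "other.mod": b"\x00" * 64,                   # unrelated content
        }
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return find_xm_files(root)

if __name__ == "__main__":
    print(demo())
```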
