Slashdot Mirror


WinXP and WinAmp Vulnerable to Malicious MP3s

mypenwry writes "Foundstone, a Mission Viejo, CA security services company, is reporting several vulnerabilities that would allow malicious code embedded in MP3 and WMA files to be executed via WinXP and WinAmp. WinAmp versions 2.81 and 3.0 are vulnerable to buffer overflows via certain long ID3v2 tags when MP3 files are loaded. More troubling is the WinXP vulnerability: a buffer overflow exists in Explorer's automatic reading of MP3 or WMA (Windows Media Audio) file attributes in Windows XP. An attacker could create a malicious MP3 or WMA file that, if placed in an accessed folder on a Windows XP system, would compromise the system and allow for remote code execution. The MP3 does not need to be played; it simply needs to be stored in a folder that is browsed to, such as an MP3 download folder, the desktop, or a NetBIOS share. This vulnerability is also exploitable via Internet Explorer by loading a malicious web site. Explorer automatically reads file attributes regardless of whether or not the user actually highlights, clicks on, reads, or opens the file. Windows XP's Explorer will overflow if corrupted attributes exist within the MP3 or WMA file. Microsoft has issued a fix for this vulnerability. Nullsoft has posted fixed versions of WinAmp 2.81 and 3.0 on their web site."

6 of 498 comments

  1. Re:Buffer overflow yet again by Beryllium+Sphere(tm) · · Score: 5, Informative

    This isn't exactly what you're asking about, but to Microsoft's credit they have added a flag to the compiler which adds a "canary" to the stack to detect stack-smashing. Better, the flag is on by default.

    Changing "the way it handles buffers" is harder than it sounds. There's a huge amount of legacy code in shared DLLs, older operating systems and so on.

    If Microsoft asked me to recommend a global change, I'd tell them to go through the agony of implementing least-privilege throughout their entire system architecture. That would be sheer hell, but at least it would contain the damage from whatever next week's security hole turns out to be.

  2. Re:Buffer overflow yet again by NineNine · · Score: 5, Informative

    I dunno. Why doesn't Linux handle buffer overflows, also? There are always buffer overflow bugs in various apps, like Apache, the PHP mod, etc. Maybe there's no good way of doing it?

  3. I have to hand it to Bill on this by TerryAtWork · · Score: 5, Informative

    I was sent and installed the fix before I read about the vulnerability.

    --
    It's Christmas everyday with BitTorrent.

  4. Re:Affects more than you realize (ID3v1 vs. ID3v2) by GreenHell · · Score: 5, Informative

    You're exactly right.

    I think what the previous poster is thinking of is ID3v1 tags, which are located at the end of the MP3, so you don't get them until the MP3s finish downloading (and what's more, they have a fixed size so they're easy to check, but that's beside the point).

    Now, this bug involves ID3v2 tags. ID3v2 tags are located at the start of the MP3, which is why when you add one to an MP3 playing in Winamp you get a brief pause: it has to add it to the start of the file. Therefore, any MP3 with an ID3v2 tag will already have the potential of compromising you by the time it's downloaded enough to play part of the song if you preview them using Winamp.

    I don't know how Explorer checks file attributes on MP3s, but I'm assuming that you're already in danger by this time too.

    --
    "I won't mod you down - I feel the need to call you a twit explicitly, rather than by implication."

  5. Re:Versions?? by Edgewize · · Score: 5, Informative

    The file winamp.exe is exactly the same.

    As it should be. ID3 tags are handled by the in_mp3.dll plugin.

  6. Re:Pathetic by CynicTheHedgehog · · Score: 5, Informative

    A buffer overflow means that you take a variable location, such as char songName[255], and put enough data into that buffer to reach into the executable portion of the code in memory. Then, when some function returns, or execution branches, or something loops, part of that data will be at the address of the code that formerly handled the return, branch, or loop, and will get executed as if it were the next instruction.

    Any buffer lacking good bounds checking is subject to this.
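Added example, not from the story, from Foundstone, from Nullsoft or from any commenter: a small C program that puts the ID3v2 layout described in comment 4 (tag at the start of the file, header with a size field, then frames) next to the fixed-buffer overflow described in comment 6. It builds a constructed ID3v2.3 tag with one title (TIT2) frame, feeds it to an unchecked copy that trusts the frame size from the file, and to a parser that checks every length against the bytes actually present. `TITLE_BUF`, the canary layout, `build_tag`, `vulnerable_copy_hits_canary`, `id3v2_title_safe` and the `check_*` wrappers are all hypothetical names for this demo and are not Winamp's, Explorer's or in_mp3.dll's code.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size title buffer, the analogue of char songName[255] above. */
#define TITLE_BUF 32
#define CANARY "CANARY!"                       /* 8 bytes including the NUL */

static uint32_t be32(const uint8_t *p) {       /* ID3v2.3 frame sizes are plain big-endian */
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

static uint32_t syncsafe32(const uint8_t *p) { /* tag header size: 7 bits per byte */
    return ((uint32_t)(p[0] & 0x7f) << 21) | ((uint32_t)(p[1] & 0x7f) << 14) |
           ((uint32_t)(p[2] & 0x7f) << 7)  |  (uint32_t)(p[3] & 0x7f);
}

/* Construct a minimal ID3v2.3 tag: 10-byte header, one TIT2 frame, ISO-8859-1 text.
   Sample data for this demo; returns the total length, or 0 if it does not fit in cap. */
size_t build_tag(uint8_t *dst, size_t cap, const char *title, size_t n) {
    uint32_t fsize = (uint32_t)(n + 1);         /* encoding byte + text */
    uint32_t body  = 10 + fsize;                /* everything after the tag header */
    if (n > 0x0ffffff0 || 10 + (size_t)body > cap) return 0;
    dst[0] = 'I'; dst[1] = 'D'; dst[2] = '3'; dst[3] = 3; dst[4] = 0; dst[5] = 0;
    dst[6] = (body >> 21) & 0x7f; dst[7] = (body >> 14) & 0x7f;
    dst[8] = (body >> 7) & 0x7f;  dst[9] = body & 0x7f;
    memcpy(dst + 10, "TIT2", 4);
    dst[14] = (uint8_t)(fsize >> 24); dst[15] = (uint8_t)(fsize >> 16);
    dst[16] = (uint8_t)(fsize >> 8);  dst[17] = (uint8_t)fsize;
    dst[18] = 0; dst[19] = 0;                   /* frame flags */
    dst[20] = 0;                                /* text encoding 0 = ISO-8859-1 */
    memcpy(dst + 21, title, n);
    return 10 + body;
}

/* The vulnerable pattern: the copy length comes straight from the frame header and the
   destination is a fixed buffer. The "stack" is modelled as one array holding the title
   buffer followed by a canary so the overwrite is observable without undefined behaviour.
   The clamp to sizeof stack exists only to keep this demo inside the array; the real code
   had nothing stopping the write from running on into the saved return address.
   Returns 1 if the canary was overwritten. */
int vulnerable_copy_hits_canary(const uint8_t *text, uint32_t n) {
    unsigned char stack[TITLE_BUF + sizeof CANARY];
    memset(stack, 0, sizeof stack);
    memcpy(stack + TITLE_BUF, CANARY, sizeof CANARY);
    if (n > sizeof stack) n = sizeof stack;     /* demo-only guard, see above */
    memcpy(stack, text, n);                     /* no check against TITLE_BUF */
    return memcmp(stack + TITLE_BUF, CANARY, sizeof CANARY) != 0;
}

/* Hardened parser: every length read from the file is checked against the bytes actually
   present, and the copy is bounded by the destination (truncating, never overflowing).
   Text encoding is ignored here; that affects readability, not memory safety.
   Returns 0 on success (out NUL-terminated), -1 not an ID3v2.3 tag, -2 a length in the
   tag runs past the data, -3 no TIT2 frame. */
int id3v2_title_safe(const uint8_t *buf, size_t len, char *out, size_t outlen) {
    if (outlen == 0) return -1;
    out[0] = '\0';
    if (len < 10 || memcmp(buf, "ID3", 3) != 0 || buf[3] != 3) return -1;
    if ((buf[6] | buf[7] | buf[8] | buf[9]) & 0x80) return -1;   /* syncsafe bytes < 0x80 */
    uint32_t tagsize = syncsafe32(buf + 6);
    if (tagsize > len - 10) return -2;          /* header promises more than we have */
    size_t pos = 10, end = 10 + tagsize;
    while (pos + 10 <= end) {
        const uint8_t *fr = buf + pos;
        if (fr[0] == 0) break;                  /* padding: no more frames */
        uint32_t fsize = be32(fr + 4);
        if (fsize > end - pos - 10) return -2;  /* frame runs past the tag */
        if (memcmp(fr, "TIT2", 4) == 0 && fsize >= 1) {
            size_t n = fsize - 1;               /* drop the text-encoding byte */
            if (n > outlen - 1) n = outlen - 1;
            memcpy(out, fr + 11, n);
            out[n] = '\0';
            return 0;
        }
        pos += 10 + fsize;
    }
    return -3;
}

/* Build a tag whose title is n bytes of 'A' and run it through the unchecked path.
   Returns 1 if the canary was clobbered, 0 if not, -1 if the tag could not be built. */
int check_unchecked_copy(size_t n) {
    uint8_t tag[256]; char title[256];
    memset(title, 'A', sizeof title);
    if (n > sizeof title || !build_tag(tag, sizeof tag, title, n)) return -1;
    const uint8_t *fr = tag + 10;               /* trusting walk: first frame, size as written */
    return vulnerable_copy_hits_canary(fr + 11, be32(fr + 4) - 1);
}

/* Same tag through the hardened parser, with `drop` trailing bytes withheld to simulate
   a truncated file. Returns the stored title length on success or the negative status. */
int check_safe_parse(size_t n, size_t drop) {
    uint8_t tag[256]; char title[256], out[TITLE_BUF];
    memset(title, 'A', sizeof title);
    size_t len = n <= sizeof title ? build_tag(tag, sizeof tag, title, n) : 0;
    if (len == 0 || drop > len) return -1;
    int rc = id3v2_title_safe(tag, len - drop, out, sizeof out);
    return rc == 0 ? (int)strlen(out) : rc;
}

int main(void) {
    printf("5-byte title:   unchecked hits canary=%d  safe=%d\n", check_unchecked_copy(5), check_safe_parse(5, 0));
    printf("100-byte title: unchecked hits canary=%d  safe=%d\n", check_unchecked_copy(100), check_safe_parse(100, 0));
    printf("truncated tag:  safe=%d\n", check_safe_parse(100, 50));
    return 0;
}
```

The 100-byte title is the "long ID3v2 tag" case: the unchecked copy runs through the 32-byte buffer into the canary, while the hardened parser stores the first 31 bytes and stops. The truncated case shows the other half of the check, a size field that promises more bytes than the file holds, which matters for the download-in-progress situation comment 4 raises.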