WinXP and WinAmp Vulnerable to Malicious MP3s
mypenwry writes "Foundstone, a Mission Viejo, CA security services company, is reporting several vulnerabilities that would allow malicious code embedded in MP3 and WMA files to be executed via WinXP and WinAmp. WinAmp versions 2.81 and 3.0 are vulnerable to buffer overflows via certain long ID3v2 tags when MP3 files are loaded. More troubling is the WinXP vulnerability: A buffer overflow exists in Explorer's automatic reading of MP3 or WMA (Windows Media Audio) file attributes in Windows XP. An attacker could create a malicious MP3 or WMA file that, if placed in an accessed folder on a Windows XP system, would compromise the system and allow for remote code execution. The MP3 does not need to be played; it simply needs to be stored in a folder that is browsed to, such as an MP3 download folder, the desktop, or a NetBIOS share. This vulnerability is also exploitable via Internet Explorer by loading a malicious web site. Explorer automatically reads file attributes regardless of whether or not the user actually highlights, clicks on, reads, or opens the file. Windows XP's Explorer will overflow if corrupted attributes exist within the MP3 or WMA file. Microsoft has issued a fix for this vulnerability. Nullsoft has posted fixed versions of WinAmp 2.81 and 3.0 on their web site."
I hope no one tells the RIAA about this. They will be putting landmines in P2P soon.
Jaysyn
There is a war going on for your mind.
This is all part of the Berman Bill.
psmylie's dictionary: Godzillion (noun) Any number large enough to destroy Tokyo
looks like listening to the newest Britney Spears album will result in more than just bad taste.
Mike
Why hasn't Microsoft just changed the way it handles buffers to eliminate the weekly discovery of yet another buffer overflow exploit that compromises security? It's obvious to just about everyone else that any buffer that doesn't ignore excessive input will be a problem in the future - why does Microsoft insist on treating each one of these issues as though it was a totally new problem instead of making a global change to secure the OS from this kind of hack?
Click the Windows Update button and reboot and you're fixed. Or if you're like many people, the fix has already installed during an automatic update check last night. This isn't really news unless Slashdot is merging with Bugtraq (Slashtraq? Bugdot?). Are we just posting this to bash Microsoft once again? Automatic updates were one of the best new features they added to Windows and they make life much easier. Oh and no, I don't wrap tinfoil around my head worrying whether Microsoft is going to invade my PC and lock me out of it.
You guys are all supposed to be using Ogg anyways! That way you can act like you are a snooty audiophile anytime an MP3 story is posted...
Strange women lying in ponds distributing swords is no basis for a system of government.
From Microsoft:
An attacker might attempt to exploit this in one of three ways:
* Host the file on a website. In this case, if a user were browsing the page containing the file and hovered over it with his or her mouse, the vulnerability could be exploited.
Eep!
* Host the file on a network share. In this case, if a user browsed to the network share and simply opened the folder which contained the file, it could cause the vulnerability to be exploited.
Gaah!
Also, it seems you can send an e-mail with the mp3 object in a frame (this is the third way of exploiting it) so you don't even need to click a link in Outlook / OE for it to be run. This shouldn't be possible on XP SP1 or a recently patched IE though.
Beware: In C++, your friends can see your privates!
That average person does not notice when a backdoor app is covertly installed on their machine. As long as the mp3 is actually what they wanted, chances are they will keep sharing it.
The even more dangerous part is that someone could be downloading mp3s and LOOKING for these trojans. And as soon as they find one, they can just go back to the IP of the machine they got the file from and have an instant DDOS zombie!
Or even better, if I am an RIAA employed disturber-of-the-peace, I could create a bunch of these trojaned mp3s, share them, and then whenever someone downloads one from my machine I could instantly use the backdoor to destroy their music collection. (But I'm sure the RIAA has already thought of that.)
All file formats are safe, it's just the programs that read them.
Oh, just kidding. :)
:)
I would like to ask for factually-based opinions whether these innumerable highly dangerous security holes in MS software are more the result of the ingenuity of the hackers or the incompetence of the Microsoft design and testing process, or about 50:50. I am inclined to be prejudiced against Microsoft, so I would be REALLY interested in hearing reasoned defenses of their predicament, if such exist.
So, please, no MICROSOFT RULZ!!! or MICROSOFT SUX!!! I'm not asking for a vote.
Microsoft provides the #1 small-system OS, for better or worse, which means Windows will immediately be the hot target for black-hat types intent on spreading misery or demonstrating their hatred for the leviathan.
I know, too, that half the problem has been MS's arguably foolhardy decisions in adding dubious extensions to their software, like default enabling scripting in Outlook and macros in Word. But I'm kind of curious about the mistakes in doing their core work, like handling MP3's.
Last, I have trouble understanding how so many of these bugs come from a company with many of the brightest programmers. Is it largely a problem of scale and bureaucracy?
Share your concise insightful informative nonprofane fact-based reactions from experience?
Nullsoft has posted fixed versions of WinAmp 2.81 and 3.0 on their web site."
Is there a reason they haven't released a new version with the bugfix instead of just uploading a new copy with the _same release number and date_? Both versions are listed as released in early or middle August, and there's no bugfixes listed anywhere on the site in regards to this. Are they trying to hide that it's been fixed, or just don't want anyone to figure it out?
Interested in open source engine management for your Subaru?
I don't think so. I know people who download a lot of stuff, and if you have it set up to download 100 MP3s overnight, your system could be compromised by morning. Are you going to listen to those 100 MP3s first thing in the morning?
The kicker is that the odds you get compromised go up greatly if someone seeds Kazaa, or even a web page, with an infected MP3 file. They can see who is downloading it so they know the IP to attack. On a web page, they could get your IP out of the logs. I never thought an MP3 file would leave a system vulnerable, but I guess that is why this is a pretty scary vulnerability - nobody else would either.
My beliefs do not require that you agree with them.
I was sent and installed the fix before I read about the vulnerability.
It's Christmas everyday with BitTorrent.
Tools->Folder Options
set Web View to "Use Windows Classic Folders"
I've always done this, having never trusted 'web content' in any folder I browse to (nor needing the extra overhead it causes drawing thumbnails of bitmaps and whatnot)
I believe any Windows that's upgraded to Media Player 7.1 and/or IE6 would be vulnerable, not just XP?
I don't need no instructions to know how to rock!!!!
You're exactly right.
I think what the previous poster is thinking of is ID3v1 tags, which are located at the end of the MP3, so you don't get them until the MP3s finish downloading (and what's more, they have a fixed size so they're easy to check, but that's besides the point)
Now, this bug involves ID3v2 tags. ID3v2 tags are located at the start of the MP3, which is why when you add one to an MP3 playing in Winamp you get a brief pause, it has to add it to the start of the file. Therefore, any MP3 with an ID3v2 tag will already have the potential of compromising you by the time it's downloaded enough to play part of the song if you preview them using Winamp.
I don't know how Explorer checks file attributes on MP3s, but I'm assuming that you're already in danger by this time too.
"I won't mod you down - I feel the need to call you a twit explicitly, rather than by implication."
That's a feeble excuse for switching to Vorbis regardless of the merits of this format. It's like saying "They found vulnerabilities in Apache so I'm gonna change my webserver to something else"
I'm sure there are exploitable buffer overflows in Vorbis too but as the format is so little used (relatively), hackers ain't looking for them. The day Vorbis is more popular than mp3 is the day the hackers change what they're targeting.
seany
And I thought Nimda was bad.
When all of the college students here on campus had read/write shares on the network, Nimda spread at an alarming rate, especially since WinXP Home decided that you SHOULD have your Shared Documents folder open for read/write access after running one of those networking wizards.
I could only imagine the hell a modified Nimda would be if it can now infect mp3 files. It wouldn't even have to spread infected .eml files anymore. You would just see a new MP3 in your read/write network share with thousands of other MP3's so you would never find it and it would infect all of your MP3's in your read/write network share. Once you open the folder to pick a song it runs and infects all of your mp3's on the PC, then goes out and proceeds to infect every mp3 it can write to on the network that has read/write shares and the process starts all over again while it formats your hard drive 7 days later.
:P
It's the RIAA Dream come true
In Soviet Russia, Trojan exploits YOU!
There's a running joke where I work that it is not officially Thursday until the Microsoft exploit of the week is released (of late this seems to happen on Thursday).
So, why not make it official - I propose
Operation: So Happy It's Thursday
What I recommend is that everybody who finds an exploit in Windows release it on Thursday.
NOTE: be fair - a bug in a Windows APP that is not a part of Windows doesn't count - so the bug in Winamp doesn't count, but the bug in the Windows shell does.
www.eFax.com are spammers
By overflowing a buffer on the stack, it's possible to maliciously change a particular piece of information (the function call return address) to cause the program to jump to a new piece of code: the code you just overflowed the buffer with!
Stack overflow exploits are very common because programmers often declare fixed-length buffers as stack variables and are too lazy to perform proper checking to make sure data never overflows the buffer. This problem in WinAmp is no different than any other buffer overflow, it's just much more severe due to its widespread use.
It's good that I have linux since it **never** has buffer overflows. Nor does any other open source software.
this is not a sig
Snooty audiophiles won't like FLAC, either.
A snooty audiophile sneers at any form of digitization - "You aren't getting all of the music - Yes, I know you are sampling at 1GHz, 64 bits per sample, but you aren't getting all the music! Only analog gets all the music! I don't care that what you are missing wouldn't amount to the width of a hydrogen atom on my beloved LP - YOU AREN'T GETTING ALL THE MUSIC"
That's what a snooty audiophile would say.
www.eFax.com are spammers
Apparently the current underground favorite audio player for Windows is foobar2000, which was written by a former Nullsoft developer (Peter P. aka zZzZzZz). It supports mp3, ogg, ape, flac, mpc, and, relevant to the article, has abandoned ID3V2 support in favor of APEV2 tags. (And it's been suggested that the source will be released in the near future.) Supposedly the audiophile geeks at hydrogenaudio.org can hear quality improvements over Winamp, although even the developer suggests that it's probably a placebo effect.
Just don't expect too much; it's a very minimalist GUI (what mean these "skinz" of which you speak?), and doesn't support Win9x/NT4.
There's also a support forum for the player.
OK class, has anyone figured this out yet?
Buffer overflows are bad.
It is easy to STOP buffer overflows just by using SAFE strcpy functions that don't blindly copy past the end of a buffer.
Since we've known this for many many years, why do programmers still USE dumb functions that allow buffer overflows?!
Hey Microsoft, since you are spending so much on improving security, I have a hint for you. Print this out and make all your programmers pin it on their cubicles walls:
BAD: strcpy
GOOD: strncpy
- For the complete works of Shakespeare: cat
20 Print "Bill Gates laughs as he rolls about with his concubines!"
30 Print "Prepare for judgement!"
40 Input "Press any key";A$
50 If A$="AnyKey" Then fucksomeshitup;
60 W00t: Poke InChest;
70 Run "BSOD.exe -Playfile BritneySpears,HitMeOneMoreTime"
80 Print "This is what it sounds like when doves cry! Bwahaha!"
90 Goto 10
You should be able to find this on SourceForge too.
A buffer overflow means that you take a variable location, such as char songName[255], and put enough data into that buffer to reach into the executable portion of the code in memory. Then, when some function returns, or execution branches, or something loops, part of that data will be at the address of the code that formerly handled the return, branch, or loop, and will get executed as if it were the next instruction.
Any buffer lacking good bounds checking is subject to this.
but I really could have done without the mental image you just gave me! Worse than goatse. ugh.
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
Which brings me to a slightly off-topic question (but not that far off-topic): won't it take just a single compromised DRM file on whatever platform to completely send the whole DRM concept -- at least the generation with the single compromised file -- down the toilet?
I mean, it would seem to me that Microsoft's DRM -- or DRM in general -- is based somewhat on "human" trust. Once that trust is abrogated -- just once -- the whole thing spirals into a "well, it's still pretty secure" type of situation -- and then spirals into "wait'll next generation's DRM. It'll be secure as hell."
I know no crypto scheme is 100% -- at least in theory -- but because the consumer/DRM stuff is being built up and hyped so much lately, it seems that its potential -- potential for complete security, potential for complete failure -- far outstrips the more practical, usability/crackability aspects.
And then I wonder: once this sort of consumer/DRM is launched mainstream, it'll become -- eventually -- embedded into the economic model for distribution. But once this DRM stuff is cracked or broken or whatever happens, the DRM itself will fall apart, as well the economic model. And companies who go balls-out to invest in this stuff -- and work hard to secure the "human" trust aspect of it -- will be in dire, dire straits -- economically, technologically, you name it.
DRM is like a massive WMD waiting to be let loose. Its failure -- assuming it fails at least once a generation -- will sink more companies than I think anyone realizes.
Just some thoughts.
Hint, this code is buggy:
char buf[1024];
strncpy(buf, big_ass_string, sizeof buf);
strncpy doesn't bother adding a null-terminator in the case where big_ass_string is too big. Most people don't realize that they have to do all of this to be safe with strncpy:
strncpy(buf, big_ass_string, sizeof buf - 1);
buf[sizeof buf - 1] = '\0';
The real solution is to use a function that doesn't have such crappy behavior: strlcpy
strlcpy(buf, big_ass_string, sizeof buf);
It always does null-termination. You never have to lie to it about the size of your string. Same goes for strncat (bad) and strlcat (good). Thank the OpenBSD developers for these. They are very useful in avoiding overflows when you don't have the option of using C++ and the string class.
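The fixed-buffer overflow described a few comments up (a char songName[255] filled straight from a tag) and the strncpy/strlcpy point made here, as an added example written for this page rather than taken from Winamp, Explorer or any poster: a bounds-checked reader for the ID3v2.3 title frame an MP3 carries at its start, which rejects a frame whose claimed length runs past the tag instead of trusting it. Assumed: the ID3v2.3 layout (10-byte header with a syncsafe size, then frames of 4-byte ID, 4-byte big-endian size, 2 flag bytes, an encoding byte and text); the sample tags are constructed by make_tag, and copy_bounded is a local strlcpy-style helper because not every libc ships strlcpy.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Copy srclen bytes into dst, never past dstsize-1, always NUL-terminate.
 * Returns srclen so the caller can detect truncation (srclen >= dstsize). */
static size_t copy_bounded(char *dst, size_t dstsize, const uint8_t *src, size_t srclen) {
    size_t n = srclen < dstsize - 1 ? srclen : dstsize - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return srclen;
}

/* Read the TIT2 (title) frame of an ID3v2.3 tag at the start of buf into a fixed
 * title buffer.  Returns -1 no/bad header, -2 a frame claims more bytes than the
 * tag holds, 0 no title, 1 title copied, 2 title truncated to fit tsize.
 * Only ISO-8859-1 text (encoding byte 0) is handled. */
static int read_id3v2_title(const uint8_t *buf, size_t len, char *title, size_t tsize) {
    if (len < 10 || memcmp(buf, "ID3", 3) != 0 || buf[3] != 3) return -1;
    /* Tag size is "syncsafe": four 7-bit bytes, high bit clear. */
    size_t tag = ((size_t)(buf[6] & 0x7f) << 21) | ((size_t)(buf[7] & 0x7f) << 14)
               | ((size_t)(buf[8] & 0x7f) << 7)  |  (size_t)(buf[9] & 0x7f);
    if (tag > len - 10) return -1;                 /* header claims more than we have */
    size_t pos = 10, end = 10 + tag;
    while (pos + 10 <= end) {
        if (buf[pos] == 0) break;                  /* zero padding: no more frames */
        size_t fsize = ((size_t)buf[pos + 4] << 24) | ((size_t)buf[pos + 5] << 16)
                     | ((size_t)buf[pos + 6] << 8)  |  (size_t)buf[pos + 7];
        if (fsize > end - (pos + 10)) return -2;   /* the long-tag case: reject it */
        if (memcmp(buf + pos, "TIT2", 4) == 0 && fsize >= 1 && buf[pos + 10] == 0) {
            size_t n = copy_bounded(title, tsize, buf + pos + 11, fsize - 1);
            return n >= tsize ? 2 : 1;
        }
        pos += 10 + fsize;
    }
    return 0;
}

/* Constructed tag builder for the demo (not real file data): one TIT2 frame.
 * forged != 0 makes the frame header claim that many bytes while only
 * strlen(text)+1 are actually present, the shape of a malicious tag. */
static size_t make_tag(uint8_t *out, const char *text, uint32_t forged) {
    size_t body = strlen(text) + 1, total = 10 + body;
    uint32_t claim = forged ? forged : (uint32_t)body;
    memcpy(out, "ID3\x03\x00\x00", 6);
    out[6] = (uint8_t)((total >> 21) & 0x7f); out[7] = (uint8_t)((total >> 14) & 0x7f);
    out[8] = (uint8_t)((total >> 7) & 0x7f);  out[9] = (uint8_t)(total & 0x7f);
    memcpy(out + 10, "TIT2", 4);
    out[14] = (uint8_t)(claim >> 24); out[15] = (uint8_t)(claim >> 16);
    out[16] = (uint8_t)(claim >> 8);  out[17] = (uint8_t)claim;
    out[18] = out[19] = out[20] = 0;               /* frame flags, then encoding 0 */
    memcpy(out + 21, text, body - 1);
    return 10 + total;
}

/* Honest tag, forged oversize frame, and a title longer than the 16-byte
 * buffer: the reader must accept, reject and truncate respectively. */
static int demo(void) {
    uint8_t tag[128]; char title[16];
    size_t n = make_tag(tag, "Oops", 0);
    int ok = read_id3v2_title(tag, n, title, sizeof title) == 1 && strcmp(title, "Oops") == 0;
    n = make_tag(tag, "Oops", 0x7fffffffu);
    ok = ok && read_id3v2_title(tag, n, title, sizeof title) == -2;
    n = make_tag(tag, "A title far longer than sixteen bytes", 0);
    ok = ok && read_id3v2_title(tag, n, title, sizeof title) == 2 && strlen(title) == 15;
    return ok;
}
```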
My advisor, DL Mills (the guy who invented NTP), said something a while back which this article somewhat reminds me of. He said that back in the day, people wrote operating systems in assembly. But the thing is, they just got way too f****** big and couldn't be maintained, even with the best of care. He said that today's operating systems are getting to that point as well, and maybe it's time for a new level of abstraction. Stuff like exception handling (among which automated buffer checking should be one), garbage collection, etc, should be built into the language, and leave the programmer to concentrate on more important things.
So my question is, does anyone have any idea what this "new level of abstraction" might be?
To make laws that man cannot, and will not obey, serves to bring all law into contempt.
--E.C. Stanton
All file formats are safe, it's just the programs that read them.
The correct phrasing of that is: File formats don't kill programs. Programs kill programs.
So close and yet so far from the world's perfect ID number
Feeding this to Google produced 11,000 hits, with over half of the first ten being for commercial or academic systems that claim to detect potential buffer overflow code automatically. I doubt any of them is 100% accurate, but even 50% combined with "shut-up-this-code-is-safe" pragmas would be an improvement over the current situation.
Buying or installing one of these tools and running all their source code through it as part of development would cost Microsoft less than they spend on caffeinated liquids, and would pay for itself with the first potential exploit caught before shipment.
I can only ascribe people's refusal to try these tools to programmer hubris - "MY code can't be understood by a mere code analyzer".
I am rashly assuming here that Microsoft doesn't use tools like this. If anyone out there knows differently, please reply.
To a Lisp hacker, XML is S-expressions in drag.
A long time ago, you could destroy your files and have a very bad day by using that floppy from your friend that had creeping crud on it.
Shortly thereafter, your files were potentially at risk from files that you spent all day downloading from a BBS. Fairly soon after that, a malicious file could sneak onto your hard drive and cause mischief once FTPed from the Internet at a bit higher of a rate. In each case, you pretty much had to type the name of the file to run it.
Enter the world of Windows. Now running the file gets a hell of a lot easier, just a few points and clicks. And obtaining those lovely infected files gets a lot easier with the faster Internet connections and new "killer apps" like Usenet, e-mail, and the World Wide Web gaining in popularity. In less than a year, these files gain literally thousands of new vectors.
Then it becomes possible to pick up an infection by receiving a file via e-mail inside a program that loves to muck about with files before you run them by, er... running them. The only user interaction required is hitting the "send/receive" button.
After that, malicious files no longer need to be files. They can be specially formatted e-mails, and all you need to do is preview them -- you don't even have to read them -- in order to get smacked by the latest nasty bug.
Don't feel e-mail is safe? Well, it wouldn't matter if you stopped using it entirely, the creeping crud will still get in if you click on a link on the Web. And as if the front door didn't put up a paper-thin defense, the back door will allow malware to slip in via Web server software, file shares, file transfer servers, and even instant messaging.
Now what do we have?
A malicious file you only have to point at for a moment to get an infection.
You've come a long way, baby.
Really? Where's the bug report? I don't see anything on bugs.xmms.org.
Sorry for sounding like an a-hole, but an AC exclaiming a bug in a product, no follow up on the product's web site, and no other info sounds very suspect to me.
-Ducky
That is why audiophiles use "oxygen-free copper wires with authentic virgin yak wool insulation, cryogenically treated to release signal-distorting sub-micron strain! A steal at $300/ft! Act now, and we will throw in our patented Feng Shui turntable stones - five of these will disgronificate your turntable! Normally $150 each, but a steal at $800 for a set!"
Bah, $300/ft? Are you kidding?
From Purist Audio Design:
-------
Dominus Speaker Cables (1.5 Meter)
Stereo pair of Speaker cables with fluid jacket. For more information on product, see the Product Page. Item weight per pair is 14.0 lbs.
Price each: $10,460.00
-------
So, that's about $2500/ft.
Bwhaahaahahahaha!! /me wipes eyes.
And for the record, I am not an "audiophile". I'm an audio and broadcasting engineer.
-T