

In early June I reported several security vulnerabilities in Nullsoft's flagship product WinAmp to the devs. I received an amazingly fast answer from the WinAmp team acknowledging all reported security vulnerabilities. Only 5 days later I received a private build including fixes for nearly all reported issues, except one, but after sending a second exploit PoC the last issue was fixed quickly too.

By the way… I gave them a tough timeframe of 14 days for a reliable security update (Google-style, baby :-D), which is very minimalistic compared to the size of the code base! At first this was only meant to test whether a big vendor is able to hold such a timeline. And they did! They even produced it much faster, to my surprise. Great job, guys :-)! Other vendors should start to take a leaf out of their book!

All in all, among all the security flaws I have discovered and reported so far, the coordination process with Nullsoft was the most transparent and security-addicted one I ever had to deal with.

The first advisory consolidates and describes multiple buffer overflow conditions in different libraries of WinAmp. But the two bugs mentioned are completely different, and one of them is weighted a lot more heavily than the other. The first bug in CVE-2013-4694 is "remotely" exploitable, with a CVSSv2 score of 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)! But how, and where does one have to be careful?

The application loads the directories in %PROGRAMFILES%\WinAmp\Skins on startup to determine which skins have been installed, and to list them under the "Skins" menu item and in the Skins Browser. But the application does not properly validate the length of the directory name before passing it as an argument to a lstrcpynW call in the library gen_jumpex.dll, which leads to a buffer overflow condition with possible code execution.

Finally… the application uses a lstrcpynW call (yep, it's Unicode based) to basically work with the skin directory name, to identify it in the folder structure of WinAmp. Read this MS article to find out why this function can lead to dangerous behaviour:

A bad guy can send his victim a package containing an oversized directory name as the skin name (this is what the quotes around "remotely" stand for: the victim has to put the package into the Skins directory first):

The application calls the vulnerable function, which fills up the stack and finally RETs into the overwritten part of the stack.
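The misuse pattern behind a bug like this, as an added example that is neither WinAmp's code nor part of the original post: a portable C re-implementation of the lstrcpynW contract (not the Win32 function itself), a skin-name buffer of 32 wide characters (an assumed size; the real buffer size in gen_jumpex.dll is not given above) with a canary placed where the saved return address would sit, the vulnerable call that takes its length limit from the attacker-controlled source string, and the hardened call that checks the name against the destination size before copying. The function names, the buffer size and the sample names are all assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>

/* Assumed size of the fixed stack buffer receiving the skin directory name;
 * the page does not state the real size used in gen_jumpex.dll. */
#define SKIN_NAME_MAX 32
/* Room modelled above the buffer so the simulated overflow stays inside
 * one C array (no undefined behaviour while demonstrating the smash). */
#define SLACK 512
#define ARENA_LEN (SKIN_NAME_MAX + 1 + SLACK)
#define CANARY ((wchar_t)0xBEEF)

/* Re-implementation of the lstrcpynW contract, not the Win32 function:
 * copy at most iMaxLength-1 characters and always NUL-terminate. Note what
 * it does NOT do: it never learns how large dst really is, so a wrong
 * iMaxLength becomes a silent overflow rather than an error. */
static wchar_t *lstrcpynW_like(wchar_t *dst, const wchar_t *src, int iMaxLength)
{
    int i = 0;
    if (iMaxLength <= 0)
        return dst;
    while (i < iMaxLength - 1 && src[i] != L'\0') {
        dst[i] = src[i];
        i++;
    }
    dst[i] = L'\0';
    return dst;
}

/* Model of the stack frame: the skin-name buffer followed by a canary that
 * stands in for what lives above it (saved frame pointer, return address).
 * Returns 1 if the copy clobbered the canary, 0 if it stayed intact. */
static int copy_into_frame(const wchar_t *dirname, int iMaxLength)
{
    wchar_t arena[ARENA_LEN];
    wmemset(arena, 0, ARENA_LEN);
    arena[SKIN_NAME_MAX] = CANARY;
    lstrcpynW_like(arena, dirname, iMaxLength);
    return arena[SKIN_NAME_MAX] != CANARY;
}

/* Vulnerable pattern (assumed, not WinAmp's actual code): the limit handed
 * to lstrcpynW is derived from the source string instead of the destination.
 * Returns 1 if the canary was overwritten, 0 if the name fitted, -1 if the
 * name is too long even for the modelled arena. */
int skin_copy_vulnerable(const wchar_t *dirname)
{
    size_t n = wcslen(dirname);
    if (n + 1 > ARENA_LEN)
        return -1;
    return copy_into_frame(dirname, (int)n + 1);
}

/* Hardened version: validate against the destination size first and reject
 * oversized names instead of silently truncating them (a truncated name
 * would not match any skin directory anyway), then pass the destination
 * size as the limit. Returns 0 if accepted, -1 if rejected. */
int skin_copy_hardened(const wchar_t *dirname)
{
    if (wcslen(dirname) >= SKIN_NAME_MAX)
        return -1;
    if (copy_into_frame(dirname, SKIN_NAME_MAX))
        return -2; /* cannot happen with the correct limit */
    return 0;
}

/* Constructed input: a directory name of n 'A' characters, standing in for
 * the oversized skin name an attacker would ship in a package. */
static wchar_t *constructed_name(size_t n)
{
    static wchar_t name[ARENA_LEN + 1];
    if (n > ARENA_LEN)
        n = ARENA_LEN;
    wmemset(name, L'A', n);
    name[n] = L'\0';
    return name;
}

int vulnerable_with_length(size_t n)
{
    return n > ARENA_LEN ? -1 : skin_copy_vulnerable(constructed_name(n));
}

int hardened_with_length(size_t n)
{
    return n > ARENA_LEN ? -1 : skin_copy_hardened(constructed_name(n));
}

int main(void)
{
    size_t lengths[] = { 5, 31, 32, 200 };
    for (size_t i = 0; i < sizeof lengths / sizeof lengths[0]; i++)
        printf("name length %3zu: vulnerable copy smashed canary=%d, "
               "hardened copy result=%d\n", lengths[i],
               vulnerable_with_length(lengths[i]),
               hardened_with_length(lengths[i]));
    return 0;
}
```

Running it shows that with the source-derived limit a 32-character name already overwrites the canary (31 characters plus the terminator is all the buffer holds), while the hardened copy rejects it before lstrcpynW is ever reached. The real function behaves the same way as the re-implementation on this point: lstrcpynW only knows the limit it is given, so the length check on the directory name is the only thing standing between a skin package and the return address.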
