WinXP and WinAmp Vulnerable to Malicious MP3s 505
mypenwry writes "Foundstone, a Mission Viejo, CA security
services company, is reporting several vulnerabilities that would allow malicious
code embedded in MP3 and WMA files to be executed via WinXP and WinAmp. WinAmp
versions 2.81 and 3.0 are vulnerable
to buffer overflows via certain long ID3v2 tags when MP3 files are loaded.
More troubling is the WinXP
vulnerability: A buffer overflow exists in Explorer's automatic reading
of MP3 or WMA (Windows Media Audio) file attributes in Windows XP. An attacker
could create a malicious MP3 or WMA file, that if placed in an accessed folder
on a Windows XP system, would compromise the system and allow for remote code
execution. The MP3 does not need to be played, it simply needs to be stored in
a folder that is browsed to, such as an MP3 download folder, the desktop, or a
NetBIOS share. This vulnerability is also exploitable via Internet Explorer by
loading a malicious web site. Explorer automatically reads file attributes regardless
of whether or not the user actually highlights, clicks on, reads, or opens the
file. Windows XP's Explorer will overflow if corrupted attributes exist within
the MP3 or WMA file. Microsoft
has issued a fix for this vulnerability. Nullsoft has posted fixed version of WinAmp 2.81 and 3.0 on their web site."
Don't even need to have the file local? (Score:4, Informative)
An attacker might attempt to exploit this in one of three ways:
* Host the file on a website. In this case, if a user were browsing the page containing the file and hovered over it with his or her mouse, the vulnerability could be exploited.
Eep!
* Host the file on a network share. In this case, if a user browsed to the network share and simply opened the folder which contained the file, it could cause the vulnerability to be exploited.
Gaah!
Also, it seems you can send an e-mail with the mp3 object in a frame (this is the third way of exploiting it) so you don't even need to click a link in Outlook / OE for it to be run. This shouldn't be possible on XP SP1 or a recently patched IE though.
Re:Buffer overflow yet again (Score:5, Informative)
Changing "the way it handles buffers" is harder than it sounds, There's a huge amount of legacy code in shared DLLs, older operating systems and so on.
If Microsoft asked me to recommend a global change, I'd tell them to go through the agony of implementing least-privilege throughout their entire system architecture. That would be sheer hell, but at least it would contain the damage from whatever next week's security hole turns out to be.
Re:Buffer overflow yet again (Score:5, Informative)
I have to hand it to Bill on this (Score:5, Informative)
Explorer workaround (Score:4, Informative)
set Web View to "Use Windows Classic Folders"
I've always done this, having never trusted 'web content' in any folder I browse to (nor needing the extra overhead it causes drawing thumbnails of bitmaps and whatnot)
I believe any Windows that's upgraded to Media Player 7.1 and/or IE6 would be vulnerable, not just XP?
Re:Why are there still buffer overruns? (Score:1, Informative)
Re:Effects more then you realize (ID3v1 vs. ID3v2) (Score:5, Informative)
I think what the previous poster is thinking of is ID3v1 tags, which are located at the end of the MP3, so you don't get them until the MP3s finish downloading (and what's more, they have a fixed size so they're easy to check, but that's besides the point)
Now, this bug involves ID3v2 tags. ID3v2 tags are located at that start of the MP3, which is why when you add one to a MP3 playing in Winamp you get a brief pause, it has to add it to the start of the file. Therefore, any MP3 with an ID3v2 tag will already have the potential of compromising you by the time it's downloaded enough to play part of the song if you preview them using Winamp.
I don't know how Explorer checks file attributes on MP3s, but I'm assuming that you're already in danger by this time too.
Re:won't affect most people (Score:3, Informative)
Read the Microsoft Bulletin [microsoft.com] (which I got yesterday). Opening a shared directory with one of these MP3s in will trigger the attack, or even previewing an email with one of these attached will execute it.
Here's MS own words:
Re:Versions?? (Score:5, Informative)
As it should be. ID3 tags are handled by the in_mp3.dll plugin.
Re:How does a buffer overflow allow code execution (Score:3, Informative)
All you ever wanted to know, and then some...
Won't work (Score:2, Informative)
is running XP (hate all that crap also)
Look in a folder that contains only music files
(as most people usually have a folder just for
that).
At first, Windows treats it like any other folder
and displays only the filename, size, type and
mod date. After a while however, it seems to
figure out that it contains music files and starts
reading to ID tags. No idea how or why it
happens.
Re:How does a buffer overflow allow code execution (Score:4, Informative)
By overflowing a buffer on the stack, it's possible to maliciously change a particular piece of information (the function call return address) to cause the program to jump to a new piece of code: the code you just overflowed the buffer with!
Stack overflow exploits are very common because programmers often declare fixed-length buffers as stack variables and are too lazy to perform proper checking to make sure data never overflows the buffer. This problem in WinAmp is no different than any other buffer overflow, it's just much more severe due to its widespread use.
foobar2000 (Score:4, Informative)
Just don't expect too much; it's a very minimalist GUI (what mean these "skinz" of which you speak?), and doesn't support Win9x/NT4.
There's also a support forum [hydrogenaudio.org] for the player.
Hey idiots, strcpy bad! (Score:4, Informative)
Buffer overflows are bad.
It is easy to STOP buffer overflows just by using SAFE strcpy functions that don't blindly copy past the end of a buffer.
Since we've known this for many many years, why do programmers still USE dumb functions that allow buffer overflows?!
Hey Microsoft, since you are spending so much on improving security, I have a hint for you. Print this out and make all your programmers pin it on their cubicles walls:
BAD: strcpy
GOOD: strncpy
Re:Versions?? (Score:4, Informative)
Re:Pathetic (Score:5, Informative)
Any buffer lacking good bounds checking is subject to this.
Re:How does a buffer overflow allow code execution (Score:2, Informative)
Let's say that you have an array, x[20]. It is 20 bytes long. This array starts at memory location 149300. This means that the bytes 149300 - 149319 are reserved as being part of the variable called x. Now, lets say that in this array, you decide to store a string of letters (an ID3 tag, for example). If you allow the user to input the letters into x, without checking the maximum length, then the user can start writing data past x[19]. For example, if the user inputs a string that is 30 characters long, data will be written from bytes 149300 - 149329 in memory, even though you only allocated the memory through location 149319. This means that the user has the ability to write to other data in the computer.
Now, here comes the fun part. If the user (a cracker, at this point), knows where the operating system code lives in memory, he can just input a string that is long enough and eventually overwrite the operating system code. He can carefully craft the string as his own little bits of code which can do nasty things. This is how a buffer overflow works.
I have always thought that this was more of a problem with C than a problem with Windows, since C should really check for stuff like this (or handle strings better). However, it might be kind of hard for the compiler to be able to check for this. The only way to really prevent these is good programming habits - but people make mistakes all the time.
Hope that helps!
Regards, Montag
strncpy bad, strlcpy good (Score:4, Informative)
Hint, this code is buggy:
char buf[1024];
strncpy(buf, big_ass_string, sizeof buf);
strncpy doesn't bother adding a null-terminator in the case where big_ass_string is too big. Most people don't realize that they have to do all of this to be safe with strncpy:
strncpy(buf, big_ass_string, sizeof buf - 1);
buf[sizeof buf - 1] = '\0';
The real solution is to use a function that doesn't have such crappy behavior: strlcpy
strlcpy(buf, big_ass_string, sizeof buf);
It always does null-termination. You never have to lie to it about the size of your string. Same goes for strncat (bad) and strlcat (good). Thank the OpenBSD developers for these. They are very useful in avoiding overflows when you don't have the option of using C++ and the string class.
Re:Pathetic (Score:2, Informative)
You'd better check (Score:3, Informative)
One buffer overflow exists in Winamp 2.81 (latest 2.x release) and two buffer overflows exist in Winamp 3.0 (latest 3.x release). The Winamp 2.81 overflow is with the handling of the Artist ID3v2 tag upon immediate loading of an MP3. The two Winamp 3.0 overflows are present in Media Library's handling of the Artist and Album ID3v2 tags.
There is often the flawed assumption in these reports that people always use the latest version of a particular app. Yes, I know that it would be hard to get and test all versions, but they could at least find out from Nullsoft and indicate what range of versions might be vulnerable.
Nullsoft (bless them - I love Winamp) has an annoying habit of removing or changing features that I like in the minor rev's, which is why I stick to certain versions. I use Winamp 2.50e and 2.78 on various machines. I also have 2.09, 2.70, 2.72 and 2.81 (and a 1.xx and probably others), but don't use them for this reason. Winamp 3 was too buggy as of the build I got a couple of months ago.
Anyway, I often wonder, when I see vulnerability warnings and a version of something that I use is not specifically excluded, is it:
a) Not vulnerable?
b) Not tested for vulnerability ?
Winamp2.5 doesn't handle ID3v2, so it's probably OK. The ID3v2 handling was added somewhere around 2.72, IIRC, so I'll have to do some checking. You might want to check yours as well.
I'd hate be forced to abandon my beloved older Winamps because there's no fix, but that may happen.
Re:Automatic source code analysis (Score:2, Informative)
Re:Buffer overflow yet again (Score:3, Informative)
It is not a sufficient solution to prevent programmers making mistakes.
Re:Except that C... (Score:3, Informative)
Re:Except that C... (Score:2, Informative)
Compiler Optimizations
Range check elimination: The Java programming language specification requires array bounds checking to be performed with each array access. An index bounds check can be eliminated when the compiler can prove that an index used for an array access is within bounds.
(from Hotpot Documentation [sun.com])
Which would be trivial in the case supplied.
Re:Automatic source code analysis (Score:2, Informative)
The point is, MS actually does take security seriously now. It just turns out this is a hard problem, and it's not something that has been on 90% of programmers' minds until just the last couple of years.
Re:Except that C... (Score:2, Informative)
New URL (Score:3, Informative)
Foobar2000 has a new homepage [hydrogenaudio.org]. Version 0.3 has also been released.
For those wondering what to expect, foobar2000 has a minimalist interface, but it does the job. CPU usage is very frugal and your MP3s can sound noticeably better. Why? Because clipping prevention is built-in, removing any distortion induced by overly loud signals.
I am currently running 0.3, and it's a beautiful piece of work. If you want a multi-format player that runs unobtrusively in the background while you do your other stuff, then foobar2000 is for you. At 168 KB, it's worth trying out.