Menu

Improved exploit search engine. Try it out

"Winamp 5.63 - Stack Buffer Overflow"

Author

"Julien Ahrens"

Platform

windows

Release date

2013-07-02

Release Date Title Type Platform Author
2019-06-14 "Aida64 6.00.5100 - 'Log to CSV File' Local SEH Buffer Overflow" local windows "Nipun Jaswal"
2019-06-13 "Pronestor Health Monitoring < 8.1.11.0 - Privilege Escalation" local windows PovlTekstTV
2019-06-11 "ProShow 9.0.3797 - Local Privilege Escalation" local windows Yonatan_Correa
2019-06-05 "IBM Websphere Application Server - Network Deployment Untrusted Data Deserialization Remote Code Execution (Metasploit)" remote windows Metasploit
2019-06-07 "Microsoft Windows - AppX Deployment Service Local Privilege Escalation (3)" local windows SandboxEscaper
2019-06-03 "Nvidia GeForce Experience Web Helper - Command Injection" local windows "Rhino Security Labs"
2019-06-04 "DVD X Player 5.5 Pro - Local Buffer Overflow (SEH)" local windows "Kevin Randall"
2014-11-24 "Microsoft Windows 8.1/ Server 2012 - 'Win32k.sys' Local Privilege Escalation (MS14-058)" local windows anonymous
2019-05-30 "Microsoft Windows Remote Desktop - 'BlueKeep' Denial of Service" dos windows n1xbyte
2019-05-28 "Petraware pTransformer ADC < 2.1.7.22827 - Login Bypass" remote windows "Faudhzan Rahman"
2019-05-23 "Microsoft Windows - AppX Deployment Service Local Privilege Escalation (2)" local windows SandboxEscaper
2019-05-29 "Free SMTP Server 2.5 - Denial of Service (PoC)" dos windows "Metin Yunus Kandemir"
2019-05-27 "Pidgin 2.13.0 - Denial of Service (PoC)" dos windows "Alejandra Sánchez"
2019-05-24 "Microsoft Internet Explorer Windows 10 1809 17763.316 - Scripting Engine Memory Corruption" remote windows "Simon Zuckerbraun"
2019-05-24 "Axessh 4.2 - 'Log file name' Local Stack-based Buffer Overflow" local windows "Uday Mittal"
2019-05-15 "Microsoft Windows - 'Win32k' Local Privilege Escalation" local windows ExpLife0011
2019-05-22 "Microsoft Internet Explorer 11 - Sandbox Escape" local windows SandboxEscaper
2019-05-22 "Microsoft Windows (x84) - Task Scheduler' .job' Import Arbitrary Discretionary Access Control List Write / Local Privilege Escalation" local windows SandboxEscaper
2019-05-23 "Microsoft Windows 10 1809 - 'CmKeyBodyRemapToVirtualForEnum' Arbitrary Key Enumeration Privilege Escalation" local windows "Google Security Research"
2019-05-22 "Microsoft Windows (x84/x64) - 'Error Reporting' Discretionary Access Control List / Local Privilege Escalation" local windows SandboxEscaper
2019-05-23 "Microsoft Windows 10 (17763.379) - Install DLL" local windows SandboxEscaper
2019-05-24 "Fast AVI MPEG Joiner - 'License Name' Denial of Service (PoC)" dos windows Achilles
2019-05-24 "Cyberoam General Authentication Client 2.1.2.7 - 'Server Address' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-24 "Cyberoam Transparent Authentication Suite 2.1.2.5 - 'NetBIOS Name' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-24 "Cyberoam Transparent Authentication Suite 2.1.2.5 - 'Fully Qualified Domain Name' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-24 "Cyberoam SSLVPN Client 1.3.1.30 - 'HTTP Proxy' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-24 "Cyberoam SSLVPN Client 1.3.1.30 - 'Connect To Server' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-23 "Terminal Services Manager 3.2.1 - Denial of Service" dos windows "Alejandra Sánchez"
2019-05-23 "NetAware 1.20 - 'Share Name' Denial of Service (PoC)" dos windows "Alejandra Sánchez"
2019-05-23 "NetAware 1.20 - 'Add Block' Denial of Service (PoC)" dos windows "Alejandra Sánchez"
Release Date Title Type Platform Author
2019-05-14 "Schneider Electric U.Motion Builder 1.3.4 - 'track_import_export.php object_id' Unauthenticated Command Injection" webapps php "Julien Ahrens"
2019-04-10 "Dell KACE Systems Management Appliance (K1000) 6.4.120756 - Unauthenticated Remote Code Execution" webapps php "Julien Ahrens"
2017-10-18 "Check_MK 1.2.8p25 - Information Disclosure" webapps python "Julien Ahrens"
2017-10-13 "AlienVault Unified Security Management (USM) 5.4.2 - Cross-Site Request Forgery" webapps php "Julien Ahrens"
2016-11-21 "Atlassian Confluence AppFusions Doxygen 1.3.0 - Directory Traversal" webapps java "Julien Ahrens"
2016-07-13 "Apache Archiva 1.3.9 - Multiple Cross-Site Request Forgery Vulnerabilities" webapps xml "Julien Ahrens"
2016-05-23 "XenAPI 1.4.1 for XenForo - Multiple SQL Injections" webapps php "Julien Ahrens"
2016-02-23 "Ubiquiti Networks UniFi 3.2.10 - Cross-Site Request Forgery" webapps json "Julien Ahrens"
2013-03-04 "HP Intelligent Management Center - 'topoContent.jsf' Cross-Site Scripting" webapps java "Julien Ahrens"
2012-03-08 "Ilient SysAid 8.5.5 - Multiple Cross-Site Scripting / HTML Injection Vulnerabilities" webapps jsp "Julien Ahrens"
2016-11-22 "AppFusions Doxygen for Atlassian Confluence 1.3.2 - Cross-Site Scripting" webapps java "Julien Ahrens"
2012-08-27 "aoop CMS 0.3.6 - Multiple Vulnerabilities" webapps php "Julien Ahrens"
2014-02-19 "VideoCharge Studio - 'CHTTPResponse::GetHttpResponse()' Remote Stack Buffer Overflow" remote windows "Julien Ahrens"
2013-02-23 "Photodex ProShow Producer - Multiple DLL Loading Arbitrary Code Execution Vulnerabilities" remote windows "Julien Ahrens"
2014-06-01 "Easy File Management Web Server 5.3 - 'UserID' Remote Buffer Overflow (ROP)" remote windows "Julien Ahrens"
2014-03-09 "GetGo Download Manager 4.9.0.1982 - HTTP Response Header Buffer Overflow Remote Code Execution" remote windows "Julien Ahrens"
2014-02-20 "VideoCharge Studio 2.12.3.685 - 'GetHttpResponse()' Man In The Middle Remote Code Execution" remote windows "Julien Ahrens"
2017-12-26 "Ubiquiti UniFi Video 3.7.3 - Local Privilege Escalation" local windows "Julien Ahrens"
2013-09-08 "Watchguard Server Center - Local Privilege Escalation" local windows "Julien Ahrens"
2012-03-08 "Macro Toolworks 7.5 - Local Buffer Overflow" local windows "Julien Ahrens"
2013-11-30 "Kingsoft Office Writer 2012 8.1.0.3385 - '.wps' Local Buffer Overflow (SEH)" local windows "Julien Ahrens"
2013-05-04 "ABBS Audio Media Player 3.1 - '.lst' Local Buffer Overflow" local windows "Julien Ahrens"
2013-03-22 "Photodex ProShow Gold/Producer 5.0.3310/6.0.3410 - 'ScsiAccess.exe' Local Privilege Escalation" local windows "Julien Ahrens"
2013-02-15 "Photodex ProShow Producer 5.0.3297 - '.pxs' Memory Corruption" local windows "Julien Ahrens"
2012-11-20 "FormatFactory 3.0.1 - Profile File Handling Buffer Overflow" local windows "Julien Ahrens"
2012-11-12 "Zoner Photo Studio 15 Build 3 - 'Zps.exe' Registry Value Parsing" local windows "Julien Ahrens"
2012-09-17 "NCMedia Sound Editor Pro 7.5.1 - 'MRUList201202.dat' File Handling Buffer Overflow" local windows "Julien Ahrens"
2014-03-17 "Free Download Manager - Stack Buffer Overflow" dos windows "Julien Ahrens"
2013-11-18 "Avira Secure Backup 1.0.0.1 Build 3616 - '.reg' Buffer Overflow" dos windows "Julien Ahrens"
2013-07-02 "Winamp 5.63 - Stack Buffer Overflow" dos windows "Julien Ahrens"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/26558/?format=json')
                                                {"url": "https://www.nmmapper.com/api/exploitdetails/26558/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/26558/3455/winamp-563-stack-buffer-overflow/download/", "exploit_id": "26558", "exploit_description": "\"Winamp 5.63 - Stack Buffer Overflow\"", "exploit_date": "2013-07-02", "exploit_author": "\"Julien Ahrens\"", "exploit_type": "dos", "exploit_platform": "windows", "exploit_port": null}
                                            

For full documentation follow the link above

Browse exploit DB API Browse

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
Inshell Security Advisory
http://www.inshell.net


1. ADVISORY INFORMATION
-----------------------
Product:        WinAmp
Vendor URL:     www.winamp.com
Type:           Stack-based Buffer Overflow [CWE-121]
Date found:     2013-06-05
Date published: 2013-07-01
CVSSv2 Score:   Bug #1: 7,5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
    Bug #2: 3,7 (AV:L/AC:H/Au:N/C:P/I:P/A:P)
CVE:            CVE-2013-4694


2. CREDITS
----------
These vulnerabilities were discovered and researched by Julien Ahrens
from Inshell Security.


3. VERSIONS AFFECTED
--------------------
WinAmp v5.63, older versions may be affected too.


4. VULNERABILITY DESCRIPTION (BUG #1)
-------------------------------------
The application loads the directories in %PROGRAMFILES%\WinAmp\Skins on
startup to determine the skins that have been installed and to list them
in the application menu point "Skins" and in the Skins Browser. But the
application does not properly validate the length of the directory name
before passing it as argument to a lstrcpynW call in the library
gen_jumpex.dll, which leads to a buffer overflow condition with possible
code execution.

This flaw is also exploitable via the %APPDATA%\WinAmp\winamp.ini. The
application loads the contents on startup, but does not properly
validate the length of the string loaded from the "skin" key before
passing it as an argument to the same lstrcpynW call in the library
gen_jumpex.dll, which leads to the same buffer overflow condition.

An attacker either needs to trick the victim to download and apply an
arbitrary skin package in order to exploit the vulnerability or to copy
an arbitrary winamp.ini into the %APPDATA%\WinAmp directory. Successful
exploits can allow attackers to execute arbitrary code with the
privileges of the user running the application. Failed exploits will
result in a denial-of-service condition.


4. VULNERABILITY DESCRIPTION (BUG #2)
-------------------------------------
The application loads the string of the GUI "Search" field from the
"WinAmp Library" when entered by a user and after switching to another
menu point, but does not properly validate the length of the string
before passing it as an argument to a GetDlgItemTextW call in the
library ml_local.dll, which leads to a buffer overflow condition with
possible code execution.

An attacker needs local access to the client in order to exploit the
vulnerability. Successful exploits can allow attackers to execute
arbitrary code with the privileges of the user running the application.
Failed exploits will result in a denial-of-service condition.


5. PROOF-OF-CONCEPT (DEBUG) (Bug #1)
------------------------------------
Registers:
EAX 3B3C08EB
ECX 7C80BAFC kernel32.7C80BAFC
EDX 00430010 winamp.00430010
EBX 0000007E
ESP 00C1F290 UNICODE "CCCCCCCCCCCCCCCCCCCCCCCCCCCC"
EBP 00430043 winamp.00430043
ESI 001961E8
EDI 0000060B
EIP 00430060 winamp.00430060
C 0  ES 0023 32bit 0(FFFFFFFF)
P 1  CS 001B 32bit 0(FFFFFFFF)
A 0  SS 0023 32bit 0(FFFFFFFF)
Z 1  DS 0023 32bit 0(FFFFFFFF)
S 0  FS 003B 32bit 7FFDE000(FFF)
T 0  GS 0000 NULL
D 0
O 0  LastErr ERROR_INVALID_WINDOW_HANDLE (00000578)
EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE)
ST0 empty +NaN
ST1 empty
ST2 empty
ST3 empty
ST4 empty
ST5 empty
ST6 empty
ST7 empty
               3 2 1 0      E S P U O Z D I
FST 0120  Cond 0 0 0 1  Err 0 0 1 0 0 0 0 0  (LT)
FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1

Stackview:
ESP-20   > 00430043  CC  winamp.00430043
ESP-1C   > 0043004B  KC  winamp.0043004B
ESP-18   > 7C80BAFC      kernel32.7C80BAFC
ESP-14   > 00430043  CC  winamp.00430043
ESP-10   > 00430043  CC  winamp.00430043
ESP-C    > 00430043  CC  winamp.00430043
ESP-8    > 00430043  CC  winamp.00430043
ESP-4    > 00430043  CC  winamp.00430043
ESP ==>  > 00430043  CC  winamp.00430043
ESP+4    > 00430043  CC  winamp.00430043
ESP+8    > 00430043  CC  winamp.00430043
ESP+C    > 00430043  CC  winamp.00430043
ESP+10   > 00430043  CC  winamp.00430043
ESP+14   > 00430043  CC  winamp.00430043
ESP+18   > 00430043  CC  winamp.00430043
ESP+1C   > 00430043  CC  winamp.00430043
ESP+20   > 00430043  CC  winamp.00430043

Vulnerable code part:
.text:1001A5B8                 push    eax             ; lpString2
.text:1001A5B9                 lea     eax, [ebp+String1]
.text:1001A5BF                 push    eax             ; lpString1
.text:1001A5C0                 call    ds:lstrcpynW
.text:1001A5C6                 cmp     word ptr [ebp+wParam], si
.text:1001A5CD                 jnz     short loc_1001A5E2
.text:1001A5CF                 mov     dword_100310B4, 1
.text:1001A5D9                 cmp     [ebp+String1], si
.text:1001A5E0                 jz      short loc_1001A5E8
.text:1001A5E2
.text:1001A5E2 loc_1001A5E2:                           ; CODE XREF:
sub_1001A551+7Cj
.text:1001A5E2                 mov     dword_100310B4, esi
.text:1001A5E8
.text:1001A5E8 loc_1001A5E8:                           ; CODE XREF:
sub_1001A551+8Fj
.text:1001A5E8                 pop     esi
.text:1001A5E9                 leave
.text:1001A5EA                 retn
.text:1001A5EA sub_1001A551    endp


5. PROOF-OF-CONCEPT (DEBUG) (Bug #2)
------------------------------------
Registers:
EAX 00000000
ECX 079A9D68 ml_local.079A9D68
EDX 00380608
EBX 00000000
ESP 00C1E46C UNICODE "CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC"
EBP 00430043 winamp.00430043
ESI 00000000
EDI 00000000
EIP 00430043 winamp.00430043
C 0  ES 0023 32bit 0(FFFFFFFF)
P 1  CS 001B 32bit 0(FFFFFFFF)
A 0  SS 0023 32bit 0(FFFFFFFF)
Z 1  DS 0023 32bit 0(FFFFFFFF)
S 0  FS 003B 32bit 7FFDE000(FFF)
T 0  GS 0000 NULL
D 0
O 0  LastErr ERROR_INVALID_WINDOW_HANDLE (00000578)
EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE)
ST0 empty
ST1 empty
ST2 empty
ST3 empty
ST4 empty
ST5 empty
ST6 empty
ST7 empty
               3 2 1 0      E S P U O Z D I
FST 0000  Cond 0 0 0 0  Err 0 0 0 0 0 0 0 0  (GT)
FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1

Stackview:
ESP-20   > 00430043  CC  winamp.00430043
ESP-1C   > 00430043  CC  winamp.00430043
ESP-18   > 00430043  CC  winamp.00430043
ESP-14   > 00430043  CC  winamp.00430043
ESP-10   > 00430043  CC  winamp.00430043
ESP-C    > 00430043  CC  winamp.00430043
ESP-8    > 00430043  CC  winamp.00430043
ESP-4    > 00430043  CC  winamp.00430043
ESP ==>  > 00430043  CC  winamp.00430043
ESP+4    > 00430043  CC  winamp.00430043
ESP+8    > 00430043  CC  winamp.00430043
ESP+C    > 00430043  CC  winamp.00430043
ESP+10   > 00430043  CC  winamp.00430043
ESP+14   > 00430043  CC  winamp.00430043
ESP+18   > 00430043  CC  winamp.00430043
ESP+1C   > 00430043  CC  winamp.00430043
ESP+20   > 00430043  CC  winamp.00430043

Vulnerable code part:
.text:07990871                 lea     eax, [ebp+WideCharStr]
.text:07990877                 push    eax             ; lpString
.text:07990878                 push    3EEh            ; nIDDlgItem
.text:0799087D                 push    [ebp+hDlg]      ; hDlg
.text:07990880                 call    ds:GetDlgItemTextW
.text:07990886                 lea     eax, [ebp+WideCharStr]
[...]
.text:0799097C                 mov     dword_79A9D68, eax
.text:07990981                 mov     dword_79A9D70, eax
.text:07990986                 mov     dword_79A9D6C, eax
.text:0799098B                 mov     dword_79ACB54, eax
.text:07990990                 pop     ebx
.text:07990991                 leave
.text:07990992                 retn


6. SOLUTION
-----------
Update to latest version v5.64 or newer.


7. REPORT TIMELINE
------------------
2013-06-05: Discovery of the vulnerability
2013-06-06: Vendor acknowledgement of the issue
2013-06-11: Vendor already fixed this issue in v5.7 Beta build 3403
2013-06-12: Confirmation that the issue is fixed
2013-06-19: Vendor releases v5.64 which includes the fix
2013-07-01: Coordinated Disclosure


8. REFERENCES
-------------
http://security.inshell.net
http://forums.winamp.com/showthread.php?t=364291