AOL Nullsoft Winamp S3M Module "IN_MOD.DLL" Remote Heap Memory Corruption
by Piotr Bania <bania.piotr@gmail.com>
http://www.piotrbania.com
Severity: Important - Potencial remote code execution.
Software affected: Tested on AOL Nullsoft Winamp v5.33 (x86) Feb 13 2007
(on Windows XP SP1/SP2).
Orginal url: http://www.piotrbania.com/all/adv/nullsoft-winamp-s3m_module-in_mod-adv.txt
0. DISCLAIMER
Author takes no responsibility for any actions with provided informations or
codes. The copyright for any material created by the author is reserved. Any
duplication of codes or texts provided here in electronic or printed
publications is not permitted without the author's agreement.
I. BACKGROUND
Nullsoft is the most popular multimedia player in the world.
in_mod.dll is a one of Winamp plugins.
II. DESCRIPTION
The problem takes place when Winamp is trying to play specially
crafted .S3M file.
S3M is the file format used by the popular ScreamTracker 3 PC music
tracker. The S3M format is an advanced module format, and is the successor
to the STM format used by the original ScreamTracker. Both formats are based
on the original MOD format used on the Commodore Amiga computer.
Take a look a this code snipet:
----// SNIP SNIP //-------------------------------------------------
.text:00E9BB54 write_loop: ; CODE XREF: sub_E9B964+239�j
.text:00E9BB54 mov edx, [ebp+arg_0]
.text:00E9BB57 mov ecx, [esi+18h]
.text:00E9BB5A mov dx, [eax+edx*2]
.text:00E9BB5E mov [eax+ecx*2], dx
.text:00E9BB62 mov eax, [esi+370h]
.text:00E9BB68 mov ecx, [esi+18h]
.text:00E9BB6B mov cx, [eax+ecx*2]
.text:00E9BB6F cmp cx, [ebx+24h]
.text:00E9BB73 jnb short loc_E9BB93 ; *(0)
.text:00E9BB75 mov al, [esi+18h]
.text:00E9BB78 mov ecx, [ebp+arg_0]
.text:00E9BB7B mov [ecx+ebx+0A8h], al : *(A)
.text:00E9BB82 mov eax, [esi+370h]
.text:00E9BB88 cmp word ptr [eax+ecx*2], 0FEh
.text:00E9BB8E jnb short loc_E9BB93
.text:00E9BB90 inc dword ptr [esi+18h]
.text:00E9BB93
.text:00E9BB93 loc_E9BB93: ; CODE XREF: sub_E9B964+20F�j
.text:00E9BB93 ; sub_E9B964+22A�j
.text:00E9BB93 movzx ecx, word ptr [ebx+20h] ; *(B)
.text:00E9BB97 inc [ebp+arg_0]
.text:00E9BB9A cmp [ebp+arg_0], ecx ; *(C)
.text:00E9BB9D jb short write_loop
----// SNIP SNIP //-------------------------------------------------
Where:
EBX = the base of S3M header in the memory
EBX+20h = offset 0x20 in the S3M file
EBX+24h = offset 0x24 in the S3M file
arg_0 = is a counter (increasing per one every loop, look at 0x00E9BB97)
When jump at instruction *(0) is not taken (dword value from [eax+ecx*2] is below
dword value from [ebx+24], which we control) we are landing at 0x00E9BB75.
The al register is loaded with one byte from [esi+18h], which is also increased
by one every loop (look at 0x00E9BB90). Then at 0x00E9BB78, ECX becomes loaded
with the counter varible (also increased per one every loop). The instruction marked
as *(A) stores the byte previously loaded in AL into the memory location computed
with EBX=memory_base / ECX = linear counter and const imm data equal to 0xA8.
As you can see at 0x00E9BB93 (marked as *(B)), the CX becomes equal to two bytes
which we control in the file structure (offset 0x20). Rest of the ECX register
is extended to zero. Then at instruction *(C) the arg_0 counter is comparised with
our value from ECX, and if it's below (CF=1) the loop is continued.
As you can see, for example by changing the [ebx+20h] value we can own the number
of cycles of this write_loop. This leads to memory corruption.
Although exploitation is hard, due to the fact the AL register value at point *(A)
is not initalized by attacker, which like i have previously mentioned, it is not const
(it is increased at 0x00E9BB90).
III. IMPACT
Successful exploitation may allow the attacker to run arbitrary code in
context of user running AOL Nullsoft Winamp.
IV. VENDOR RESPONSE
Due to the fact i was looking for a AOL NULLSOFT contact for over 30 minutes with
no effect, i got finally bored and i haven't notified them at all.