The Register, 2002-04-29
Users of NullSoft's popular WinAmp player should
WinAmp parses the tag's contents, and of course manipulation here is limited to what the parser is designed to accomplish. There's a lot that can't be done with this rig -- and there's probably a lot that isn't known about what can be done -- but do know that if the mini-browser is enabled, a malformed URL can cause a buffer overflow.
"If the mini-browser is enabled, Winamp will try to query a script on info.winamp.com for extra information about the song, based on data from the ID3v2 tag. The buffer overflow condition occurs when the URL string intended to be sent to the minibrowser is created. That means the buffer overflow occurs before any actual Internet connection to info.winamp.com is made," Sandblad says.
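As an added illustration, not WinAmp's code and not taken from the article or from Sandblad's advisory, the following C sketch walks through the two steps the quote describes, reading text frames out of an ID3v2 tag and building the query URL from them, written so that neither step can write past a fixed-size buffer. The host, path, buffer sizes and the two sample tags are constructed assumptions.

```c
#include <stdio.h>
#include <string.h>
#define URL_MAX 128   /* hypothetical fixed-size URL buffer, the kind the article describes */

/* Copy the text of an ID3v2.3 frame (e.g. "TIT2") into out[out_len]. Returns 0 when the frame is
 * absent, its declared size runs past the tag, or its text would not fit: refused, never copied. */
static int id3v2_text_frame(const unsigned char *tag, size_t tag_len, const char *id,
                            char *out, size_t out_len) {
    if (tag_len < 10 || memcmp(tag, "ID3", 3) != 0 || tag[3] != 3) return 0;   /* v2.3 only */
    size_t end = 10 + (((size_t)(tag[6] & 0x7f) << 21) | ((size_t)(tag[7] & 0x7f) << 14) |
                       ((size_t)(tag[8] & 0x7f) << 7) | (tag[9] & 0x7f));     /* syncsafe size */
    if (end > tag_len) end = tag_len;                        /* header claims more than we have */
    for (size_t pos = 10; pos + 10 <= end; ) {
        size_t fsize = ((size_t)tag[pos + 4] << 24) | ((size_t)tag[pos + 5] << 16) |
                       ((size_t)tag[pos + 6] << 8) | tag[pos + 7];     /* v2.3: plain big-endian */
        if (fsize == 0 || fsize > end - pos - 10) return 0;  /* truncated or lying frame size */
        if (memcmp(tag + pos, id, 4) == 0) {
            size_t text_len = fsize - 1;                     /* byte 0 is the text encoding */
            if (text_len >= out_len) return 0;               /* would not fit: refuse, not truncate */
            memcpy(out, tag + pos + 11, text_len); out[text_len] = '\0'; return 1;
        }
        pos += 10 + fsize;
    }
    return 0;
}
/* Build the query URL into a fixed buffer. snprintf returns the length the whole string
 * would need; if that does not fit, report failure instead of writing past the buffer. */
static int build_info_url(const char *title, const char *artist, char url[URL_MAX]) {
    int n = snprintf(url, URL_MAX, "http://info.example.invalid/q?title=%s&artist=%s", title, artist);
    return n >= 0 && (size_t)n < URL_MAX;                    /* placeholder host and path above */
}
/* Constructed tags: GOOD_TAG holds TIT2="Song", TPE1="Band"; LYING_TAG's TIT2 frame claims
 * 0x7fffffff bytes although the header says only 15 bytes of frame data follow. */
static const unsigned char GOOD_TAG[] = { 'I','D','3',3,0,0, 0,0,0,30,
    'T','I','T','2', 0,0,0,5, 0,0, 0,'S','o','n','g',  'T','P','E','1', 0,0,0,5, 0,0, 0,'B','a','n','d' };
static const unsigned char LYING_TAG[] = { 'I','D','3',3,0,0, 0,0,0,15,
    'T','I','T','2', 0x7f,0xff,0xff,0xff, 0,0, 0,'S','o','n','g' };

/* Parse a tag and build its URL; returns the URL, or NULL if any step refuses. */
const char *tag_to_url(const unsigned char *tag, size_t tag_len) {
    static char url[URL_MAX]; char title[32], artist[32];
    if (!id3v2_text_frame(tag, tag_len, "TIT2", title, sizeof title) ||
        !id3v2_text_frame(tag, tag_len, "TPE1", artist, sizeof artist)) return NULL;
    return build_info_url(title, artist, url) ? url : NULL;
}
/* A title longer than the URL buffer is rejected, not written past it. Returns 1 if rejected. */
int oversized_title_rejected(void) {
    char big[URL_MAX + 1], url[URL_MAX]; memset(big, 'A', URL_MAX); big[URL_MAX] = '\0';
    return !build_info_url(big, "Band", url);
}
```

Note that no network connection is made anywhere: as the quote points out, the dangerous step is the string construction itself, so the bounds checks belong there.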
Creating the actual condition is fairly straightforward, but exploiting it isn't quite so easy. However, it is possible to get to a memory address where considerable mischief can be done. This would include infecting other MP3 files on a drive or a network share. How long the blackhat development community will take to produce a handy exploitation tool is anyone's guess, but generally speaking they catch on very fast. Obviously it wouldn't hurt to upgrade from 2.79 to 2.80, since doing so is free and, we hope, painless. In lieu of that, a simple workaround is to disable the mini-browser.
Personally, I'd do both if I were using the product.
