Tuesday, 8 November 2016

Playing Winamp

A while after I started to fuzz Winamp (again), I found my old directory with some results (about ~300 files), all ready to ‘check them later’… so I think ‘now’ is a good time to do it. Let’s get to work.



I was a little bit confused when I was planning how to separate one result from the others, but finally I decided to describe below, case by case, some bugs I found during (let’s say) the “last week or two” (of fuzzing multiple file extensions). I created 4 groups (based on the WinDbg proposal):
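A small triage script for exactly this sorting problem, added here as an example and not code from the original post: it buckets a directory of WinDbg crash reports by the !exploitable classification and by the top symbolised frame of the kb stack trace, so that the same bug hit by many files collapses into one line. The report text, file names, addresses and the in_placeholder module in the sample are constructed, not real fuzzer output.

```python
import re
from collections import defaultdict

# Rank order for the four WinDbg !exploitable classes the post groups crashes by.
SEVERITY = {"EXPLOITABLE": 0, "PROBABLY_EXPLOITABLE": 1,
            "UNKNOWN": 2, "PROBABLY_NOT_EXPLOITABLE": 3}
CLASS_RE = re.compile(r"Exploitability Classification:\s*(\w+)")
# A symbolised frame such as "ntdll!wtol+0x24": module, symbol, optional offset.
FRAME_RE = re.compile(r"(\w+)!(\w+)(?:\+0x[0-9a-fA-F]+)?")

def parse_report(text):
    """Return (classification, top frame) for one crash report; the top frame
    is the first module!symbol after the 'ChildEBP RetAddr' header of kb."""
    m = CLASS_RE.search(text)
    cls = m.group(1).upper() if m else "UNKNOWN"
    in_stack = False
    for line in text.splitlines():
        if "ChildEBP" in line:          # start of the kb listing
            in_stack = True
        elif in_stack and (f := FRAME_RE.search(line)):
            return cls, f"{f.group(1)}!{f.group(2)}"
    return cls, "<no symbol>"

def bucket_crashes(reports):
    """Group (name, report_text) pairs by (class, top frame) and return
    [((class, frame), [names]), ...] ordered by severity, then bucket size."""
    buckets = defaultdict(list)
    for name, text in reports:
        buckets[parse_report(text)].append(name)
    return sorted(buckets.items(),
                  key=lambda kv: (SEVERITY.get(kv[0][0], 2), -len(kv[1]), kv[0]))

# Constructed sample reports in the style of '!exploitable' plus 'kb' output.
SAMPLE_REPORTS = [
    ("crash01.m3u", "Exploitability Classification: PROBABLY_NOT_EXPLOITABLE\n"
                    "ChildEBP RetAddr\n0018f4a0 77a1b2c3 ntdll!wtol+0x24\n"),
    ("crash02.aiff", "Exploitability Classification: PROBABLY_NOT_EXPLOITABLE\n"
                     "ChildEBP RetAddr\n0018f4a0 77a1b2c4 ntdll!wtol+0x24\n"),
    ("crash03.flac", "Exploitability Classification: PROBABLY_EXPLOITABLE\n"
                     "ChildEBP RetAddr\n0018f000 5ea00001 in_placeholder!decode+0x10\n"),
    ("crash04.mid", "Exploitability Classification: EXPLOITABLE\n"
                    "ChildEBP RetAddr\n0018f100 77a20001 ntdll!RtlReAllocateHeap+0x3a\n"),
    ("crash05.m3u", "Exploitability Classification: UNKNOWN\n"
                    "ChildEBP RetAddr\n0018f200 76b00001 kernel32!InitializeCriticalSection+0xc\n"),
]

if __name__ == "__main__":
    for (cls, frame), names in bucket_crashes(SAMPLE_REPORTS):
        print(f"{cls:<25} {frame:<40} {len(names)} file(s): {', '.join(names)}")
```

On a real results directory, read each saved WinDbg log into the (name, text) list instead of SAMPLE_REPORTS; anything that lands in one bucket only needs one manual look.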

PROBABLY_NOT_EXPLOITABLE:  


I chose this "group" as the first one to describe because (in my opinion) it is the easiest to ‘find out’ and/or ‘understand’ whether the bug we’ve found is really ‘exploitable’* or not (where for *exploitable you will put #with-your-current-skills-right-now ;)) – so again – ‘in my opinion’ this is a DoS or something “else” (that I don’t understand yet…). So.

The first case was related to M3U files. Quick review from WinDbg:



We can see a crash in ntdll!wtol. (You will find information about the purpose of the function here or here.) Below are some details:






And the results from the 2nd link:





Let’s check more details about the crash, reviewing the few steps before it:





To me it looks like a heap crash. Another case is related to AIFF file parsing:





Very similar stack trace (kb) and unassembled EIP (u eip; u eip-1, u eip-n…). Results below:





The next section is related to PROBABLY_EXPLOITABLE bugs. Case 1 is related to FLAC files:




REP MOVS is described here. Let’s see the stack trace:





Let’s check u eip(-1) to better understand what’s going on here:





The next format I decided to add to the fuzzer was OGG. It seems that Winamp crashes in the same place again (as we saw before):





Another crash was related to parsing MIDI files:





I think you can already see that for the last few crashes we observe the same (crash) results. For the Microsoft Wave Sound Format (WAV) we have some results too:




Checking the stack trace:





Let’s analyze the function again (u eip, and so on…):





As you can see, the crash is very similar to the MIDI and OGG ones described before. Again the stc instruction and again rep movs.


The 3rd section is related to EXPLOITABLE bugs. Let’s check a few of them. The first one is for a MIDI file:






Looks like we spotted the heap. :) Let’s go deeper. Checking the stack trace:



Let’s find some details about the next crash – this time for the AIFF format again:


As you can see, wtol is here again, as well as realloc and calloc. The next example crash occurred for the WAV format again. Below you will find some details and the stack trace:


Good. Heap allocations. ;] I also found that we can trigger some re/allocations with a simple M3U file. Check this out:
  
More details below:


The last group was described by WinDbg as UNKNOWN. Below are some results for an M3U file:
  
You will find more information about the InitializeCriticalSection function here. And below you will find the stack trace:


See the stack trace for another example (described by the debugger as “UNKNOWN”). This time it is related to AIFF:
  




Crash occurred here:



The last bug I decided to publish here was found for the OGG format. Check the stack trace below:



It’s crashing here:


Update: the version I used for those tests:



Maybe you will find it useful.
Cheers!
