Winamp (5.61 - 5.623) Audio Video Interleave (AVI) Multiple Denial of Service Vulnerabilities
fuzzing, security, blackbox, tests, winamp.exe, DoS, AVI
FMA-2011-008
Winamp
5.623
http://www.winamp.com
winamp.exe, 5.6.2.3199, AD7ADADC77482FCB855B279CA0204E2A
in_avi.dll (Original), 4BA77D39DA74EB0D1102952D20711975
in_avi.dll (First fixes), 0EE7B79222D4BD269B476FC0F1AC31E0
Windows XP SP3 Home Edition
Windows XP SP3 Professional Edition
Windows 7 SP1 Home Premium
2011.03.27
2012.03.26
2012.07.10
Denial of Service during processing of a malformed AVI sample, caused by a null pointer dereference in the in_avi.dll module at address 0x075A40F1.
DoS
The access violation exception is caused by reading a DWORD value through a null pointer.
Access violation exception when reading.
075A40EE 8B47 04 MOV EAX,DWORD PTR DS:[EDI+4]
075A40F1 8B40 14 MOV EAX,DWORD PTR DS:[EAX+14] ; null pointer dereference
075A40F4 8945 EC MOV DWORD PTR SS:[EBP-14],EAX
075A40F7 8D4D EC LEA ECX,DWORD PTR SS:[EBP-14]
075A40FA B8 74E35A07 MOV EAX,in_avi_1.075AE374
075A40FF E8 67090000 CALL in_avi_1.075A4A6B
Figure: Access violation exception when reading (image01.png)
Denial of Service during processing of a malformed AVI sample, caused by an integer division by zero in the in_avi.dll module at address 0x075A89D4.
DoS
Integer division by zero.
075A89CA 8B4C24 14 MOV ECX,DWORD PTR SS:[ESP+14] ; ECX == 0
075A89CE 8B4424 10 MOV EAX,DWORD PTR SS:[ESP+10] ; EAX == 0
075A89D2 33D2 XOR EDX,EDX ; EDX == 0
075A89D4 F7F1 DIV ECX ; Integer division by zero
Figure: Integer division by zero exception (image02.png)
Denial of Service during processing of a malformed AVI sample, caused by an integer division by zero in the in_avi.dll module at address 0x018289F4.
DoS
FuzzMyApp received a fixed version of the in_avi.dll plugin for verification purposes. After a quick fuzzing of the new plugin, we came up with new vulnerable samples. The new sample was a copy of the previous vulnerability: Denial of Service during processing of a malformed AVI sample, caused by an integer division by zero in the in_avi.dll module at address 0x075A89D4.
Integer division by zero exception
018289EA 8B4C24 14 MOV ECX,DWORD PTR SS:[ESP+14] ; ECX == 0
018289EE 8B4424 10 MOV EAX,DWORD PTR SS:[ESP+10] ; EAX == 0
018289F2 33D2 XOR EDX,EDX ; EDX == 0
018289F4 F7F1 DIV ECX ; Integer division by zero
Figure: Integer division by zero exception (image03.png)
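Added example, not part of the original advisory and not Winamp code: the input checks that prevent both crash classes described above (a read through a null pointer, and an unsigned DIV with a zero divisor) when a parser derives a value from AVI header fields. The advisory does not say which field reaches the DIV instruction or which pointer is null; the use of dwScale and dwRate from the AVI stream header ('strh' chunk) and all function and constant names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names; field offsets follow the public AVISTREAMHEADER layout.
 * Assumption: dwScale is the divisor; the advisory does not name the field. */
enum { OFF_SCALE = 20, OFF_RATE = 24, STRH_NEEDED = 28 };
enum avi_status { AVI_OK, AVI_NO_STREAM, AVI_TRUNCATED, AVI_ZERO_DIVISOR };

/* Read a little-endian 32-bit field from untrusted file bytes. */
static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Frame rate in 1/1000 fps = dwRate * 1000 / dwScale, with every input checked. */
enum avi_status avi_fps_milli(const uint8_t *strh, size_t len, uint64_t *out)
{
    if (strh == NULL || out == NULL)
        return AVI_NO_STREAM;     /* absent chunk: report it, never dereference */
    if (len < STRH_NEEDED)
        return AVI_TRUNCATED;     /* fields would lie past the end of the chunk */
    uint32_t scale = rd_le32(strh + OFF_SCALE);
    uint32_t rate = rd_le32(strh + OFF_RATE);
    if (scale == 0)
        return AVI_ZERO_DIVISOR;  /* unsigned DIV by 0 raises a CPU exception */
    *out = (uint64_t)rate * 1000u / scale;  /* 64-bit product cannot overflow */
    return AVI_OK;
}

int main(void)
{
    uint8_t good[56] = {0}, bad[56] = {0};  /* constructed sample headers */
    uint64_t fps = 0;
    good[OFF_SCALE] = 1; good[OFF_RATE] = 25;   /* 25 fps */
    bad[OFF_RATE] = 25;                         /* dwScale left at 0 */
    printf("good: status=%d\n", avi_fps_milli(good, sizeof good, &fps));
    printf("fps*1000=%llu\n", (unsigned long long)fps);
    printf("bad:  status=%d\n", avi_fps_milli(bad, sizeof bad, &fps));
    printf("none: status=%d\n", avi_fps_milli(NULL, 0, &fps));
    return 0;
}
```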