Reappearance/Mutation of Buffer Overflow in ID3v2 tags



Summary

To let WinAmp users keep track of the MP3 music files they are using, WinAmp uses an ID3 tag in which the user can enter the title, artist, album and other information. However, if too much data is entered into these ID3 tag fields, the program has a buffer overflow vulnerability. The bug was originally fixed during the version 2 series, but it has since returned in version 5 in a mutated form.


Application Description

NullSoft's WinAmp is a multimedia player designed mostly for playing MP3 music files. The player makes use of ID3 tags, which allow users to record information about the song, such as the artist, title, track number, etc.

WinAmp v2.79
WinAmp v5.03



Test Design

This example demonstrates the use of Regression testing. We use Regression testing to ensure that bugs we have already encountered and fixed do not reappear in later versions of the program. Regression testing is not a distinct testing technique in itself; rather, it is the awareness and re-application of past tests to monitor an application for the reappearance of old issues or the breaking of a working function by new code.

In this example on ID3 tags in WinAmp, we have many different input boxes and many types of input that can go in those boxes. Regardless of what is put into these boxes, it is the amount of data that matters here. Buffer overflows occur when more data is written into a buffer than was allocated for it. The result is that adjacent memory, including the return addresses of functions, can be overwritten, which can allow malicious users to access and modify other parts of a system.

This is the same test that was performed on version 2.79 of WinAmp, and two major releases later (there was no version 4), we find that NullSoft's overhaul of the WinAmp code has allowed the bug to reappear.

Regression testing is a very necessary technique for maintaining a stable product release (one that is at least as stable as the releases before it in terms of the same features). We observe the results of a regression test by directly examining the program's reaction to tests that have previously been run, and we expect to receive the same result as we did on the previous successful run of the test (the result we received once the bug was corrected).
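As an added illustration (not part of the original CSTER example and not WinAmp's code), the following C shows the bounds check a tag reader needs when copying ID3v2.3 text frames into fixed-size fields, and an automated regression check that feeds it a constructed tag with an oversized Title frame. FIELD_MAX, the 1 MiB scratch buffer and the frame layout choices are the example's own assumptions.

```c
#include <stdint.h>
#include <string.h>

#define FIELD_MAX 64  /* hypothetical fixed-size field; WinAmp's real buffer sizes are not on the page */
typedef struct { char title[FIELD_MAX]; int truncated; } id3_fields;

/* Copy at most dst_size-1 bytes, always NUL-terminate, and report whether the input was cut. */
static int copy_bounded(char *dst, size_t dst_size, const uint8_t *src, size_t n) {
    size_t k = n < dst_size - 1 ? n : dst_size - 1;
    memcpy(dst, src, k);
    dst[k] = '\0';
    return n > k;
}

/* Parse an ID3v2.3 tag (no unsynchronisation, no extended header) into bounded fields.
   Returns 0 on success, -1 when the header or a frame size disagrees with the data length. */
int parse_id3v2(const uint8_t *buf, size_t len, id3_fields *out) {
    memset(out, 0, sizeof *out);
    if (len < 10 || memcmp(buf, "ID3", 3) != 0 || buf[3] != 3) return -1;
    size_t end = 10 + (((size_t)(buf[6] & 0x7f) << 21) | ((size_t)(buf[7] & 0x7f) << 14) |
                       ((size_t)(buf[8] & 0x7f) << 7) | (buf[9] & 0x7f));  /* syncsafe tag size */
    if (end > len) return -1;                                  /* declared size exceeds the data */
    for (size_t pos = 10; pos + 10 <= end && buf[pos] != 0;) { /* a 0x00 frame id starts padding */
        size_t fsize = ((size_t)buf[pos+4] << 24) | ((size_t)buf[pos+5] << 16) |
                       ((size_t)buf[pos+6] << 8) | buf[pos+7];
        if (fsize > end - (pos + 10)) return -1;               /* frame runs past the tag */
        const uint8_t *data = buf + pos + 10;                  /* data[0] is the text encoding */
        if (memcmp(buf + pos, "TIT2", 4) == 0 && fsize >= 1 && data[0] == 0) /* ISO-8859-1 */
            out->truncated = copy_bounded(out->title, FIELD_MAX, data + 1, fsize - 1);
        pos += 10 + fsize;
    }
    return 0;
}

/* Regression check: build a tag whose TIT2 frame holds n 'A's (constructed input), optionally with
   a frame size that overstates the data, then parse it. Returns the stored title length, -1 if the
   parser rejected the tag, -2 if n does not fit the scratch buffer. */
static uint8_t tag_buf[1 << 20];
long regression_title(size_t n, int overstate_frame_size) {
    size_t fsize = 1 + n, total = 20 + fsize, ts = total - 10;
    if (total > sizeof tag_buf) return -2;
    memcpy(tag_buf, "ID3\x03\x00\x00", 6);                       /* id, v2.3, revision 0, flags */
    tag_buf[6] = (ts >> 21) & 0x7f; tag_buf[7] = (ts >> 14) & 0x7f;
    tag_buf[8] = (ts >> 7) & 0x7f;  tag_buf[9] = ts & 0x7f;
    memcpy(tag_buf + 10, "TIT2", 4);
    size_t d = overstate_frame_size ? fsize + 1000 : fsize;
    tag_buf[14] = (uint8_t)(d >> 24); tag_buf[15] = (uint8_t)(d >> 16);
    tag_buf[16] = (uint8_t)(d >> 8);  tag_buf[17] = (uint8_t)d;
    tag_buf[18] = tag_buf[19] = 0; tag_buf[20] = 0;             /* frame flags; encoding ISO-8859-1 */
    memset(tag_buf + 21, 'A', n);
    id3_fields f;
    if (parse_id3v2(tag_buf, total, &f) != 0) return -1;
    return (long)strlen(f.title);
}
```

A title of 100000 characters is stored as FIELD_MAX-1 bytes with the truncated flag set, and a frame whose declared size runs past the tag is rejected rather than read.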


Performing the Test

  1. Start WinAmp v5.03 and open an “.mp3” file by clicking on .
  2. Open the ID3 tag editor by either pressing Alt+3 or right-clicking on the song in the playlist window and selecting File Info.
  3. In the ID3 tag window, make sure only the ID3v2 tag is selected in the check box:

  4. In the 'Title' field, paste a large amount of text.
  5. Repeat step 4 with the 'Artist' field.

  6. Click 'Update' to return to the main WinAmp window.
  7. Click on to play the file.

Results/Relevance

After pressing multiple times, try bringing down the 'View' or 'Options' menus. Each time you pressed , it added more and more duplicate menu options into the menu:

Performing this same test in WinAmp v2.79 will elicit different results, but it still illustrates an exploitable buffer overflow, which could allow a user to alter or damage information on another user's computer. Regression testing allowed us to reuse the same tests to locate this older bug by testing for errors that WinAmp had in the past. In WinAmp v2.79, instead of the menus being altered, the program would actually crash with the following error:

This is a highly critical bug, as buffer overflows can be very dangerous. Malicious users can find ways to execute their own code through the buffer overflow, so that WinAmp might then launch another program to perform a task or damage files on the user's hard drive.

While Risk-based testing originally helped us to quickly and easily locate this buffer overflow, Regression testing with our original test allowed us to keep track of whether or not the bug would reappear.


Similar Tests/Additional Notes

Try performing the same or similar tests in older/newer versions of WinAmp and observe the results. Similarly, try entering large amounts of text into limited fields inside some other programs, such as word processors or Internet browsers.


Configuration Notes

Testing NullSoft's WinAmp v5.03 on:


Created 31 May 2004 for the CSTER

All images and written material ©Copyright Sam Oswald 2004

This work is licensed under the Creative Commons Attribution-ShareAlike License.
To view a copy of this license, visit
http://creativecommons.org/licenses/by-sa/2.0/
or send a letter to
Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305,
USA.