Buffer Overflow with ID3v2 Tags in WinAmp

Summary

To let WinAmp users keep track of the MP3 music files they play, WinAmp stores an ID3 tag in which the user can enter the title, artist, album and other information. However, if too much data is entered into these ID3 tags, the program crashes due to a buffer overflow vulnerability.


Application Description

NullSoft's WinAmp is a multimedia player designed mostly for playing mp3 music files. The player makes use of ID3 tags, which allow users to record information about the song, such as the artist, title, track number, etc.


Test Design

This example demonstrates the use of Risk-based testing. In Risk-based testing, we look for things in one application that commonly fail in many applications. Risk-based testing helps narrow the testing focus to areas that we know have problems. We look at a function with the educated expectation of a certain kind of failure, rather than checking it against a particular correct output.

In this presentation, we give the ID3 tags faulty input in an effort to test for the risk of a buffer overflow (where more data is written into a buffer than the application has correctly limited it to hold), which we would observe by seeing a Windows prompt telling us that it was unable to write to a memory location. Buffer overflows are used by malicious users to insert and execute code that can potentially damage stored information.


Performing the Test

  1. Start WinAmp v2.76 and open an “.mp3” file by clicking on .
  2. Open up the ID3 tag editor by either pressing Alt+3 or right-clicking on the song in the playlist window and selecting File Info.
  3. In the ID3 tag window, make sure only the ID3v2 tag is selected in the check box:

  4. In the 'Title' field, paste a large amount of text.
  5. Repeat step 4 with the 'Artist' field.

  6. Click 'Update' to return to WinAmp.
  7. Click on to play the file.

Results/Relevance

After pressing , WinAmp tried to load the ID3v2 tag, but the amount of information in the tag was larger than the amount of memory that WinAmp had allotted for it, resulting in a buffer overflow.

This is a highly critical bug, as buffer overflows are very exploitable. Malicious users can easily find ways to execute their own code through the buffer overflow, such that WinAmp might then call another program or damage files on a user's hard drive.
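The defect class described above, shown as an added C illustration (this is not WinAmp's code, whose tag parser does not appear on this page): a routine that copies the text of a single ID3v2.3 TIT2 (title) frame into a fixed 30-byte buffer, first in the unchecked form that trusts the size field from the file, then in a hardened form that validates the frame against the bytes actually present and bounds the copy by the destination. It assumes the ID3v2.3 frame layout (4-byte frame ID, 4-byte big-endian size, 2 flag bytes, then one text-encoding byte before the text) and a constructed 30-byte title buffer; build_tit2 only fabricates test input.

```c
#include <stdint.h>
#include <string.h>

#define TITLE_MAX 30      /* constructed fixed-size destination buffer */
#define FRAME_HDR_LEN 10  /* ID3v2.3 frame header: ID(4) + size(4) + flags(2) */

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Builds a TIT2 frame: header, encoding byte 0 (ISO-8859-1), then the text.
 * Constructed test input only; returns bytes written, 0 if out is too small. */
size_t build_tit2(uint8_t *out, size_t out_len, const char *text) {
    size_t n = strlen(text) + 1;                 /* +1 for the encoding byte */
    if (out_len < FRAME_HDR_LEN + n) return 0;
    memcpy(out, "TIT2", 4);
    out[4] = (uint8_t)(n >> 24); out[5] = (uint8_t)(n >> 16);
    out[6] = (uint8_t)(n >> 8);  out[7] = (uint8_t)n;
    out[8] = out[9] = 0;                         /* frame flags */
    out[FRAME_HDR_LEN] = 0;                      /* text encoding: ISO-8859-1 */
    memcpy(out + FRAME_HDR_LEN + 1, text, n - 1);
    return FRAME_HDR_LEN + n;
}

/* VULNERABLE pattern: trusts the size field in the tag and copies that many
 * bytes into a fixed buffer; a title longer than TITLE_MAX-1 bytes overruns it.
 * Kept only for comparison with the hardened version below; never call it. */
void copy_title_unsafe(const uint8_t *frame, char title[TITLE_MAX]) {
    uint32_t size = be32(frame + 4);
    memcpy(title, frame + FRAME_HDR_LEN + 1, size - 1);
    title[size - 1] = '\0';
}

/* HARDENED: returns 0 = ok, 1 = title truncated to fit the destination,
 * -1 = malformed frame (wrong ID, zero size, or size exceeds the tag data). */
int copy_title_safe(const uint8_t *tag, size_t tag_len,
                    char *title, size_t title_len) {
    if (title_len == 0 || tag_len < FRAME_HDR_LEN) return -1;
    if (memcmp(tag, "TIT2", 4) != 0) return -1;
    uint32_t size = be32(tag + 4);
    if (size < 1 || size > tag_len - FRAME_HDR_LEN) return -1;
    size_t text_len = size - 1;                  /* drop the encoding byte */
    int rc = 0;
    if (text_len > title_len - 1) { text_len = title_len - 1; rc = 1; }
    memcpy(title, tag + FRAME_HDR_LEN + 1, text_len);
    title[text_len] = '\0';
    return rc;
}
```

The second check in copy_title_safe is the one the unchecked version lacks: a size field that claims more bytes than the tag actually contains is rejected instead of being used as a copy length.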

Risk-based testing allowed us to quickly and easily locate this buffer overflow because we looked at what we had for inputs (a text field) and what exploits commonly come with text fields (buffer overflows). With this expectation, we know relatively quickly what to test first and how to test for it.


Similar Tests/Additional Notes

Try performing the same or similar tests in older/newer versions of WinAmp and observe the results. Similarly, try entering large amounts of text into limited fields inside some other programs, such as word processors or Internet browsers.


Configuration Notes

Testing NullSoft's WinAmp v2.79 on:


Created 09 June 2004 for the CSTER

All images and written material ©Copyright Sam Oswald 2004

This work is licensed under the Creative Commons Attribution-ShareAlike License.
To view a copy of this license, visit
http://creativecommons.org/licenses/by-sa/2.0/
or send a letter to
Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305,
USA.