Nullsoft Winamp in_avi.dll and in_mod.dll integer overflow (AVI_INFO_Chunk_Overflow)

About this signature or vulnerability

IBM Security Host Protection for Servers (Windows), RealSecure Server Sensor, IBM Security Host Protection for Desktops, Proventia Network IDS, Proventia Network MFS, Proventia-G 1.1 and earlier, IBM Security Network Protection, Proventia Network IPS, Virtual Server Protection for VMware, Proventia Server IPS for Linux technology, IBM Security Host Protection for Servers (Unix):

This event detects a specially-crafted AVI file with an 'INFO' LIST that may cause an integer overflow in Nullsoft Winamp, possibly allowing remote code execution.


Default risk level

High

Sensors that have this signature

IBM Security Host Protection for Servers (Windows): 2.1.14.2720, RealSecure Server Sensor: XPU 32.010, IBM Security Host Protection for Desktops: 2720, Proventia Network IDS: XPU 32.010, Proventia Network MFS: XPU 32.010, Proventia-G 1.1 and earlier: XPU 32.010, IBM Security Network Protection: 5.1, Proventia Network IPS: XPU 32.010, Virtual Server Protection for VMware: XPU 32.010, Proventia Server IPS for Linux technology: 32.010, IBM Security Host Protection for Servers (Unix): 2.2.2

Systems affected

Nullsoft Winamp: 5.12, Nullsoft Winamp: 5.11, Nullsoft Winamp: 5.094, Nullsoft Winamp: 5.24, Nullsoft Winamp: 5.33, Nullsoft Winamp: 5.3, Nullsoft Winamp: 5.35, Nullsoft Winamp: 5.21, Nullsoft Winamp: 5.5, Nullsoft Winamp: 5.51, Nullsoft Winamp: 5.0, Nullsoft Winamp: 5.13, Nullsoft Winamp: 5.2, Nullsoft Winamp: 5.22, Nullsoft Winamp: 5.0.1, Nullsoft Winamp: 5.0.2, Nullsoft Winamp: 5.31, Nullsoft Winamp: 5.34, Nullsoft Winamp: 5.52, Nullsoft Winamp: 5.54, Nullsoft Winamp: 5.541, Nullsoft Winamp: 5.55, Nullsoft Winamp: 5.552, Nullsoft Winamp: 5.56, Nullsoft Winamp: 5.6, Nullsoft Winamp: 5.6.1, Nullsoft Winamp: 5.621, Nullsoft Winamp: 5.34a, Nullsoft Winamp: 5.601, Nullsoft Winamp: 5.61, Nullsoft Winamp: 5.622, Nullsoft Winamp: 5.0.3, Nullsoft Winamp: 5.0.3a, Nullsoft Winamp: 5.0.4, Nullsoft Winamp: 5.0.5, Nullsoft Winamp: 5.0.6, Nullsoft Winamp: 5.0.7, Nullsoft Winamp: 5.0.8, Nullsoft Winamp: 5.0.8c, Nullsoft Winamp: 5.0.9, Nullsoft Winamp: 5.0.91, Nullsoft Winamp: 5.3.2

Type

Unauthorized Access Attempt

Vulnerability description

Nullsoft Winamp is vulnerable to a heap-based buffer overflow, caused by an integer overflow in in_avi.dll and in_mod.dll when parsing malicious .avi files. By persuading a victim to open a specially-crafted AVI file, a remote attacker could exploit this vulnerability to execute arbitrary code on the system.
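
The following is an added example, not the logic of the IBM signature and not Winamp code: a structural check that walks a RIFF/AVI file and flags 'INFO' LIST sub-chunks whose declared 32-bit size cannot be honest. The page does not give the arithmetic that overflows, so the "size + 1" wrap test is an assumed illustration of the bug class; the function names and the sample file builder are hypothetical.

```python
import struct

U32 = 0xFFFFFFFF

def chunks(buf, start, end):
    """Yield (fourcc, declared_size, data_offset) for RIFF chunks in buf[start:end]."""
    pos = start
    while pos + 8 <= end:
        fourcc, size = struct.unpack_from("<4sI", buf, pos)
        yield fourcc, size, pos + 8
        if size > end - (pos + 8):      # declared size runs past the container
            return                      # nothing after this point can be trusted
        pos += 8 + size + (size & 1)    # RIFF chunks are padded to an even length

def scan_info_lists(buf):
    """Return findings for INFO sub-chunks with implausible declared sizes."""
    if len(buf) < 12 or buf[:4] != b"RIFF" or buf[8:12] != b"AVI ":
        return ["not a RIFF/AVI file"]
    findings = []
    for fourcc, size, off in chunks(buf, 12, len(buf)):
        if fourcc != b"LIST" or size < 4 or buf[off:off + 4] != b"INFO":
            continue
        list_end = min(off + size, len(buf))
        for sub, sub_size, sub_off in chunks(buf, off + 4, list_end):
            name = sub.decode("latin-1")
            # Assumed pattern: a parser that allocates size + 1 bytes wraps to 0.
            if ((sub_size + 1) & U32) < sub_size:
                findings.append(f"{name}: size 0x{sub_size:08x} wraps on +1")
            elif sub_size > list_end - sub_off:
                findings.append(f"{name}: size {sub_size} exceeds LIST bounds")
    return findings

def build_avi(info_size, payload=b"demo\x00\x00"):
    """Constructed sample: minimal RIFF/AVI with one INFO LIST holding an INAM entry."""
    sub = b"INAM" + struct.pack("<I", info_size) + payload
    lst = b"LIST" + struct.pack("<I", 4 + len(sub)) + b"INFO" + sub
    body = b"AVI " + lst
    return b"RIFF" + struct.pack("<I", len(body)) + body

if __name__ == "__main__":
    for declared in (6, 0x1000, 0xFFFFFFFF):
        print(hex(declared), scan_info_lists(build_avi(declared)))
```
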

How to remove this vulnerability

Upgrade to the latest version of Winamp (5.623), available from the Winamp Web site. See References.

References

Secunia Research 12/12/2011
Winamp AVI Parsing Two Integer Overflow Vulnerabilities
http://secunia.com/secunia_research/2011-81/

Winamp Web Site
Winamp Media Player - MP3, Video, and Music Player - Winamp
http://www.winamp.com/

ISS X-Force
Nullsoft Winamp in_avi.dll and in_mod.dll integer overflow
http://www.iss.net/security_center/static/71757.php

CVE
CVE-2011-3834
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3834