Nullsoft Winamp in_avi.dll and in_mod.dll integer overflow (AVI_INFO_Chunk_Overflow)

About this signature or vulnerability

IBM Security Host Protection for Servers (Windows), RealSecure Server Sensor, IBM Security Host Protection for Desktops, Proventia Network MFS, Proventia-G 1.1 and earlier, Proventia Network IDS, IBM Security Network Protection, Virtual Server Protection for VMware, Proventia Server IPS for Linux technology, Proventia Network IPS, IBM Security Host Protection for Servers (Unix):

This event detects a specially-crafted AVI file with an 'INFO' LIST that may cause an integer overflow in Nullsoft Winamp, possibly allowing remote code execution.


Default risk level

High

Sensors that have this signature

IBM Security Host Protection for Servers (Windows): 2.1.14.2720, RealSecure Server Sensor: XPU 32.010, IBM Security Host Protection for Desktops: 2720, Proventia Network MFS: XPU 32.010, Proventia-G 1.1 and earlier: XPU 32.010, Proventia Network IDS: XPU 32.010, IBM Security Network Protection: 5.1, Virtual Server Protection for VMware: XPU 32.010, Proventia Server IPS for Linux technology: 32.010, Proventia Network IPS: XPU 32.010, IBM Security Host Protection for Servers (Unix): 2.2.2

Systems affected

Nullsoft Winamp: 5.12, Nullsoft Winamp: 5.11, Nullsoft Winamp: 5.094, Nullsoft Winamp: 5.24, Nullsoft Winamp: 5.33, Nullsoft Winamp: 5.3, Nullsoft Winamp: 5.35, Nullsoft Winamp: 5.21, Nullsoft Winamp: 5.5, Nullsoft Winamp: 5.51, Nullsoft Winamp: 5.0, Nullsoft Winamp: 5.13, Nullsoft Winamp: 5.2, Nullsoft Winamp: 5.22, Nullsoft Winamp: 5.0.1, Nullsoft Winamp: 5.0.2, Nullsoft Winamp: 5.31, Nullsoft Winamp: 5.34, Nullsoft Winamp: 5.52, Nullsoft Winamp: 5.54, Nullsoft Winamp: 5.541, Nullsoft Winamp: 5.55, Nullsoft Winamp: 5.552, Nullsoft Winamp: 5.56, Nullsoft Winamp: 5.6, Nullsoft Winamp: 5.6.1, Nullsoft Winamp: 5.621, Nullsoft Winamp: 5.34a, Nullsoft Winamp: 5.601, Nullsoft Winamp: 5.61, Nullsoft Winamp: 5.622, Nullsoft Winamp: 5.0.3, Nullsoft Winamp: 5.0.3a, Nullsoft Winamp: 5.0.4, Nullsoft Winamp: 5.0.5, Nullsoft Winamp: 5.0.6, Nullsoft Winamp: 5.0.7, Nullsoft Winamp: 5.0.8, Nullsoft Winamp: 5.0.8c, Nullsoft Winamp: 5.0.9, Nullsoft Winamp: 5.0.91, Nullsoft Winamp: 5.3.2

Type

Unauthorized Access Attempt

Vulnerability description

Nullsoft Winamp is vulnerable to a heap-based buffer overflow, caused by an integer overflow in in_avi.dll and in_mod.dll when parsing malicious .avi files. By persuading a victim to open a specially-crafted AVI file, a remote attacker could exploit this vulnerability to execute arbitrary code on the system.
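
For triage of suspect files, the following added example (not IBM's signature logic and not Winamp code, neither of which this page describes) walks the RIFF structure of an AVI file and reports 'INFO' LIST sub-chunks whose declared 32-bit size cannot fit inside the enclosing list. The function names, the WRAP_MARGIN constant and the sample file builders are assumptions made for the illustration; the page does not state which size field overflows.

```python
import struct

U32_MAX = 0xFFFFFFFF
WRAP_MARGIN = 16  # assumed: a small constant a parser might add to a declared size

def chunks(buf, start, end):
    """Yield (fourcc, declared_size, data_offset) for RIFF chunks in buf[start:end]."""
    pos = start
    while pos + 8 <= end:
        fourcc, size = struct.unpack_from("<4sI", buf, pos)
        yield fourcc, size, pos + 8
        pos += 8 + size + (size & 1)  # chunk data is padded to an even length

def audit_info_lists(buf):
    """Return one finding per INFO sub-chunk whose declared size cannot be real."""
    if len(buf) < 12 or buf[:4] != b"RIFF" or buf[8:12] != b"AVI ":
        raise ValueError("not a RIFF/AVI file")
    findings = []
    stack = [(12, len(buf))]  # explicit stack: nesting depth is attacker-controlled
    while stack:
        start, end = stack.pop()
        for fourcc, size, data in chunks(buf, start, end):
            if fourcc != b"LIST" or size < 4:
                continue
            list_end = min(data + size, end)  # never trust a size past the parent
            if buf[data:data + 4] != b"INFO":
                stack.append((data + 4, list_end))  # other LISTs may nest more LISTs
                continue
            for sub, sub_size, sub_data in chunks(buf, data + 4, list_end):
                if sub_data + sub_size > list_end:
                    findings.append({
                        "chunk": sub.decode("latin-1"),
                        "offset": sub_data - 8,
                        "declared": sub_size,
                        "available": list_end - sub_data,
                        # size + small constant would wrap in 32-bit arithmetic
                        "wraps_u32": sub_size > U32_MAX - WRAP_MARGIN,
                    })
    return findings

# Constructed sample input: helpers that build a tiny AVI-like RIFF file.
def chunk(fourcc, payload, declared=None):
    size = len(payload) if declared is None else declared
    return fourcc + struct.pack("<I", size) + payload + b"\x00" * (len(payload) & 1)

def make_avi(*info_subchunks):
    body = b"AVI " + chunk(b"LIST", b"INFO" + b"".join(info_subchunks))
    return b"RIFF" + struct.pack("<I", len(body)) + body

if __name__ == "__main__":
    bad = make_avi(chunk(b"INAM", b"demo"), chunk(b"ISFT", b"x" * 8, declared=U32_MAX))
    print(audit_info_lists(bad))
```

A finding with wraps_u32 set marks a declared size so close to 2^32 that adding a small constant to it before allocating would wrap to a tiny value, which is the general arithmetic pattern behind integer-overflow-to-heap-overflow bugs.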

How to remove this vulnerability

Upgrade to the latest version of Winamp 5.623, available from the Winamp Web site. See References.

References

Secunia Research 12/12/2011
Winamp AVI Parsing Two Integer Overflow Vulnerabilities
http://secunia.com/secunia_research/2011-81/

Winamp Web Site
Winamp Media Player - MP3, Video, and Music Player - Winamp
http://www.winamp.com/

ISS X-Force
Nullsoft Winamp in_avi.dll and in_mod.dll integer overflow
http://www.iss.net/security_center/static/71757.php

CVE
CVE-2011-3834
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3834