Nullsoft Winamp in_avi.dll and in_mod.dll integer overflow (AVI_INFO_Chunk_Overflow)

About this signature or vulnerability

Proventia-G 1.1 and earlier, Proventia Network IDS, IBM Security Host Protection for Desktops, RealSecure Server Sensor, IBM Security Host Protection for Servers (Windows), Proventia Network MFS, Proventia Network IPS, Proventia Server IPS for Linux technology, Virtual Server Protection for VMware, IBM Security Host Protection for Servers (Unix), IBM Security Network Protection:

This event detects a specially-crafted AVI file with an 'INFO' LIST that may cause an integer overflow in Nullsoft Winamp, possibly allowing remote code execution.


Default risk level

High

Sensors that have this signature

Proventia-G 1.1 and earlier: XPU 32.010, Proventia Network IDS: XPU 32.010, IBM Security Host Protection for Desktops: 2720, RealSecure Server Sensor: XPU 32.010, IBM Security Host Protection for Servers (Windows): 2.1.14.2720, Proventia Network MFS: XPU 32.010, Proventia Network IPS: XPU 32.010, Proventia Server IPS for Linux technology: 32.010, Virtual Server Protection for VMware: XPU 32.010, IBM Security Host Protection for Servers (Unix): 2.2.2, IBM Security Network Protection: 5.1

Systems affected

Nullsoft Winamp: 5.6.1, Nullsoft Winamp: 5.621, Nullsoft Winamp: 5.34a, Nullsoft Winamp: 5.601, Nullsoft Winamp: 5.61, Nullsoft Winamp: 5.622, Nullsoft Winamp: 5.0.3, Nullsoft Winamp: 5.0.3a, Nullsoft Winamp: 5.0.4, Nullsoft Winamp: 5.0.5, Nullsoft Winamp: 5.0.6, Nullsoft Winamp: 5.0.7, Nullsoft Winamp: 5.0.8, Nullsoft Winamp: 5.0.8c, Nullsoft Winamp: 5.0.9, Nullsoft Winamp: 5.0.91, Nullsoft Winamp: 5.3.2, Nullsoft Winamp: 5.56, Nullsoft Winamp: 5.6, Nullsoft Winamp: 5.552, Nullsoft Winamp: 5.54, Nullsoft Winamp: 5.52, Nullsoft Winamp: 5.13, Nullsoft Winamp: 5.22, Nullsoft Winamp: 5.2, Nullsoft Winamp: 5.0, Nullsoft Winamp: 5.0.2, Nullsoft Winamp: 5.34, Nullsoft Winamp: 5.31, Nullsoft Winamp: 5.0.1, Nullsoft Winamp: 5.55, Nullsoft Winamp: 5.541, Nullsoft Winamp: 5.33, Nullsoft Winamp: 5.3, Nullsoft Winamp: 5.35, Nullsoft Winamp: 5.21, Nullsoft Winamp: 5.5, Nullsoft Winamp: 5.51, Nullsoft Winamp: 5.24, Nullsoft Winamp: 5.094, Nullsoft Winamp: 5.11, Nullsoft Winamp: 5.12

Type

Unauthorized Access Attempt

Vulnerability description

Nullsoft Winamp is vulnerable to a heap-based buffer overflow, caused by an integer overflow in in_avi.dll and in_mod.dll when parsing malicious .avi files. By persuading a victim to open a specially-crafted AVI file, a remote attacker could exploit this vulnerability to execute arbitrary code on the system.
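
The following added example (not the logic of the IBM signature and not Winamp code) shows the kind of structural check a defender can run on an AVI file: walk the RIFF container, find each 'INFO' LIST, and flag sub-chunks whose declared size cannot be valid. The two heuristics, the `WRAP_MARGIN` value, and the sample files are assumptions constructed for illustration.

```python
import struct

WRAP_MARGIN = 16  # assumed headroom a parser might add to a size before allocating

def riff_chunks(buf, start, end):
    """Yield (fourcc, declared_size, data_offset) for chunks in buf[start:end]."""
    pos = start
    while pos + 8 <= end:
        fourcc, size = struct.unpack_from("<4sI", buf, pos)
        yield fourcc, size, pos + 8
        if size > end - (pos + 8):      # size overruns the parent: stop walking
            return
        pos += 8 + size + (size & 1)    # RIFF chunks are padded to even length

def suspicious_info_chunks(buf):
    """Return (fourcc, declared_size, reason) for implausible LIST/INFO sub-chunks."""
    findings = []
    if len(buf) < 12 or buf[:4] != b"RIFF" or buf[8:12] != b"AVI ":
        return findings
    pending = [(12, len(buf))]          # byte ranges still to be walked
    while pending:
        start, end = pending.pop()
        for fourcc, size, data in riff_chunks(buf, start, end):
            if fourcc != b"LIST" or size < 4 or size > end - data:
                continue
            list_end = data + size
            if buf[data:data + 4] != b"INFO":
                pending.append((data + 4, list_end))   # nested list such as hdrl
                continue
            for sub, sub_size, sub_data in riff_chunks(buf, data + 4, list_end):
                if sub_size > 0xFFFFFFFF - WRAP_MARGIN:
                    reason = "size wraps 32-bit arithmetic"
                elif sub_size > list_end - sub_data:
                    reason = "size exceeds enclosing LIST"
                else:
                    continue
                findings.append((sub.decode("latin-1"), sub_size, reason))
    return findings

def chunk(fourcc, payload, declared=None):
    """Build a RIFF chunk; 'declared' overrides the true size (constructed sample)."""
    size = len(payload) if declared is None else declared
    return fourcc + struct.pack("<I", size) + payload + b"\0" * (len(payload) & 1)

def sample_avi(declared=None):
    """Constructed minimal AVI skeleton with one INFO/INAM entry."""
    info = b"INFO" + chunk(b"INAM", b"demo", declared)
    body = b"AVI " + chunk(b"LIST", b"hdrl" + chunk(b"avih", b"\0" * 56)) + chunk(b"LIST", info)
    return b"RIFF" + struct.pack("<I", len(body)) + body
```

Calling `suspicious_info_chunks()` on a file's bytes returns an empty list for a well-formed INFO LIST and one tuple per sub-chunk whose size field is inconsistent with its container.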

How to remove this vulnerability

Upgrade to the latest version of Winamp (5.623), available from the Winamp Web site. See References.

References

Secunia Research 12/12/2011
Winamp AVI Parsing Two Integer Overflow Vulnerabilities
http://secunia.com/secunia_research/2011-81/

Winamp Web Site
Winamp Media Player - MP3, Video, and Music Player - Winamp
http://www.winamp.com/

ISS X-Force
Nullsoft Winamp in_avi.dll and in_mod.dll integer overflow
http://www.iss.net/security_center/static/71757.php

CVE
CVE-2011-3834
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3834