Winamp AIFF and MP3 file buffer overflow (Winamp_AIFF_COMM_Chunk_Overflow)

About this signature or vulnerability

IBM Security Host Protection for Servers (Windows), RealSecure Server Sensor, Proventia Server IPS for Linux technology, Virtual Server Protection for Vmware, Proventia Network IPS, IBM Security Host Protection for Servers (Unix), IBM Security Host Protection for Desktops, Proventia Network IDS, Proventia-G 1.1 and earlier, Proventia Network MFS:

This signature detects a specially crafted COMM chunk size field that can overrun the heap.
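
An added example, not IBM's signature logic or code from this page: a Python check that walks the chunks of an AIFF or AIFF-C file and flags a COMM chunk whose size field is inconsistent with the format or with the bytes actually present. The size bounds come from the AIFF chunk layout and are assumptions here, as are the names `check_comm_chunks` and `sample_aiff`.

```python
import struct

# Assumed bounds, taken from the AIFF / AIFF-C chunk layout rather than from
# the signature itself: an AIFF COMM body is 18 bytes; AIFF-C appends a 4-byte
# compression type and a Pascal string of at most 256 bytes.
AIFF_COMM_SIZE = 18
AIFC_COMM_RANGE = (22, 18 + 4 + 256)


def check_comm_chunks(data: bytes) -> list:
    """Walk the chunks of an AIFF/AIFF-C file; return findings about COMM sizes."""
    if len(data) < 12 or data[:4] != b"FORM":
        return ["not an IFF FORM container"]
    form_type = data[8:12]
    if form_type not in (b"AIFF", b"AIFC"):
        return ["unexpected FORM type %r" % form_type]
    findings, pos = [], 12
    while pos + 8 <= len(data):
        chunk_id, size = struct.unpack(">4sI", data[pos:pos + 8])
        remaining = len(data) - (pos + 8)
        if chunk_id == b"COMM":
            if form_type == b"AIFF" and size != AIFF_COMM_SIZE:
                findings.append("COMM size %d at offset %d, expected 18" % (size, pos))
            elif form_type == b"AIFC" and not (
                AIFC_COMM_RANGE[0] <= size <= AIFC_COMM_RANGE[1]
            ):
                findings.append("COMM size %d at offset %d outside AIFF-C range" % (size, pos))
        if size > remaining:
            # The declared length runs past the end of the file: stop walking.
            findings.append("chunk %r declares %d bytes, %d left in file" % (chunk_id, size, remaining))
            break
        pos += 8 + size + (size & 1)  # chunk bodies are padded to even length
    return findings


def sample_aiff(declared_comm_size: int) -> bytes:
    """Constructed sample: FORM/AIFF with one COMM chunk (1 ch, 0 frames, 16 bit)."""
    comm_body = struct.pack(">hIh", 1, 0, 16) + bytes(10)  # 18 bytes in total
    comm = b"COMM" + struct.pack(">I", declared_comm_size) + comm_body
    return b"FORM" + struct.pack(">I", 4 + len(comm)) + b"AIFF" + comm


if __name__ == "__main__":
    for size in (18, 0xFFFFFFF0):
        print(hex(size), check_comm_chunks(sample_aiff(size)) or "ok")
```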


Default risk level

High

Sensors that have this signature

IBM Security Host Protection for Servers (Windows): 2870, RealSecure Server Sensor: XPU 33.040, Proventia Server IPS for Linux technology: 33.040, Virtual Server Protection for Vmware: XPU 33.040, Proventia Network IPS: XPU 33.040, IBM Security Host Protection for Servers (Unix): 33.040, IBM Security Host Protection for Desktops: 2870, Proventia Network IDS: XPU 33.040, Proventia-G 1.1 and earlier: XPU 33.040, Proventia Network MFS: XPU 33.040

Systems affected

Nullsoft Winamp: 2.10, Nullsoft Winamp: 2.79, Nullsoft Winamp: 2.80, Nullsoft Winamp: 2.76, Nullsoft Winamp: 2.77, Nullsoft Winamp: 2.78, Nullsoft Winamp: 2.81, Nullsoft Winamp: 3.0, Nullsoft Winamp: 2.91, Nullsoft Winamp: 5.02, Nullsoft Winamp: 5.05, Nullsoft Winamp: 5.07, Nullsoft Winamp: 5.09, Nullsoft Winamp: 5.091, Nullsoft Winamp: 5.12, Nullsoft Winamp: 5.11, Nullsoft Winamp: 5.094, Nullsoft Winamp: 5.24, Nullsoft Winamp: 5.33, Nullsoft Winamp: 5.3, Nullsoft Winamp: 5.35, Nullsoft Winamp: 5.32, Nullsoft Winamp: 5.21, Nullsoft Winamp: 5.5, Nullsoft Winamp: 5.51, Nullsoft Winamp: 5.0, Nullsoft Winamp: 5.01, Nullsoft Winamp: 5.03, Nullsoft Winamp: 5.04, Nullsoft Winamp: 5.06, Nullsoft Winamp: 5.093, Nullsoft Winamp: 5.1, Nullsoft Winamp: 5.111, Nullsoft Winamp: 5.112, Nullsoft Winamp: 5.13, Nullsoft Winamp: 5.2, Nullsoft Winamp: 5.22, Nullsoft Winamp: 5.23, Nullsoft Winamp: 2.0, Nullsoft Winamp: 2.24, Nullsoft Winamp: 2.4, Nullsoft Winamp: 2.50, Nullsoft Winamp: 2.60, Nullsoft Winamp: 2.61, Nullsoft Winamp: 2.62, Nullsoft Winamp: 2.64, Nullsoft Winamp: 2.65, Nullsoft Winamp: 2.70, Nullsoft Winamp: 2.71, Nullsoft Winamp: 2.72, Nullsoft Winamp: 2.73, Nullsoft Winamp: 2.74, Nullsoft Winamp: 2.75, Nullsoft Winamp: 2.90, Nullsoft Winamp: 2.95, Nullsoft Winamp: 3.1, Nullsoft Winamp: 5.0.1, Nullsoft Winamp: 5.0.2, Nullsoft Winamp: 5.08, Nullsoft Winamp: 5.31, Nullsoft Winamp: 5.34, Nullsoft Winamp: 5.36, Nullsoft Winamp: 5.52, Nullsoft Winamp: 5.53, Nullsoft Winamp: 5.54, Nullsoft Winamp: 5.541, Nullsoft Winamp: 2.5E, Nullsoft Winamp: 2.60 Full, Nullsoft Winamp: 2.60 Lite, Nullsoft Winamp: 2.62 Standard, Nullsoft Winamp: 2.64 Standard, Nullsoft Winamp: 2.70 Full, Nullsoft Winamp: 2.6X, Nullsoft Winamp: 2.61 Full, Nullsoft Winamp: 2.7X, Nullsoft Winamp: 2.73 Full, Nullsoft Winamp: 5.08e, Nullsoft Winamp: 5.08d, Nullsoft Winamp: 5.08c, Nullsoft Winamp: 5.03a

Type

Unauthorized Access Attempt

Vulnerability description

Winamp is vulnerable to a heap-based buffer overflow, caused by improper bounds checking when handling AIFF and MP3 files. By persuading a user to open a specially-crafted AIFF or MP3 file, a remote attacker could overflow a buffer and execute arbitrary code on the system with elevated privileges, or cause the application to crash.

How to remove this vulnerability

Upgrade to the latest version of Winamp (5.55 or later), available from the Winamp Web site. See References.

References

milw0rm.com [2009-01-12]
Winamp <= 5.541 (mp3/aiff) Multiple Denial of Service Exploits
http://milw0rm.com/exploits/7742

Winamp Web site
Winamp Media Player - MP3, Multimedia, and Music Player
http://www.winamp.com/

Winamp Web site
Winamp Media Player Version History, Winamp 5.55 (Latest)
http://www.winamp.com/player/version-history

ISS X-Force
Winamp AIFF and MP3 file buffer overflow
http://www.iss.net/security_center/static/47911.php

CVE
CVE-2009-0263
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0263