Juniper Networks

Signature Detail

Short Name: APP:WINAMP:CDA-DEV-NAME-OF
Severity: High
Recommended: No
Recommended Action: Drop
Category: APP
Keywords: WinAmp CDA Device Name Overflow
Release Date: 2005/02/15
Update Number: 1213
Supported Platforms: idp-4.0+, isg-3.0+, j-series-9.5+, mx-9.4+, srx-9.2+, srx-branch-9.4+, vsrx-12.1+

APP: WinAmp CDA Device Name Overflow


This signature detects malformed CDA URIs within an HTTP stream. Attackers can create a malicious playlist that, when selected by a user, overflows a buffer allocated by WinAmp and enables an attacker to take control of the user's system.

Extended Description

A remote buffer overflow vulnerability affects the IN_CDDA.dll library of Nullsoft's Winamp. This issue is due to a failure of the application to properly validate the length of user-supplied strings prior to copying them into finite process buffers. It should be noted that this issue is not related to the issue outlined in BID 11730 (Nullsoft Winamp IN_CDDA.dll Remote Buffer Overflow Vulnerability). This issue will facilitate remote exploitation as an attacker may distribute malicious playlist files and entice unsuspecting users to process them with the affected application. It should be noted that this issue was originally reported in BID 12245 (Nullsoft Winamp Multiple Unspecified Vulnerabilities). It has been assigned a new BID due to the release of more information. An attacker may exploit this issue to execute arbitrary code with the privileges of the user that activated the vulnerable application.

Affected Products

  • NullSoft Winamp 5.0.0 1
  • NullSoft Winamp 5.0.0 2
  • NullSoft Winamp 5.0.0 3
  • NullSoft Winamp 5.0.0 4
  • NullSoft Winamp 5.0.0 5
  • NullSoft Winamp 5.0.0 6
  • NullSoft Winamp 5.0.0 7
  • NullSoft Winamp 5.0.0 8
  • NullSoft Winamp 5.05
  • NullSoft Winamp 5.06

References

  • BugTraq: 12381
  • CVE: CVE-2004-1150
  • URL: http://marc.theaimsgroup.com/?l=bugtraq&m=110684140108614&w=2
  • URL: http://www.nsfocus.com/english/homepage/research/0501.htm

Copyright © 1999-2010 Juniper Networks, Inc. All rights reserved.