Juniper Networks

Signature Detail


Short Name: HTTP:STC:WINAMP:AU-OF1
Severity: Low
Recommended: No
Category: HTTP
Keywords: winamp mp3 overflow http
Release Date: 2003/04/22
Update Number: 1213
Supported Platforms: idp-4.0+, isg-3.0+, j-series-9.5+, mx-9.4+, srx-9.2+, srx-branch-9.4+, vsrx-12.1+

HTTP: WinAmp AutoUpdate Buffer Overflow


This signature detects attempts to exploit a known vulnerability in WinAmp. WinAmp 2.80a and earlier are vulnerable. By default, WinAmp automatically contacts www.winamp.com for update information upon startup. Attackers can operate a malicious server that sends an extremely long response to a client's WinAmp update request, causing a buffer overflow.

Extended Description

Nullsoft Winamp is a media player for Microsoft Windows supporting MP3 and other filetypes. Winamp is vulnerable to a buffer overflow condition when checking for updated versions. A malicious server located at www.winamp.com may return a malicious response. Exploitation may result in the execution of arbitrary code as the Winamp process. It may be possible to exploit this vulnerability if an attacker can control the resolution of the www.winamp.com domain, possibly through DNS cache poisoning.

Affected Products

  • NullSoft Winamp 2.50.0
  • NullSoft Winamp 2.60.0 (full)
  • NullSoft Winamp 2.60.0 (lite)
  • NullSoft Winamp 2.61.0 (full)
  • NullSoft Winamp 2.62.0 (standard)
  • NullSoft Winamp 2.64.0 (standard)
  • NullSoft Winamp 2.65.0
  • NullSoft Winamp 2.70.0
  • NullSoft Winamp 2.70.0 (full)
  • NullSoft Winamp 2.71.0
  • NullSoft Winamp 2.72.0
  • NullSoft Winamp 2.73.0
  • NullSoft Winamp 2.73.0 (full)
  • NullSoft Winamp 2.74.0
  • NullSoft Winamp 2.75.0
  • NullSoft Winamp 2.76.0
  • NullSoft Winamp 2.77.0
  • NullSoft Winamp 2.78.0
  • NullSoft Winamp 2.79.0
  • NullSoft Winamp 2.80.0

References

  • BugTraq: 5170
  • URL: http://online.securityfocus.com/archive/1/280786

Copyright © 1999-2010 Juniper Networks, Inc. All rights reserved.