Vulnerability Note VU#986504

WinAmp playlist handling may allow a remote buffer overflow and arbitrary code execution

Original Release date: 21 Feb 2005 | Last revised: 21 Feb 2005

Overview

WinAmp contains a flaw which may allow a remote system compromise if a maliciously crafted playlist is loaded.

Description

Nullsoft's WinAmp is a multimedia system for Microsoft Windows. WinAmp allows users to create and use "playlists" to play their multimedia files in a customized order.

WinAmp versions previous to 5.08c contain a flaw in playlist handling code which may allow arbitrary code to be executed. In addition, WinAmp playlists may be loaded from remote locations on the Internet without user intervention, so this flaw may be exploited by a remote user.

This WinAmp flaw exposes a stack-based buffer overflow, which allows remote execution of arbitrary code. A playlist which contains a long device name or file number for some types of files (including .cda) may overflow the handler code in the IN_CDDA.dll plug-in and execute arbitrary code.

Also, the default configuration of Internet Explorer and WinAmp will open remote .pls and .m3u playlist files without prompting the user. Other web browsers (due to user settings or defaults) may also open these types of files automatically. As such, a standard HTML document can embed a playlist file to automatically load when the user follows a normal link to this malicious page. This creates a condition where it is possible to exploit the flaw by simply loading an innocuous-looking web page.

Impact

WinAmp may encounter a stack-based buffer overflow condition which would allow remote arbitrary code execution under the privileges of the user running WinAmp. This could lead to total system compromise and control by a malicious attacker.

Solution

Apply an update

This flaw has been corrected in WinAmp version 5.08c and later. Download and install the latest version from:

<http://www.winamp.com/player/>

Note: This flaw has been re-discovered in a series of the latest WinAmp releases. Should the flaw re-occur again, a recommended course of action until an update is developed is:

Do not open unknown .cda, .pls or .m3u files.
Do not open .cda, .pls or .m3u files automatically with WinAmp in your web browser.

Of course, these recommendations always apply to any unknown files and file types. It is also always advised for all users to ensure their browser settings prompt for the desired action (Save, Cancel, Open) with all file types that may load remote data, such as WinAmp .pls or .m3u playlist file types.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
NullsoftAffected28 Jan 200521 Feb 2005
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

Thanks to Brett Moore for reporting this vulnerability.

This document was written by Ken MacInnis.

Other Information

  • CVE IDs: CAN-2004-1119
  • Date Public: 23 Nov 2004
  • Date First Published: 21 Feb 2005
  • Date Last Updated: 21 Feb 2005
  • Severity Metric: 14.03
  • Document Revision: 26

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.