CVE-2004-0964 - Remote Buffer Overflow vulnerability in Zinf Malformed Playlist File

047910
CVSS 10.0 - CRITICAL
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE

Tags: network, low complexity, zinf, debian, critical, nessus, exploit available, metasploit

Summary

Buffer overflow in Zinf 2.2.1 on Windows, and other older versions for Linux, allows remote attackers or local users to execute arbitrary code via certain values in a .pls file.

Vulnerable Configurations

Part         Description   Count
Application  Zinf          1
OS           Debian        11

Exploit-Db

  • description: Zinf Audio Player 2.2.1 (.pls) Universal Seh Overwrite Exploit. CVE-2004-0964. Local exploit for windows platform
    id: EDB-ID:8267
    last seen: 2016-02-01
    modified: 2009-03-23
    published: 2009-03-23
    reporter: His0k4
    source: https://www.exploit-db.com/download/8267/
    title: Zinf Audio Player 2.2.1 - .pls Universal Seh Overwrite Exploit
  • description: Zinf Audio Player 2.2.1 (PLS File) Local Buffer Overflow Exploit (univ). CVE-2004-0964. Local exploit for windows platform
    id: EDB-ID:7888
    last seen: 2016-02-01
    modified: 2009-01-28
    published: 2009-01-28
    reporter: Houssamix
    source: https://www.exploit-db.com/download/7888/
    title: Zinf Audio Player 2.2.1 PLS File Local Buffer Overflow Exploit univ
  • description: Zinf Audio Player 2.2.1 - (.pls) Buffer Overflow Vulnerability (DEP BYPASS). CVE-2004-0964. Local exploit for windows platform
    id: EDB-ID:17600
    last seen: 2016-02-02
    modified: 2011-08-03
    published: 2011-08-03
    reporter: C4SS!0 and h1ch4m
    source: https://www.exploit-db.com/download/17600/
    title: Zinf Audio Player 2.2.1 - .pls Buffer Overflow Vulnerability DEP BYPASS
  • description: Zinf 2.2.1 Local Buffer Overflow Exploit. CVE-2004-0964. Local exploit for windows platform
    id: EDB-ID:559
    last seen: 2016-01-31
    modified: 2004-09-28
    published: 2004-09-28
    reporter: Delikon
    source: https://www.exploit-db.com/download/559/
    title: Zinf 2.2.1 - Local Buffer Overflow Exploit
  • description: Zinf Audio Player 2.2.1 (PLS File) Stack Buffer Overflow. CVE-2004-0964. Local exploit for windows platform
    id: EDB-ID:16688
    last seen: 2016-02-02
    modified: 2010-11-24
    published: 2010-11-24
    reporter: metasploit
    source: https://www.exploit-db.com/download/16688/
    title: Zinf Audio Player 2.2.1 PLS File Stack Buffer Overflow
  • description: Zinf Audio Player 2.2.1 (PLS File) Stack Overflow PoC. CVE-2004-0964. Dos exploit for windows platform
    id: EDB-ID:7887
    last seen: 2016-02-01
    modified: 2009-01-27
    published: 2009-01-27
    reporter: Hakxer
    source: https://www.exploit-db.com/download/7887/
    title: Zinf Audio Player 2.2.1 PLS File Stack Overflow PoC

Metasploit

description: This module exploits a stack-based buffer overflow in the Zinf Audio Player 2.2.1. An attacker must send the file to the victim, and the victim must open it. Alternatively, it may be possible to execute code remotely via an embedded PLS file within a browser when the PLS extension is registered to Zinf. This functionality has not been tested in this module.
id: MSF:EXPLOIT/WINDOWS/FILEFORMAT/ZINFAUDIOPLAYER221_PLS
last seen: 2020-01-12
modified: 2017-11-08
published: 2009-04-29
references: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0964
reporter: Rapid7
source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/fileformat/zinfaudioplayer221_pls.rb
title: Zinf Audio Player 2.2.1 (PLS File) Stack Buffer Overflow

Nessus

NASL family: Debian Local Security Checks
NASL id: DEBIAN_DSA-587.NASL
description: Luigi Auriemma discovered a buffer overflow condition in the playlist module of freeamp which could lead to arbitrary code execution. Recent versions of freeamp were renamed to zinf.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 15685
published: 2004-11-10
reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/15685
title: Debian DSA-587-1 : freeamp - buffer overflow
code:
#%NASL_MIN_LEVEL 80502

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Debian Security Advisory DSA-587. The text 
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(15685);
  script_version("1.19");
  script_cvs_date("Date: 2019/08/02 13:32:18");

  script_cve_id("CVE-2004-0964");
  script_xref(name:"DSA", value:"587");

  script_name(english:"Debian DSA-587-1 : freeamp - buffer overflow");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Luigi Auriemma discovered a buffer overflow condition in the playlist
module of freeamp which could lead to arbitrary code execution. Recent
versions of freeamp were renamed into zinf."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.debian.org/security/2004/dsa-587"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"Upgrade the freeamp packages.

For the stable distribution (woody) this problem has been fixed in
version 2.1.1.0-4woody2."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Zinf Audio Player 2.2.1 (PLS File) Stack Buffer Overflow');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:freeamp");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2004/11/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/11/10");
  script_set_attribute(attribute:"vuln_publication_date", value:"2004/09/24");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("debian_package.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;
if (deb_check(release:"3.0", prefix:"freeamp", reference:"2.1.1.0-4woody2")) flag++;
if (deb_check(release:"3.0", prefix:"freeamp-doc", reference:"2.1.1.0-4woody2")) flag++;
if (deb_check(release:"3.0", prefix:"freeamp-extras", reference:"2.1.1.0-4woody2")) flag++;
if (deb_check(release:"3.0", prefix:"libfreeamp-alsa", reference:"2.1.1.0-4woody2")) flag++;
if (deb_check(release:"3.0", prefix:"libfreeamp-esound", reference:"2.1.1.0-4woody2")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");

Packetstorm

data source: https://packetstormsecurity.com/files/download/83051/zinfaudioplayer221_pls.rb.txt
id: PACKETSTORM:83051
last seen: 2016-12-05
published: 2009-11-26
reporter: patrick
source: https://packetstormsecurity.com/files/83051/Zinf-Audio-Player-2.2.1-PLS-File-Stack-Overflow..html
title: Zinf Audio Player 2.2.1 (PLS File) Stack Overflow.