CVE-2006-0476 - Remote Buffer Overflow vulnerability in Nullsoft Winamp 5.12

CVSS v2 base score: 7.6 (HIGH), vector AV:N/AC:H/Au:N/C:C/I:C/A:C
  Access vector: NETWORK
  Access complexity: HIGH
  Authentication: NONE
  Confidentiality impact: COMPLETE
  Integrity impact: COMPLETE
  Availability impact: COMPLETE
Tags: network, high complexity, nullsoft, nessus, exploit available, metasploit

Summary

Buffer overflow in Nullsoft Winamp 5.12 allows remote attackers to execute arbitrary code via a playlist (pls) file with a long file name (File1 field).

Vulnerable Configurations

Part         Description   Count
Application  Nullsoft      1

Exploit-Db

  • description: Winamp Playlist UNC Path Computer Name Overflow. CVE-2006-0476. Local exploit for windows platform
    id: EDB-ID:16531
    last seen: 2016-02-02
    modified: 2010-04-30
    published: 2010-04-30
    reporter: metasploit
    source: https://www.exploit-db.com/download/16531/
    title: Winamp - Playlist UNC Path Computer Name Overflow
  • description: Winamp. CVE-2006-0476. Remote exploit for windows platform
    file: exploits/windows/remote/1458.cpp
    id: EDB-ID:1458
    last seen: 2016-01-31
    modified: 2006-01-29
    platform: windows
    port:
    published: 2006-01-29
    reporter: ATmaCA
    source: https://www.exploit-db.com/download/1458/
    title: Winamp <= 5.12 - .pls Remote Buffer Overflow Exploit 0Day
    type: remote
  • id: EDB-ID:3422

Metasploit

description: This module exploits a vulnerability in the Winamp media player. This flaw is triggered when an audio file path is specified, inside a playlist, that consists of a UNC path with a long computer name. This module delivers the playlist via the browser. This module has only been successfully tested on Winamp 5.11 and 5.12.
id: MSF:EXPLOIT/WINDOWS/BROWSER/WINAMP_PLAYLIST_UNC
last seen: 2019-12-16
modified: 2017-09-14
published: 2006-04-30
references: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0476
reporter: Rapid7
source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/winamp_playlist_unc.rb
title: Winamp Playlist UNC Path Computer Name Overflow
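The trigger shape described in the Summary and in the Metasploit module description (a PLS playlist whose File1 entry is a UNC path with an oversized computer name), as an added Python example that is not code from this page, from Metasploit or from the Exploit-DB entries: it builds such a playlist for a lab crash test and parses playlists to flag entries of that shape, which is the check a mail or proxy filter would run. The host length (1024), the host-length threshold (255) and the MAX_PATH-based path threshold (260) are assumptions for this example, not values taken from the page or from the exploits.

```python
import re

# Matches "FileN=<path>" lines of a PLS playlist (N is the 1-based entry index).
PLS_FILE_RE = re.compile(r'^File(\d+)\s*=\s*(.*)$', re.IGNORECASE)
# Captures the computer-name component of a UNC path: \\<host>\<share>\...
UNC_RE = re.compile(r'^\\\\([^\\]+)\\')

# Thresholds are assumptions for this example, not values from the page:
# DNS names cap at 253 characters and NetBIOS names at 15, so anything longer
# than 255 can never be a real computer name; 260 is the classic Windows MAX_PATH.
MAX_SANE_HOST_LEN = 255
MAX_SANE_PATH_LEN = 260


def build_pls(paths):
    """Serialise a list of file paths as a version-2 PLS playlist."""
    lines = ['[playlist]']
    for i, path in enumerate(paths, start=1):
        lines.append(f'File{i}={path}')
        lines.append(f'Title{i}=track {i}')
        lines.append(f'Length{i}=-1')
    lines.append(f'NumberOfEntries={len(paths)}')
    lines.append('Version=2')
    return '\r\n'.join(lines) + '\r\n'


def build_trigger_pls(host_len=1024, filler='A'):
    """PLS whose File1 is a UNC path: two leading backslashes, host_len copies
    of filler as the computer name, then a share and a file name.

    This is only the overflow shape (a UNC path with an oversized computer
    name); it carries no payload and is meant for crash testing in a lab.
    host_len=1024 is an arbitrary choice for this example.
    """
    unc = '\\\\' + filler * host_len + '\\share\\track.mp3'
    return build_pls([unc])


def parse_pls(text):
    """Return {entry_index: path} for every FileN= line in a PLS file."""
    entries = {}
    for line in text.splitlines():
        m = PLS_FILE_RE.match(line.strip())
        if m:
            entries[int(m.group(1))] = m.group(2).strip()
    return entries


def unc_host(path):
    """Computer-name component of a UNC path, or None for non-UNC paths."""
    m = UNC_RE.match(path)
    return m.group(1) if m else None


def find_suspicious_entries(text, max_host_len=MAX_SANE_HOST_LEN,
                            max_path_len=MAX_SANE_PATH_LEN):
    """Flag playlist entries matching the CVE-2006-0476 trigger shape.

    Returns [(index, reason, length)] where reason is 'unc-host' for a UNC
    path whose computer name is implausibly long, or 'path' for any other
    entry longer than max_path_len (the Summary only says "long file name").
    """
    hits = []
    for idx, path in sorted(parse_pls(text).items()):
        host = unc_host(path)
        if host is not None and len(host) > max_host_len:
            hits.append((idx, 'unc-host', len(host)))
        elif len(path) > max_path_len:
            hits.append((idx, 'path', len(path)))
    return hits


if __name__ == '__main__':
    sample = build_trigger_pls()   # constructed sample, not a captured file
    print(find_suspicious_entries(sample))
```

Only backslash-style UNC paths are recognised here; if a filter also needs to catch forward-slash spellings it must normalise them first, and the same length check should be applied to every FileN entry, since the Summary names File1 only because that is where the public exploit puts the path.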

Nessus

NASL family: Windows
NASL id: WINAMP_513.NASL
description: The remote host is using Winamp, a popular media player for Windows. It's possible that a remote attacker using a specially crafted M3U or PLS file can cause a buffer overflow in the version of Winamp installed on the remote Windows host, resulting in a crash of the application and even execution of arbitrary code remotely subject to the user's privileges. Note that these issues can reportedly be exploited without user interaction by linking to a '.pls' file in an IFRAME tag.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 20826
published: 2006-01-31
reporter: This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/20826
title: Winamp < 5.13 Playlist Handling Multiple Overflows
code:
#
#  (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description) {
  script_id(20826);
  script_version("1.23");
  script_cvs_date("Date: 2018/08/06 14:03:16");

  script_cve_id("CVE-2005-3188", "CVE-2006-0476");
  script_bugtraq_id(16410, 16462);

  script_name(english:"Winamp < 5.13 Playlist Handling Multiple Overflows");
  script_summary(english:"Checks for multiple buffer overflow vulnerabilities in Winamp < 5.13"); 
 
  script_set_attribute(attribute:"synopsis", value:
"A multimedia application that is vulnerable to multiple buffer
overflows is installed on the remote Windows host." );
  script_set_attribute(attribute:"description", value:
"The remote host is using Winamp, a popular media player for Windows. 

It's possible that a remote attacker using a specially crafted M3U or
PLS file can cause a buffer overflow in the version of Winamp
installed on the remote Windows host, resulting in a crash of the
application and even execution of arbitrary code remotely subject to
the user's privileges.  Note that these issues can reportedly be
exploited without user interaction by linking to a '.pls' file in an
IFRAME tag." );
  script_set_attribute(attribute:"see_also", value:"http://www.vupen.com/exploits/20060129.winamp0day.c.php" );
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?215564e1" );
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?25ab0f36" );
  script_set_attribute(attribute:"see_also", value:"http://www.winamp.com/player/version-history" );
  script_set_attribute(attribute:"solution", value:
"Upgrade to Winamp version 5.13 or later." );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Winamp Playlist UNC Path Computer Name Overflow');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');

  script_set_attribute(attribute:"plugin_publication_date", value: "2006/01/31");
  script_set_attribute(attribute:"vuln_publication_date", value: "2006/01/30");

  script_set_attribute(attribute:"plugin_type", value:"local");

  script_set_attribute(attribute:"cpe", value:"cpe:/a:nullsoft:winamp");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");
  script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");

  script_dependencies("winamp_in_cdda_buffer_overflow.nasl");
  script_require_keys("SMB/Winamp/Version");
  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");

# The version string is read from the KB key populated by the dependency
# plugin declared above; flag anything below the 5.13 fix: 0.x-4.x, 5.0.x,
# and 5.1.0 through 5.1.2 (i.e. Winamp 5.10 to 5.12).
version = get_kb_item_or_exit("SMB/Winamp/Version");
if (version =~ "^([0-4]\.|5\.(0\.|1\.[0-2]([^0-9]|$)))")
{
  if (report_verbosity > 0)
  {
    fixed_version = '5.13';

    path = get_kb_item("SMB/Winamp/Path");
    if (isnull(path)) path = 'n/a';

    report =
      '\n  Path              : ' + path +
      '\n  Installed version : ' + version +
      '\n  Fixed version     : ' + fixed_version + '\n';
    security_hole(port:get_kb_item("SMB/transport"), extra:report);
  }
  else security_hole(get_kb_item("SMB/transport"));
  exit(0);
}
else exit(0, "The host is not affected since Winamp " + version + " is installed.");

Oval

accepted: 2009-11-09T04:00:03.860-05:00
class: vulnerability
contributors:
  • name: Robert L. Hollis
    organization: ThreatGuard, Inc.
  • name: Dragos Prisaca
    organization: Gideon Technologies, Inc.
  • name: Mike Lah
    organization: The MITRE Corporation
definition_extensions:
  comment: Winamp is installed
  oval: oval:org.mitre.oval:def:6897
description: Buffer overflow in Nullsoft Winamp 5.12 allows remote attackers to execute arbitrary code via a playlist (pls) file with a long file name (File1 field).
family: windows
id: oval:org.mitre.oval:def:1402
status: accepted
submitted: 2006-02-01T08:59:00.000-04:00
title: Winamp Hostname Buffer Overflow
version: 5

Packetstorm

data source: https://packetstormsecurity.com/files/download/82961/winamp_playlist_unc.rb.txt
id: PACKETSTORM:82961
last seen: 2016-12-05
published: 2009-11-26
reporter: H D Moore
source: https://packetstormsecurity.com/files/82961/Winamp-Playlist-UNC-Path-Computer-Name-Overflow.html
title: Winamp Playlist UNC Path Computer Name Overflow

Saint

bid: 16410
description: Winamp playlist file buffer overflow
id: misc_winamp
osvdb: 22789
title: winamp_playlist_file
type: client