Vulnerabilities > CVE-2011-3834 - Numeric Errors vulnerability in Nullsoft Winamp

CVSS 0.0 - NONE

Attack vector

UNKNOWN

Attack complexity

UNKNOWN

Privileges required

UNKNOWN

Confidentiality impact

UNKNOWN

Integrity impact

UNKNOWN

Availability impact

UNKNOWN

nullsoft

CWE-189

nessus

NVD

Published: 2011-12-16

Updated: 2017-09-19

Summary

Multiple integer overflows in the in_avi.dll plugin in Winamp before 5.623 allow remote attackers to execute arbitrary code via an AVI file with a crafted value for (1) the number of streams or (2) the size of the RIFF INFO chunk, leading to a heap-based buffer overflow.

Vulnerable Configurations

Part	Description	Count
Application	Nullsoft Nullsoft Winamp 5.57 Nullsoft Winamp 5.093 Nullsoft Winamp 5.552 Nullsoft Winamp 5.24 Nullsoft Winamp 5.111 Nullsoft Winamp 0.92 Nullsoft Winamp 5.09 Nullsoft Winamp 2.6 Nullsoft Winamp 2.9 Nullsoft Winamp 5.31 Nullsoft Winamp 5.05 Nullsoft Winamp 5.23 Nullsoft Winamp 0.20A Nullsoft Winamp 5.112 Nullsoft Winamp 5.02 Nullsoft Winamp 5.551 Nullsoft Winamp 5.01 Nullsoft Winamp 5.53 Nullsoft Winamp 5.531 Nullsoft Winamp 5.33 Nullsoft Winamp 5.54 Nullsoft Winamp 5.5 Nullsoft Winamp 5.34 Nullsoft Winamp 5.6 Nullsoft Winamp 5.12 Nullsoft Winamp 2.91 Nullsoft Winamp 5.21 Nullsoft Winamp 5.094 Nullsoft Winamp 5.572 Nullsoft Winamp 5.3 Nullsoft Winamp 5.55 Nullsoft Winamp 5.04 Nullsoft Winamp 5.32 Nullsoft Winamp 1.90 Nullsoft Winamp 5.58 Nullsoft Winamp 5.56 Nullsoft Winamp 5.08D Nullsoft Winamp 1.006 Nullsoft Winamp 2.0 Nullsoft Winamp 2.10 Nullsoft Winamp 2.92 Nullsoft Winamp 2.95 Nullsoft Winamp 5.0 Nullsoft Winamp 5.1 Nullsoft Winamp 5.2 Nullsoft Winamp 5.03 Nullsoft Winamp 5.06 Nullsoft Winamp 5.07 Nullsoft Winamp 5.08C Nullsoft Winamp 5.08E Nullsoft Winamp 5.11 Nullsoft Winamp 5.13 Nullsoft Winamp 5.22 Nullsoft Winamp 5.35 Nullsoft Winamp 5.36 Nullsoft Winamp 5.51 Nullsoft Winamp 5.52 Nullsoft Winamp 5.59 Nullsoft Winamp 5.61 Nullsoft Winamp 5.63 Nullsoft Winamp 5.091 Nullsoft Winamp 5.541 Nullsoft Winamp 5.581	66

Common Weakness Enumeration (CWE)

CWE-189 - Numeric Errors

Nessus

NASL family	Windows
NASL id	WINAMP_5623.NASL
description	The remote host is running Winamp, a media player for Windows. The version of Winamp installed on the remote host is earlier than 5.623 and thus is reportedly affected by the following integer overflow vulnerabilities : - An integer-overflow vulnerability exists in
last seen	2020-06-01
modified	2020-06-02
plugin id	57363
published	2011-12-21
reporter	This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/57363
title	Winamp < 5.623 Multiple Integer Overflows
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(57363); script_version("1.7"); script_cvs_date("Date: 2018/11/15 20:50:29"); script_cve_id("CVE-2011-3834"); script_bugtraq_id(51015); script_name(english:"Winamp < 5.623 Multiple Integer Overflows"); script_summary(english:"Checks the version number of Winamp"); script_set_attribute(attribute:"synopsis", value: "The remote Windows host contains a multimedia application that is affected by multiple integer overflow vulnerabilities."); script_set_attribute(attribute:"description", value: "The remote host is running Winamp, a media player for Windows. The version of Winamp installed on the remote host is earlier than 5.623 and thus is reportedly affected by the following integer overflow vulnerabilities : - An integer-overflow vulnerability exists in 'in_avi.dll' when allocating memory using the number of stream headers. An attacker can trigger a heap overflow by enticing an unsuspecting user to open a specially crafted AVI file. - An integer-overflow vulnerability exists in 'in_avi.dll' when parsing the 'RIFF INFO' chunk included in an AVI file. An attacker can exploit this issue by enticing an unsuspecting victim to open a specially crafted AVI file. - An integer-overflow vulnerability exists in 'in_avi.dll' when parsing song message data included in an Impulse Tracker (IT) file. Successful exploits will allow arbitrary code to run in the context of the application. Failed attacks will cause denial of service conditions."); script_set_attribute(attribute:"solution", value:"Upgrade to Winamp 5.623 (5.6.2.3199) or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"see_also", value:"https://secuniaresearch.flexerasoftware.com/secunia_research/2011-81/"); script_set_attribute(attribute:"see_also", value:"http://forums.winamp.com/showthread.php?t=332010"); script_set_attribute(attribute:"vuln_publication_date", value:"2011/09/12"); script_set_attribute(attribute:"patch_publication_date", value:"2011/09/12"); script_set_attribute(attribute:"plugin_publication_date", value:"2011/12/21"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:nullsoft:winamp"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows"); script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc."); script_dependencies("winamp_in_cdda_buffer_overflow.nasl"); script_require_keys("SMB/Winamp/Version"); exit(0); } include("global_settings.inc"); include("misc_func.inc"); version = get_kb_item_or_exit("SMB/Winamp/Version"); fixed_version = "5.6.2.3199"; if (ver_compare(ver:version, fix:fixed_version, strict:FALSE) == -1) { port = get_kb_item("SMB/transport"); if (report_verbosity > 0) { path = get_kb_item("SMB/Winamp/Path"); if (isnull(path)) path = 'n/a'; report = '\n Path : ' + path + '\n Installed version : ' + version + '\n Fixed version : ' + fixed_version + '\n'; security_hole(port:port, extra:report); } else security_hole(port); exit(0); } else exit(0, "The Winamp " + version + " install on the host is not affected.");

Oval

accepted

2014-04-07T04:01:53.423-04:00

class

vulnerability

contributors

name Shane Shaffer
organization G2, Inc.
name Shane Shaffer
organization G2, Inc.
name Maria Mikhno
organization ALTX-SOFT

definition_extensions

comment	Winamp is installed
oval	oval:org.mitre.oval:def:6897

description

family

windows

oval:org.mitre.oval:def:14981

status

accepted

submitted

2012-07-20T09:18:28.692-04:00

title

Multiple integer overflows in the in_avi.dll plugin in Winamp before 5.623

version

Seebug

bulletinFamily	exploit
description	BUGTRAQ ID: 51015 CVE ID: CVE-2011-3834,CVE-2011-4857 Winamp是流行的通用音乐播放器。 Winamp在实现上存在多个整数溢出漏洞，攻击者可利用这些漏洞执行任意代码。 1）当使用流标头分配内存时，in_avi.dll插件中的整数溢出错误可通过特制的AVI文件导致堆缓冲区溢出。 2）在使用RIFF INFO块尺寸值分配内存时，in_avi.dll插件中的整数溢出错误可通过特制的AVI文件导致堆缓冲区溢出。 0 Nullsoft Winamp 5.x 厂商补丁： Nullsoft -------- 目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载： http://www.winamp.com/
id	SSV:26102
last seen	2017-11-19
modified	2011-12-24
published	2011-12-24
reporter	Root
title	Winamp 5.x 多个整数溢出漏洞

bulletinFamily	exploit
description	Bugtraq ID: 51015 CVE ID：CVE-2011-3834 Winamp是一款流行的媒体播放器。 Winamp存在多个安全漏洞，允许攻击者以应用程序上下文执行任意代码。 -当使用流头字段数值分配内存时in_avi.dll插件存在整数溢出，通过特制的AVI文件可触发基于堆的缓冲区溢出。 -当使用RIFF INFO块大小值分配内存时in_avi.dll插件存在整数溢出，通过特制的AVI文件可触发基于堆的缓冲区溢出。 -解析Impulse Tracker (IT)文件中歌曲消息数据时in_mod.dll插件存在错误，可被触发基于堆的缓冲区溢出 NullSoft Winamp 5.x 厂商解决方案 NullSoft Winamp 5.623已经修复此漏洞，建议用户下载使用： http://forums.winamp.com/showthread.php?t=332010
id	SSV:26049
last seen	2017-11-19
modified	2011-12-14
published	2011-12-14
reporter	Root
title	Winamp 5.x 整数溢出漏洞

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Nessus

Oval

Seebug

References