SonicWall Security Center


Nullsoft Winamp CAF Buffer Overflow (Mar 6, 2009)



Description


Nullsoft Winamp is a widely used multimedia player application that is capable of playing numerous media file formats. In addition to playing CD tracks, MPEG, and the popular MP3 format, Winamp also plays Apple's Core Audio Format (CAF) files.

The CAF format is designed to store and manipulate digital audio data. A CAF file consists of a simple file header followed by a sequence of chunks. The first chunk of a CAF file, the Audio Description chunk, is required to immediately follow the header; it describes the format of the audio data.
The layout of the Audio Description chunk is shown below:

offset  size     description
------- -------- ------------------------------------------------
0x0000  4        chunk type ('desc')
0x0004  8        chunk size (sizeof(data))
0x000c  var      data

The structure of the data field can be broken down as follows:

offset  size     description
------- -------- ------------------------------------------------
0x0000  8        sample rate
0x0008  4        format ID
0x000c  4        format flags
0x0010  4        bytes per packet
0x0014  4        frames per packet
0x0018  4        channels per frame
0x001c  4        bits per channel

An integer overflow vulnerability exists in Winamp's processing of CAF files. Specifically, the flaw is due to a lack of validation of a field value in the Audio Description chunk. Under specific circumstances, the code uses a value derived directly from that chunk in the calculation of a heap buffer size. The affected value can be manipulated to cause an integer overflow, which results in the allocation of a buffer that is too small for the data subsequently written into it.
Remote attackers may exploit this vulnerability by enticing the target user to open a malicious CAF file with a vulnerable version of Winamp. Successful exploitation may cause a heap buffer overflow that results in diversion of process flow.
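The following C program is an added example, not Winamp's code and not part of the original alert. It parses a 'desc' chunk using the two tables above (type, 8-byte size, then the fixed 32-byte data block; the big-endian byte order is taken from the CAF specification, which the alert does not state) and then sizes a decode buffer two ways. The sizing formula (frames per packet x channels per frame x bytes per sample) and the 64 MiB cap are assumptions chosen to illustrate the bug class: the unchecked version multiplies in 32 bits and wraps on a hostile chunk, while the checked version range-checks each field and multiplies in 64 bits so that an oversized product is rejected before any allocation.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Audio Description chunk data; field order and sizes follow the tables above. */
typedef struct {
    double   sample_rate;
    uint32_t format_id;
    uint32_t format_flags;
    uint32_t bytes_per_packet;
    uint32_t frames_per_packet;
    uint32_t channels_per_frame;
    uint32_t bits_per_channel;
} caf_desc_t;

#define CAF_CHUNK_HDR_SIZE   12u                 /* 4-byte type + 8-byte size            */
#define CAF_DESC_DATA_SIZE   32u                 /* 8 + 6 * 4 bytes of desc data          */
#define CAF_DESC_CHUNK_SIZE  (CAF_CHUNK_HDR_SIZE + CAF_DESC_DATA_SIZE)
#define CAF_MAX_PACKET_BYTES (64u << 20)         /* assumed application cap: 64 MiB       */

/* CAF integers are big-endian (CAF specification; not stated in the alert). */
static uint32_t rd_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static uint64_t rd_be64(const uint8_t *p) { return ((uint64_t)rd_be32(p) << 32) | rd_be32(p + 4); }
static void wr_be32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}
static void wr_be64(uint8_t *p, uint64_t v) { wr_be32(p, (uint32_t)(v >> 32)); wr_be32(p + 4, (uint32_t)v); }

/* Parse one 'desc' chunk (header + data). Returns 0 on success, -1 if malformed or truncated. */
int caf_parse_desc(const uint8_t *buf, size_t len, caf_desc_t *out)
{
    if (len < CAF_CHUNK_HDR_SIZE || memcmp(buf, "desc", 4) != 0) return -1;
    if (rd_be64(buf + 4) != CAF_DESC_DATA_SIZE) return -1;        /* desc data is fixed-size  */
    if (len - CAF_CHUNK_HDR_SIZE < CAF_DESC_DATA_SIZE) return -1;  /* chunk runs past buffer   */
    const uint8_t *d = buf + CAF_CHUNK_HDR_SIZE;
    uint64_t rate_bits = rd_be64(d);
    memcpy(&out->sample_rate, &rate_bits, sizeof out->sample_rate); /* IEEE-754 double        */
    out->format_id          = rd_be32(d + 0x08);
    out->format_flags       = rd_be32(d + 0x0c);
    out->bytes_per_packet   = rd_be32(d + 0x10);
    out->frames_per_packet  = rd_be32(d + 0x14);
    out->channels_per_frame = rd_be32(d + 0x18);
    out->bits_per_channel   = rd_be32(d + 0x1c);
    return 0;
}

/* Serialise a desc chunk (used only to construct test input in this example). */
void caf_build_desc(uint8_t out[CAF_DESC_CHUNK_SIZE], const caf_desc_t *d)
{
    uint64_t rate_bits;
    memcpy(out, "desc", 4);
    wr_be64(out + 4, CAF_DESC_DATA_SIZE);
    memcpy(&rate_bits, &d->sample_rate, sizeof rate_bits);
    wr_be64(out + CAF_CHUNK_HDR_SIZE, rate_bits);
    wr_be32(out + CAF_CHUNK_HDR_SIZE + 0x08, d->format_id);
    wr_be32(out + CAF_CHUNK_HDR_SIZE + 0x0c, d->format_flags);
    wr_be32(out + CAF_CHUNK_HDR_SIZE + 0x10, d->bytes_per_packet);
    wr_be32(out + CAF_CHUNK_HDR_SIZE + 0x14, d->frames_per_packet);
    wr_be32(out + CAF_CHUNK_HDR_SIZE + 0x18, d->channels_per_frame);
    wr_be32(out + CAF_CHUNK_HDR_SIZE + 0x1c, d->bits_per_channel);
}

/* Hypothetical decode-buffer sizing (frames * channels * bytes per sample); not Winamp's formula. */
/* Unchecked: the 32-bit product wraps, so a hostile chunk yields a tiny allocation. */
uint32_t caf_packet_bytes_unchecked(const caf_desc_t *d)
{
    uint32_t bytes_per_sample = (d->bits_per_channel + 7) / 8;
    return d->frames_per_packet * d->channels_per_frame * bytes_per_sample;
}
/* Checked: range-check each field, multiply in 64 bits, reject anything over the cap. */
int caf_packet_bytes_checked(const caf_desc_t *d, uint32_t *out)
{
    if (d->bits_per_channel == 0 || d->bits_per_channel > 64) return -1;
    if (d->channels_per_frame == 0 || d->frames_per_packet == 0) return -1;
    uint64_t n = (uint64_t)d->frames_per_packet * d->channels_per_frame;   /* cannot wrap in 64 bits */
    if (n > CAF_MAX_PACKET_BYTES) return -1;
    n *= (d->bits_per_channel + 7) / 8;                                    /* at most 8x, still fits  */
    if (n > CAF_MAX_PACKET_BYTES) return -1;
    *out = (uint32_t)n;
    return 0;
}

/* Round-trip helpers: build a chunk from constructed values, parse it back, size the buffer. */
static int caf_demo_roundtrip(uint32_t frames, uint32_t channels, uint32_t bits, caf_desc_t *parsed)
{
    caf_desc_t in = { 44100.0, 0x6c70636d /* 'lpcm' */, 0, 0, frames, channels, bits };
    uint8_t buf[CAF_DESC_CHUNK_SIZE];
    caf_build_desc(buf, &in);
    return caf_parse_desc(buf, sizeof buf, parsed);
}
uint32_t caf_demo_unchecked(uint32_t frames, uint32_t channels, uint32_t bits)
{
    caf_desc_t d;
    return caf_demo_roundtrip(frames, channels, bits, &d) == 0 ? caf_packet_bytes_unchecked(&d) : 0;
}
int64_t caf_demo_checked(uint32_t frames, uint32_t channels, uint32_t bits)
{
    caf_desc_t d; uint32_t sz;
    if (caf_demo_roundtrip(frames, channels, bits, &d) != 0) return -1;
    return caf_packet_bytes_checked(&d, &sz) == 0 ? (int64_t)sz : -1;
}
/* A chunk cut one byte short of its declared data must be rejected by the parser. */
int caf_demo_truncated(void)
{
    caf_desc_t in = { 44100.0, 0x6c70636d, 0, 0, 1, 1, 8 }, out;
    uint8_t buf[CAF_DESC_CHUNK_SIZE];
    caf_build_desc(buf, &in);
    return caf_parse_desc(buf, CAF_DESC_CHUNK_SIZE - 1, &out);
}

int main(void)
{
    printf("sane desc    (1024 x 2 ch x 16 bit):        checked=%lld unchecked=%u\n",
           (long long)caf_demo_checked(1024, 2, 16), caf_demo_unchecked(1024, 2, 16));
    printf("hostile desc (1 x 0x40000000 ch x 32 bit):  checked=%lld unchecked=%u\n",
           (long long)caf_demo_checked(1, 0x40000000u, 32), caf_demo_unchecked(1, 0x40000000u, 32));
    printf("truncated chunk parse result: %d\n", caf_demo_truncated());
    return 0;
}
```

The hostile chunk (one frame, 0x40000000 channels, 32 bits per channel) shows the failure mode the alert describes: the unchecked product is exactly 2^32 and wraps to 0, so a 32-bit allocator would hand back a zero-length buffer for a packet the decoder then fills. The checked path rejects the same chunk before any allocation, and the truncation test shows the parser refusing a chunk whose declared size exceeds the bytes actually present.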

SonicWALL has released an IPS signature to detect and block specific exploits targeting this vulnerability. The following signature addresses this issue:
  • 5417 - Nullsoft Winamp CAF File Processing Integer Overflow PoC


