Nullsoft Winamp CAF Buffer Overflow
03/26/2020 
3 
9429
DESCRIPTION:
Nullsoft Winamp CAF Buffer Overflow
RESOLUTION:
Nullsoft Winamp CAF Buffer Overflow (Mar 6, 2009) https://www.mysonicwall.com/SonicAlert/index.asp?ev=article&id=109
Nullsoft Winamp is a widely used multimedia player application that is capable of playing numerous media file formats. In addition to playing CD tracks, MPEG, and the popular MP3 format, Winamp also plays Apple's Core Audio Format (CAF) files.
The CAF file is meant to store and manipulate digital audio data. The format of this specification consists of a simple header followed by data chunks. The first chunk of a CAF file is called the Audio Description chunk, and is required to immediately follow the header. This chunk describes the format of the data.
A breakdown of the Audio Description chunk is shown:
offset size description
------- -------- ------------------------------------------------
0x0000 4 chunk type ('desc') 0x0004 8 chunk size (sizeof(data))
0x000c var data
The structure of the data field can be broken down as follows:
offset size description
------- -------- ------------------------------------------------
0x0000 8 sample rate
0x0008 4 format ID
0x000c 4 format flags
0x0010 4 bytes per packet
0x0014 4 frames per packet
0x0018 4 channels per frame
0x001c 4 bits per channel
An integer overflow vulnerability exists in Winamp's processing of CAF files. Specifically, the flaw is due to lack of validation of a field value in the Audio Description chunk. Under specific circumstances, the code will use a value, directly derived from the said chunk, in a calculation of a heap buffer size. The affected value can be manipulated to cause an integer overflow which will result in the allocation of a buffer of insufficient size.
Remote attackers may exploit this vulnerability by enticing the target user to open a malicious CAF file using a vulnerable version of Winamp. Successful exploitation may cause a heap buffer overflow that results in process flow diversion.
SonicWall has released an IPS signature to detect and block specific exploits targeting this vulnerability. The following signature addresses this issue:
- 5417 - Nullsoft Winamp CAF File Processing Integer Overflow PoC
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
