Nullsoft Winamp CAF Buffer Overflow (Mar 6, 2009)


Nullsoft Winamp is a widely used multimedia player application that is capable of playing numerous media file formats. In addition to playing CD tracks, MPEG, and the popular MP3 format, Winamp also plays Apple’s Core Audio Format (CAF) files.

The CAF file is meant to store and manipulate digital audio data. The format of this specification consists of a simple header followed by data chunks. The first chunk of a CAF file is called the Audio Description chunk, and is required to immediately follow the header. This chunk describes the format of the data.
A breakdown of the Audio Description chunk is shown:

 offset  size     description ------- -------- ------------------------------------------------ 0x0000  4        chunk type ('desc') 0x0004  8        chunk size (sizeof(data)) 0x000c  var      data

The structure of the data field can be broken down as follows:

 offset  size     description ------- -------- ------------------------------------------------ 0x0000  8        sample rate 0x0008  4        format ID 0x000c  4        format flags 0x0010  4        bytes per packet 0x0014  4        frames per packet 0x0018  4        channels per frame 0x001c  4        bits per channel

An integer overflow vulnerability exists in Winamp’s processing of CAF files. Specifically, the flaw is due to lack of validation of a field value in the Audio Description chunk. Under specific circumstances, the code will use a value, directly derived from the said chunk, in a calculation of a heap buffer size. The affected value can be manipulated to cause an integer overflow which will result in the allocation of a buffer of insufficient size.
Remote attackers may exploit this vulnerability by enticing the target user to open a malicious CAF file using a vulnerable version of Winamp. Successful exploitation may cause a heap buffer overflow that results in process flow diversion.

SonicWALL has released an IPS signature to detect and block specific exploits targeting this vulnerability. The following signature addresses this issue:

  • 5417 – Nullsoft Winamp CAF File Processing Integer Overflow PoC
Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.