CVE-2004-1119
Published 2005-01-10
Priority: P3 46 · Severity: critical · CVSS 2.0 base score: 10 · Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT · EPSS: 17.26% (96.7th percentile)
Stack-based buffer overflow in IN_CDDA.dll in Winamp 5.05, and possibly other versions including 5.06, allows remote attackers to execute arbitrary code via a certain .m3u playlist file.
Affected
6 ranges listed, all with vendor nullsoft and product winamp; no version range or fixed-in value is recorded for any of them.
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nullsoft | winamp | — | — |
Detection & IOCs (extracted from sources)
Bytes:
\xB8\x75\xC1\xe4\x88\x2D\x11\x11\x11\x11\x50\x59\x33\xc0\x50\x68\x42\x6f\x6f\x6d\x54\x5a\x50\x50\x52\x50\x53\x51\xc3
- Exploit .m3u files must NOT contain #EXTINF metadata lines; the presence of #EXTINF prevents the vulnerable code path from being reached. Absence of #EXTINF in a .cda-referencing .m3u is a suspicious indicator.
- The exploit payload uses the string 'C:\1234567890ab' as stack padding followed by a 4-byte return address overwrite. Scan .m3u files for entries beginning with this padding pattern.
- The shellcode return address targets offset 0x1002355b within in_cdda.dll's .data section. EIP/return address values near 0x10023000–0x10024000 during Winamp crashes may indicate exploitation.
- The exploit file header begins with the literal string '#EXTM3U' followed by a malicious .cda entry. Combine this with NOP sled detection (long runs of 0x90 bytes) inside .m3u files for a high-confidence signature.
- The hardcoded return address (0x1002355b) and shellcode MessageBoxA address (0x77D3b064) are specific to a single OS build (xpsp2.030429-213). Real-world exploits targeting other Windows versions would use different addresses.
- The PoC was tested on Winamp 5.02 despite the advisory title referencing 5.06; the vulnerability also affects 5.05 per NVD. Detection rules should cover all Winamp 5.x versions up to and including 5.06.
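The indicators above translate directly into a file-level heuristic scanner. The following is an added example, not code from any of the advisory sources or from the Winamp project: it checks a playlist's raw bytes for the three file-content indicators the list gives (a .cda entry with no #EXTINF lines, an entry beginning with the 'C:\1234567890ab' padding string, and a long run of 0x90 bytes), and reports the '#EXTM3U' header plus .cda combination when it co-occurs with a payload indicator. The run length treated as a NOP sled (`NOP_SLED_MIN`), the verdict tiers in `classify`, and the sample playlists are assumptions made for this example; the sample that mimics the exploit shape uses a four-byte placeholder where a return address would sit and contains no shellcode.

```python
"""Heuristic scanner for .m3u playlists based on the indicators listed above.

Added example; not code from the advisory sources. NOP_SLED_MIN, the verdict
tiers and the sample playlists are assumptions of this example.
"""
import re

# Indicator strings quoted on the page: the PoC's stack padding and the header.
PADDING_PATTERN = b"C:\\1234567890ab"
M3U_HEADER = b"#EXTM3U"

# Assumed threshold for "long run of 0x90 bytes"; tune to taste.
NOP_SLED_MIN = 16
NOP_SLED_RE = re.compile(rb"\x90{%d,}" % NOP_SLED_MIN)


def scan_m3u(data: bytes) -> list:
    """Return the names of the indicators found in a playlist's raw bytes."""
    findings = []
    lines = data.splitlines()
    has_header = bool(lines) and lines[0].lstrip().startswith(M3U_HEADER)
    has_extinf = any(ln.lstrip().startswith(b"#EXTINF") for ln in lines)
    # Playlist entries are the non-empty lines that are not '#' directives.
    entries = [ln for ln in lines if ln.strip() and not ln.lstrip().startswith(b"#")]
    cda_entries = [e for e in entries if b".cda" in e.lower()]

    # A .cda-referencing playlist with no #EXTINF metadata at all.
    if cda_entries and not has_extinf:
        findings.append("cda-without-extinf")
    # An entry that begins with the PoC's stack-padding string.
    if any(e.lstrip().startswith(PADDING_PATTERN) for e in entries):
        findings.append("padding-pattern")
    # A long run of 0x90 bytes anywhere in the file.
    if NOP_SLED_RE.search(data):
        findings.append("nop-sled")
    # Header + .cda entry + a payload indicator: the high-confidence combination.
    if has_header and cda_entries and (
        "nop-sled" in findings or "padding-pattern" in findings
    ):
        findings.append("header-plus-cda-payload")
    return findings


def classify(findings) -> str:
    """Map findings to a verdict. The tiers are an assumption of this example."""
    if "padding-pattern" in findings or "nop-sled" in findings:
        return "high"
    if findings:
        return "suspicious"
    return "clean"


# Constructed sample playlists (not taken from any real exploit file).
BENIGN_PLAYLIST = b"#EXTM3U\n#EXTINF:123,Track One\nC:\\Music\\track1.mp3\n"
CDA_NO_EXTINF = b"#EXTM3U\nD:\\Track01.cda\n"
PAYLOAD_SHAPED = (
    M3U_HEADER + b"\n"
    + PADDING_PATTERN
    + b"XXXX"            # placeholder for the 4-byte return address overwrite
    + b"\x90" * 32       # constructed 0x90 run standing in for a NOP sled
    + b".cda\n"
)


def scan_file(path: str) -> str:
    """Scan a playlist on disk and return its verdict."""
    with open(path, "rb") as fh:
        return classify(scan_m3u(fh.read()))


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_PLAYLIST),
                         ("cda-no-extinf", CDA_NO_EXTINF),
                         ("payload-shaped", PAYLOAD_SHAPED)):
        found = scan_m3u(sample)
        print(f"{name:15} {classify(found):10} {found}")
```

Run it as-is to see the three constructed samples classified, or call `scan_file` on real playlists. Note that the first indicator alone only yields "suspicious": a hand-written playlist of audio-CD tracks can legitimately omit #EXTINF, so that check is a triage signal, not a signature on its own.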
No detection rules found.
No writeups or analysis indexed.
References:
- http://archives.neohapsis.com/archives/bugtraq/2004-11/0369.html
- http://marc.info/?l=bugtraq&m=110123330404482&w=2
- http://marc.info/?l=bugtraq&m=110146036300803&w=2
- http://marc.info/?l=ntbugtraq&m=110126352412395&w=2
- http://marc.info/?l=ntbugtraq&m=110135574326217&w=2
- http://secunia.com/advisories/13269/
- http://www.kb.cert.org/vuls/id/986504
- http://www.security-assessment.com/Papers/Winamp_IN_CDDA_Buffer_Overflow.pdf
- http://www.securityfocus.com/bid/11730
- https://exchange.xforce.ibmcloud.com/vulnerabilities/18197