CVE-2006-5567
Published 2006-10-27
Priority: P267, critical, 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 13.48% (96.0th percentile)
Multiple heap-based buffer overflows in AOL Nullsoft WinAmp before 5.31 allow user-assisted remote attackers to execute arbitrary code via a crafted (1) ultravox-max-msg header to the Ultravox protocol handler or (2) unspecified Lyrics3 tags.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nullsoft | winamp | — | — |
| nullsoft | winamp | — | — |
Detection & IOCs (extracted from sources)
- Detect exploitation attempts by monitoring HTTP responses containing both 'Content-Type: misc/ultravox' and an 'Ultravox-Max-Msg' header with an abnormally large integer value (e.g., near DWORD max such as 4294965247 or 1073739776), which triggers the heap overflow in WinAmp's Ultravox protocol handler.
- CVE-2006-5567 affects AOL Nullsoft WinAmp versions before 5.31. Identify vulnerable hosts by detecting WinAmp versions < 5.31 in the environment.
- The PoC exploit is a Denial of Service / crash proof-of-concept and does not include shellcode for arbitrary code execution; the NVD advisory notes the vulnerability is capable of arbitrary code execution with a fully weaponized payload.
- The exploit requires user interaction: the victim must open a crafted stream URL in WinAmp pointing to the attacker-controlled server.
- A second attack vector via Lyrics3 tags is mentioned but no technical details or IOCs are provided in the available sources.
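The first indicator above can be checked against captured HTTP response heads as follows. This is an added example, not a rule from the sources or from any vendor; the limit `ASSUMED_MAX_MSG_LIMIT`, the function names and the sample responses are constructed assumptions, and only the two large values are taken from the indicator text.

```python
# Added example: flag responses that pair Content-Type: misc/ultravox with an
# abnormally large Ultravox-Max-Msg value. The limit is an assumption; tune it
# against Ultravox streams that are known to be legitimate in your environment.
ASSUMED_MAX_MSG_LIMIT = 1 << 20  # hypothetical ceiling, not a protocol constant


def parse_headers(raw: bytes) -> dict:
    """Map lower-cased header names to values from a raw response head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def check_response(raw: bytes, limit: int = ASSUMED_MAX_MSG_LIMIT):
    """Return a finding string, or None when the response does not match."""
    headers = parse_headers(raw)
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "misc/ultravox" or "ultravox-max-msg" not in headers:
        return None
    value = headers["ultravox-max-msg"]
    try:
        size = int(value, 10)
    except ValueError:
        # A size field that is not a plain integer is itself worth a look.
        return f"non-numeric Ultravox-Max-Msg: {value!r}"
    if size < 0 or size > limit:
        return f"abnormal Ultravox-Max-Msg: {size}"
    return None


def make_response(ctype: str, max_msg: str) -> bytes:
    """Build a constructed sample response head for the checks below."""
    return (f"HTTP/1.0 200 OK\r\ncontent-type: {ctype}\r\n"
            f"ULTRAVOX-MAX-MSG: {max_msg}\r\n\r\n").encode("latin-1")


# Constructed samples: one modest size, the two values named in the
# indicator, a malformed value, and an unrelated content type.
SAMPLES = [make_response("misc/ultravox", "16377"),
           make_response("misc/ultravox", "4294965247"),
           make_response("misc/ultravox", "1073739776"),
           make_response("misc/ultravox", "0xfffff7ff"),
           make_response("audio/mpeg", "4294965247")]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(check_response(sample))
```

Header names are matched case-insensitively, and the check only fires when both conditions of the indicator hold, so a large value on an unrelated content type is ignored.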
CVSS provenance
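| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vulncheck | | 9.3 | CRITICAL | |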
GHSA
GHSA-j9j2-89jg-g643: Multiple heap-based buffer overflows in AOL Nullsoft WinAmp before 5
ghsa_unreviewed·2022-05-01
CVE-2006-5567 [HIGH] GHSA-j9j2-89jg-g643: Multiple heap-based buffer overflows in AOL Nullsoft WinAmp before 5
VulnCheck
nullsoft winamp Out-of-bounds Write
vulncheck·2006·CVSS 9.3
CVE-2006-5567 [CRITICAL] nullsoft winamp Out-of-bounds Write
Affected: nullsoft winamp
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.virusbulletin.com/virusbulletin/2010/05/exploit-kit-explosion-part-two-vectors-attack/