cbcvebase.
CVE-2006-5567
published 2006-10-27

CVE-2006-5567: Multiple heap-based buffer overflows in AOL Nullsoft WinAmp before 5.31 allow user-assisted remote attackers to execute arbitrary code via a crafted (1)…

PriorityP267critical9.3CVSS 2.0
AVNACMAuNCCICAC
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
13.48%
96.0th percentile
Multiple heap-based buffer overflows in AOL Nullsoft WinAmp before 5.31 allow user-assisted remote attackers to execute arbitrary code via a crafted (1) ultravox-max-msg header to the Ultravox protocol handler or (2) unspecified Lyrics3 tags.

Affected

2 ranges
VendorProductVersion rangeFixed in
nullsoftwinamp
nullsoftwinamp

Detection & IOCsextracted from sources · hover to see the quote

otherUltravox-Max-Msg: <oversized_value>
otherContent-Type: misc/ultravox
otherServer: Ultravox 3.0
  • Detect exploitation attempts by monitoring HTTP responses containing both 'Content-Type: misc/ultravox' and an 'Ultravox-Max-Msg' header with an abnormally large integer value (e.g., near DWORD max such as 4294965247 or 1073739776), which triggers the heap overflow in WinAmp's Ultravox protocol handler.
  • CVE-2006-5567 affects AOL Nullsoft WinAmp versions before 5.31. Identify vulnerable hosts by detecting WinAmp versions < 5.31 in the environment.
  • ·The PoC exploit is a Denial of Service / crash proof-of-concept and does not include shellcode for arbitrary code execution; the NVD advisory notes the vulnerability is capable of arbitrary code execution with a fully weaponized payload.
  • ·The exploit requires user interaction — the victim must open a crafted stream URL in WinAmp pointing to the attacker-controlled server.
  • ·A second attack vector via Lyrics3 tags is mentioned but no technical details or IOCs are provided in the available sources.

CVSS provenance

nvdv2.09.3CRITICALAV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck9.3CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.