In-Reply-To: <BAY101-F277D543B4547323CCB31D8A9BA0@xxxxxxx> Winamp 5.06 is also vulnerable and exploitable...thus this flaw is still unpatched. you can test it using this code : http://www.k-otik.com/exploits/20041124.winampm3u.c.php Regards K-OTik Security Research & Monitoring Team 24/7 http://www.k-otik.com >Dear Brett > >I've noticed that you say this is for version 5.05. Just looked at Winamp's >site, and they have a 5.06 version out. Is this one vunerable as well? > >Kind Regards > >Alex Cottle > > >>From: "Brett Moore" <brett.moore@xxxxxxxxxxxxxxxxxxxxxxx> >>Reply-To: <brett.moore@xxxxxxxxxxxxxxxxxxxxxxx> >>To: "Bugtraq@Securityfocus. Com" <bugtraq@xxxxxxxxxxxxxxxxx> >>Subject: Winamp - Buffer Overflow In IN_CDDA.dll [Unpatched] >>Date: Wed, 24 Nov 2004 16:05:46 +1300 >> >>======================================================================== >>= Winamp - Buffer Overflow In IN_CDDA.dll >>= >>= Affected Software: >>= Winamp 5.05, 5.06 >>= >>= Public disclosure on November 24, 2004 >>======================================================================== >> >>== Overview == >> >>Hate to be the bearer of bad news. >> >>It appears that the 'patched' version 5.05 does NOT fix the buffer overflow >>issue that we notified Nullsoft about. This is obviously not good. >> >>As we wrote in our advisory we were notified by email that the issue had >>been fixed and an update posted to the website. >> >>We have sent Nullsoft a copy of this email, and hope that they can remedy >>this problem quickly. Unfortunately, this may not be the case as was >>pointed out to me by somebody. >> >>== Solutions == >> >>- Disassociate .cda and .m3u extensions from winamp >>- Wait for an update >> >>Brett Moore >>Network Intrusion Specialist, CTO >>Security-Assessment.com >> >> >>###################################################################### >>CONFIDENTIALITY NOTICE: >> >>This message and any attachment(s) are confidential and proprietary. >>They may also be privileged or otherwise protected from disclosure. If >>you are not the intended recipient, advise the sender and delete this >>message and any attachment from your system. If you are not the >>intended recipient, you are not authorised to use or copy this message >>or attachment or disclose the contents to any other person. Views >>expressed are not necessarily endorsed by Security-Assessment.com >>Limited. Please note that this communication does not designate an >>information system for the purposes of the New Zealand Electronic >>Transactions Act 2003. >>###################################################################### > > >
