lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20041127013634.22190.qmail@www.securityfocus.com>
Date: 27 Nov 2004 01:36:34 -0000
From: K-OTiK Security <Special-Alerts@...tik.com>
To: bugtraq@...urityfocus.com
Subject: Re: Winamp - Buffer Overflow In IN_CDDA.dll [Unpatched]


In-Reply-To: <BAY101-F277D543B4547323CCB31D8A9BA0@....gbl>


Winamp 5.06 is also vulnerable and exploitable...thus this flaw is still unpatched.

you can test it using this code :
http://www.k-otik.com/exploits/20041124.winampm3u.c.php

Regards
K-OTik Security Research & Monitoring Team 24/7
http://www.k-otik.com


>Dear Brett
>
>I've noticed that you say this is for version 5.05. Just looked at Winamp's 
>site, and they have a 5.06 version out. Is this one vunerable as well?
>
>Kind Regards
>
>Alex Cottle
>
>
>>From: "Brett Moore" <brett.moore@...urity-assessment.com>
>>Reply-To: <brett.moore@...urity-assessment.com>
>>To: "Bugtraq@...urityfocus. Com" <bugtraq@...urityfocus.com>
>>Subject: Winamp - Buffer Overflow In IN_CDDA.dll [Unpatched]
>>Date: Wed, 24 Nov 2004 16:05:46 +1300
>>
>>========================================================================
>>= Winamp - Buffer Overflow In IN_CDDA.dll
>>=
>>= Affected Software:
>>=       Winamp 5.05, 5.06
>>=
>>= Public disclosure on November 24, 2004
>>========================================================================
>>
>>== Overview ==
>>
>>Hate to be the bearer of bad news.
>>
>>It appears that the 'patched' version 5.05 does NOT fix the buffer overflow
>>issue that we notified Nullsoft about. This is obviously not good.
>>
>>As we wrote in our advisory we were notified by email that the issue had
>>been fixed and an update posted to the website.
>>
>>We have sent Nullsoft a copy of this email, and hope that they can remedy
>>this problem quickly. Unfortunately, this may not be the case as was
>>pointed out to me by somebody.
>>
>>== Solutions ==
>>
>>- Disassociate .cda and .m3u extensions from winamp
>>- Wait for an update
>>
>>Brett Moore
>>Network Intrusion Specialist, CTO
>>Security-Assessment.com
>>
>>
>>######################################################################
>>CONFIDENTIALITY NOTICE:
>>
>>This message and any attachment(s) are confidential and proprietary.
>>They may also be privileged or otherwise protected from disclosure. If
>>you are not the intended recipient, advise the sender and delete this
>>message and any attachment from your system. If you are not the
>>intended recipient, you are not authorised to use or copy this message
>>or attachment or disclose the contents to any other person. Views
>>expressed are not necessarily endorsed by Security-Assessment.com
>>Limited. Please note that this communication does not designate an
>>information system for the purposes of the New Zealand Electronic
>>Transactions Act 2003.
>>######################################################################
>
>
>


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ