CVE-2004-1896

Vulnerability

A heap-based buffer overflow exists in the in_mod.dll module of Nullsoft Winamp versions 2.91 through 5.02 when parsing Fasttracker 2 (.xm) mod media files. The lack of boundary checking in the code responsible for loading .xm files allows an attacker to overwrite arbitrary heap memory, leading to an access violation within ntdll.RtlAllocateHeap() [1].

Exploitation

An attacker can exploit this vulnerability by crafting a malicious .xm file that triggers the heap overflow. The malicious file can be delivered remotely by embedding it in a specially crafted HTML document; simply rendering the HTML page in a browser that launches Winamp (or via a direct download) can trigger the exploit. No authentication is required, and the user only needs to open the file or visit the malicious page [1].

Impact

Successful exploitation allows an attacker to write arbitrary values to chosen memory locations, gaining control of Winamp's execution flow. This results in arbitrary code execution in the security context of the logged-on user. The attacker can achieve full compromise of the affected system, including data theft, installation of malware, or further lateral movement [1].

Mitigation

Nullsoft released Winamp 5.03 on 2004-04-12, which fixes this vulnerability. Users should upgrade to Winamp 5.03 or later. No workaround is available for earlier versions. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date [1].