Check Point Advisories

Nullsoft Winamp MIDI Timestamp Stack Buffer Overflow (CVE-2010-4370)

Vulnerability
Protection

Check Point Reference:	CPAI-2011-046
Date Published:	24 Feb 2011
Severity:	High
Last Updated:	Thursday 24 February, 2011
Source:
Industry Reference:	CVE-2010-4370
Protection Provided by:	Security Gateway R81, R80, R77, R75
Who is Vulnerable?
Vulnerability Description	Winamp is a popular multimedia player, produced by Nullsoft, which is capable of playing many formats of audio and video files. Winamp can play CD tracks, MP3 music files or MPEG video files, as well as numerous other formats. Among the audio files supported by Winamp are MIDI files and MUS files. A remote code execution vulnerability has been reported in Nullsoft Winamp. The vulnerability is due to a boundary error in the "in_midi" component in Nullsoft Winamp while handling timestamps in MIDI files. A remote attacker can exploit this issue by enticing the target user to open a specially crafted MIDI file. Successful exploitation of this vulnerability would lead to arbitrary code execution on a vulnerable system.

Protection Overview

This protection will detect and block attempts to exploit this vulnerability.

In order for the protection to be activated, update your Security Gateway product to the latest IPS update. For information on how to update IPS, go to SBP-2006-05, click on Protection tab and select the version of your choice.

Security Gateway R80 / R77 / R75

In the IPS tab, click Protections and find the Nullsoft Winamp MIDI Timestamp Stack Buffer Overflow protection using the Search tool and Edit the protection's settings.
Install policy on all Security Gateways.

This protection's log will contain the following information:

Attack Name: Media Player Enforcement Violation.
Attack Information: Nullsoft Winamp MIDI Timestamp stack buffer overflow