Winamp 2.91 Buffer Overflow

Published by

Winamp 2.91 ships with a default plugin, IN_MIDI.DLL, used to play MIDI files. Versions of this plugin up to and including 3.01 let an attacker execute code on a victim's machine simply by setting the "Track data size" value of a MIDI file to 0xffffffff.
An important point (and also the only limit for the attacker) is that there is no single method to exploit this vulnerability, because the effects vary with how the user opens the file and which MIDI device is used:
drag-and-drop, normal file opening, midiOut and DirectMusic.
Another note is that the code execution does not always happen at the moment the file is opened or played; it can happen after the second exception or when Winamp is closed (these effects also depend on the four options above). Nullsoft has already been informed; a patch is not available yet.
More detailed information about the bug is available here.