Published: 2006/04/21  Last Updated: 2008/05/21

JVN#74294680
Winny buffer overflow vulnerability

Overview

Winny, a P2P file-sharing (exchange) application, contains a buffer overflow vulnerability.

Products Affected

  • Winny 2.0 b7.1 and earlier

As of May 25, 2006, exploit information is publicly available. Currently we are not aware of any attacks. It is recommended that users avoid using Winny.

Description

Impact

If a remote attacker sends a malicious packet, Winny will crash.
It is publicly reported that arbitrary code may be executed with the privileges of the user running Winny.

Solution

Vendor Status

Vendor        Status      Last Update  Vendor Notes
Isamu Kaneko  Vulnerable  2006/04/21

References

  1. eEye Digital Security
    Winny Remote Buffer Overflow Vulnerability
  2. Sumisho Computer Systems Corporation
    http://www.scs.co.jp/eeye/advisories/AD20060421.html
  3. US-CERT Vulnerability Note VU#167033
    Winny contains a buffer overflow

JPCERT/CC Addendum

Credit

Yuji Ukai of eEye Digital Security reported this vulnerability to IPA.
JPCERT/CC coordinated with the vendors under the Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE: CVE-2006-2007
JVN iPedia: JVNDB-2006-000614

Update History