[Snort-sigs] mpg123 overflow signature

Erik Walthinsen omega at ...1197...
Tue Jan 21 22:02:10 EST 2003

I looked into the message on bugtraq at
and found that it is indeed a potentially viable attack.  It tricks mpg123
into thinking that the mp3 frame is 2877 bytes long, yet mpg123 only has a
1920-byte buffer on its stack for walking through to the next frame.  The
result is that the 'rds' pointer is corrupted, and at common.c:243 it
calls a function pointer found by dereferencing that now bogus pointer.

The claims is made that anything can be done to the machine via this
mechanism, and I believe it.  They claim they can screw up quite a few
players, most of which are mpg123-derived.  The real question is whether a
MPEG "2.5" layer 2, 160Kbps, 8KHz stream is valid.  It certainly isn't for

I've never written a snort signature before, but here goes:

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT mpg123
overflow"; flags A+; content: "|ff e5 ea 00 bf ff";
classtype:attempted-user rev:1;)

The first four bytes are a bogus mp3 frame header with the above
properties.  The second two bytes are the high word of a the overflow
addresses used in the two variants in the given code.  Replace those with
the four bytes '41 42 43 44' to detect the 'debug' variant.

The problem with this signature is that it could occur at any point in the
stream, which could itself occur on any port (think of all the p2p
variants).  It could trigger all kinds of false positives, and could very
very easily miss things entirely. ;-(

      Erik Walthinsen <omega at ...1197...> - System Administrator
       /  \                GStreamer - The only way to stream!
      |    | M E G A        ***** http://gstreamer.net/ *****
      _\  /_

More information about the Snort-sigs mailing list