[Snort-sigs] PNG vulnerabilities and more

Joe Stewart jstewart at ...5...
Thu Aug 19 06:07:19 EDT 2004

On Wednesday 18 August 2004 5:03 pm, Joseph Gama wrote:
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
> (msg:"libPNG - Remotely exploitable stack-based buffer
> overrun in png_handle_tRNS";
> pcre:"/\x89\x50\x4E\x47\x0D\x0A\x1A\x0A([\s\S]){17}\x03/Ri";
> content:"tRNS"; byte_jump:4, -8, relative, big;
> pcre:"/([\s\S]){8}/R";
> pcre:"/([a-zA-Z]){2}[A-Z][a-zA-Z]/R";
> reference:url,http.www.securiteam.com/unixfocus/5ZP0C0KDPG.html;
> classtype:misc-activity; sid:2000000; rev:1;)

Can you explain why the rule above is preferable to the rule I submitted 
on August 5th for the same vuln:

libpng tRNS overflow attempt"; content:"|89|PNG|0D 0A 1A 0A|"; 
content:!"PLTE"; content:"tRNS"; byte_test:4,>,256,-8,relative,big; 
flow:established,to_client; classtype:attempted-admin; 
reference:cve,CAN-2004-0597; sid:2001058; rev:2;)

If you've looked at the PNG spec and have found a condition where my 
rule would not fire but the exploit could still work, please let me 
know. Also, since you are not checking for the absence of the PLTE 
header (a necessary condition for the overflow to occur), is it 
possible yours could have false positives?


Joe Stewart, GCIH 
Senior Security Researcher
LURHQ http://www.lurhq.com/

More information about the Snort-sigs mailing list