JBells is a trojan embedded into malformed MP3 files. The trojan uses a
vulnerability in mpg123 which is a command-line MP3 player for Linux and
other *NIX systems. When the trojanized MP3 is played with a vulnerable
version of mpg123 a routine is started that deletes the current user's
home directory and it's content.
The latest development version of mpg123 (0.59s) was tested and found to
be vulnerable to this attack, while the latest stable version (0.59r)
is not vulnerable.
The original exploit code generates ready to distribute trojanized MP3s for
Suse 8.0 and Slackware 8.0 distributions.
Technical details
The exploit code generates an MP3 file with malformed header that
causes a buffer overflow in mpg123's header parsing code.
The malicious buffer is constructed so that it calls a command shell
with a one-line command that removes the user's home directory recursively.
Even though the original exploit contains settings for the distributions
mentioned above it is unfortunately easy to modify the exploit code to affect
other Linux distributions and versions as well. Because of this users of
vulnerable mpg123 versions are advised to change their mpg123 to a
non-vulnerable version, regardless of their distribution.
[Analysis: Gergely Erdelyi; F-Secure Corp.; January 15th, 2003]
![](/images/pixel.gif"){kind=tracking}
