Rule Category

FILE-MULTIMEDIA -- Snort detected traffic targeting vulnerabilities in multimedia files (mp3, movies, wmv, etc.).

Alert Message

FILE-MULTIMEDIA Microsoft Windows mp3 file malformed ID3 APIC header code execution attempt

Rule Explanation

This event is generated when an MP3 file is detected containing ID3 metadata which exploits a vulnerability in WMVCore component of Windows. Impact: Arbitrary code execution in the context of the current user Details: Ease of Attack: Simple

What To Look For

Known Usage

No public information

False Positives

No known false positives

Contributors

Cisco Talos Intelligence Group

MITRE ATT&CK Framework

Tactic:

Technique:

For reference, see the MITRE ATT&CK vulnerability types here: https://attack.mitre.org

CVE

Additional Links

Rule Vulnerability

CVE Additional Information

CVE-2009-2499
Microsoft Windows Media Format Runtime 9.0, 9.5, and 11; and Microsoft Media Foundation on Windows Vista Gold, SP1, and SP2 and Server 2008; allows remote attackers to execute arbitrary code via an MP3 file with crafted metadata that triggers memory corruption, aka "Windows Media Playback Memory Corruption Vulnerability."
Details
SeverityHIGH Base Score8.5
Impact Score10.0 Exploit Score6.8
Confidentiality ImpactCOMPLETE Integrity ImpactCOMPLETE
Availability ImpactCOMPLETE Access Vector
AuthenticationSINGLE Ease of Access