Rule Category

FILE-MULTIMEDIA -- Snort detected traffic targeting vulnerabilities in multimedia files (mp3, movies, wmv, etc.).

Alert Message

FILE-MULTIMEDIA Microsoft Windows Media Foundation memory corruption attempt

Rule Explanation

The rule looks for the following hex byte sequence in a file. This byte sequence is observed in malicious WMF files with the .ts extension, which can exploit CVE-2020-16915:

```
00 00 00 01 42 01 01 01 60 00 00 03 00 90 00 00 03 00 00 03 00 3F A0 05 02 01 69 65 95 9A 49 32 38 00 00 00 0F A4 00 01 D4 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
```
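The Snort rule expresses the check above as a content match on that byte sequence. The following is an added example, not Talos's or Snort's own code, showing the equivalent check outside Snort: a small scanner that reports whether the signature bytes from the rule explanation appear in a file and at what offset, so an analyst can triage a quarantined .ts sample or confirm why the rule fired. The signature bytes are taken from this page; the two sample buffers are constructed for illustration (the 0x47 padding mimics MPEG-TS sync bytes and is not taken from any real sample).

```python
"""Added example: offline check for the byte signature in the rule explanation."""

from pathlib import Path

# Signature from the rule explanation above (copied verbatim, as raw bytes).
SIGNATURE = bytes.fromhex(
    "00 00 00 01 42 01 01 01 60 00 00 03 00 90 00 00 03 00 00 03 00 3F A0 05 02 01 "
    "69 65 95 9A 49 32 38 00 00 00 0F A4 00 01 D4 "
    "FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF"
)


def find_signature(data: bytes) -> int:
    """Return the byte offset of the first occurrence of SIGNATURE, or -1 if absent."""
    return data.find(SIGNATURE)


def scan_bytes(data: bytes, name: str = "<buffer>") -> dict:
    """Scan an in-memory buffer and return a small triage record.

    'context' holds a hex rendering of the 16 bytes preceding the match, which is
    handy when comparing against a packet capture or a Snort alert payload dump.
    """
    offset = find_signature(data)
    matched = offset != -1
    context = data[max(0, offset - 16):offset].hex(" ") if matched else ""
    return {
        "name": name,
        "matched": matched,
        "offset": offset,
        "size": len(data),
        "context_before_match": context,
    }


def scan_file(path: str) -> dict:
    """Read a file from disk and scan it; the whole file is read because the
    signature may straddle any boundary a chunked reader would choose."""
    p = Path(path)
    return scan_bytes(p.read_bytes(), name=str(p))


# Constructed samples (not real malware): a benign buffer containing every byte
# value but never the signature, and a buffer with the signature embedded after
# 188 bytes of 0x47 padding (0x47 is the MPEG-TS sync byte; 188 is the TS packet size).
BENIGN_SAMPLE = bytes(range(256)) * 4
SUSPECT_SAMPLE = b"\x47" * 188 + SIGNATURE + b"\x00" * 64


if __name__ == "__main__":
    for label, buf in (("benign", BENIGN_SAMPLE), ("suspect", SUSPECT_SAMPLE)):
        print(label, scan_bytes(buf, name=label))
```

Running the module scans the two constructed buffers; pointing `scan_file` at a real quarantined sample gives the same record for a file on disk. A plain substring search is enough here because the rule is an exact byte match, but an offset of -1 only means this particular signature is absent, not that the file is safe.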

What To Look For

The rule alerts on malicious WMF files with the .ts extension that can exploit CVE-2020-16915.

Known Usage

No public information

False Positives

No known false positives

Contributors

Cisco Talos Intelligence Group

MITRE ATT&CK Framework

Tactic: Execution

Technique: User Execution

For reference, see the MITRE ATT&CK vulnerability types here: https://attack.mitre.org

Additional Links

Rule Vulnerability

Memory Corruption

Memory Corruption is any vulnerability that allows the modification of the content of memory locations in a way not intended by the developer. Memory corruption results are inconsistent; they could lead to fatal errors and system crashes or data leakage; some have no effect at all.

CVE Additional Information