FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt

detects attempts to exploit a memory underflow vulnerability in RealNetworks RealPlayer when processing MPEG video files. The rule looks for specific content patterns in the TCP payload that may indicate an attempt to exploit the vulnerability.

ID Number

21112

Signature

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt"; flow:to_client,established; flowbits:isset,file.mpeg; file_data; content:"|00 00 01|"; depth:3; byte_test:2,!&,0xFFF0,1,relative,big; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,50741; reference:cve,2011-4259; classtype:attempted-user; sid:21112; rev:15;)

MITRE ATT&CK Technique

"Exploit Public-Facing Application (T1190)" "Exploitation for Client Execution (T1203)" "Exploitation of Vulnerability (T1212)" "Data Destruction (T1485)" "Data from Local System (T1005)"

Severity

high

Recommendations/Investigative actions

Ensure that you are using the latest version of RealNetworks RealPlayer that includes security patches and updates. Keep the software up-to-date with the latest vendor-released patches.Authorize the connection. If the connection was approved - archive and baseline the rule. If not - check the connection, If there are internet IP's involved check if there are more alerts that this IP is involved, block the IP's in the FW and investigate the relevant IP address.

External Links