CVE-2015-2509
Published 2015-09-09
Priority P273 · critical · 9.3 · CVSS 2.0
AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 71.04% (99.3th percentile)
Windows Media Center in Microsoft Windows Vista SP2, Windows 7 SP1, Windows 8, and Windows 8.1 allows user-assisted remote attackers to execute arbitrary code via a crafted Media Center link (mcl) file, aka "Windows Media Center RCE Vulnerability."
Detection & IOCs (extracted from sources)
- Detect crafted .mcl files containing UNC paths: the exploit works by embedding a UNC path inside a Media Center Link (.mcl) file to trigger automatic download and execution of a remote payload.
- Monitor for Windows Media Center (ehshell.exe or related processes) spawning unexpected child processes, particularly executables fetched from UNC/SMB paths.
- Alert on .mcl file creation or delivery via email/web, especially files referencing UNC (\\server\share) paths inside their content.
- The vulnerability is user-assisted: the victim must open the crafted .mcl file, so a delivery vector (phishing, malicious download) is a prerequisite for exploitation.
- The Metasploit module targets Windows platforms only (Vista SP2, 7 SP1, Windows 8, 8.1) and requires the SRVHOST/UNC infrastructure to be reachable by the victim for payload delivery.
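The first two detection points above can be expressed as a small triage script. This is an added example, not code from this page or its sources: the function names are hypothetical, the sample markup is constructed with placeholder element names (not the real .mcl schema), and the event dictionaries assume Sysmon-style `Image` / `ParentImage` fields.

```python
from __future__ import annotations
import re

# \\host\share[\more...]; stops at whitespace, quotes and path-illegal characters.
UNC_RE = re.compile(r'\\\\[\w.$-]+\\[^\\/:*?"<>|\s]+(?:\\[^\\/:*?"<>|\s]+)*')

def decode_mcl(raw: bytes) -> str:
    """Decode .mcl bytes, honouring UTF-16 and UTF-8 byte-order marks."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16", errors="replace")
    return raw.decode("utf-8-sig", errors="replace")

def find_unc_refs(raw: bytes) -> list[str]:
    """Return every UNC path referenced anywhere in the file content.

    The scan is format-agnostic (it does not parse the .mcl schema), so it
    also works on truncated or malformed files pulled from mail or web gateways.
    """
    text = decode_mcl(raw)
    # Undo XML numeric escapes so a backslash cannot hide as &#92; or &#x5C;
    text = re.sub(r"&#(?:92|x5c);", lambda m: "\\", text, flags=re.I)
    return UNC_RE.findall(text)

def classify_child(event: dict) -> str | None:
    """Grade a process-creation event whose parent is Windows Media Center.

    'high'   : ehshell.exe started an image loaded from a UNC path
    'review' : ehshell.exe started any other child process
    None     : parent is not ehshell.exe
    """
    parent = event.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
    if parent != "ehshell.exe":
        return None
    return "high" if UNC_RE.match(event.get("Image", "")) else "review"

# Constructed sample: placeholder markup, UTF-16 encoded with a BOM.
SAMPLE = r'<placeholder attr="\\files.example.test\share\setup.exe"/>'.encode("utf-16")

if __name__ == "__main__":
    print(find_unc_refs(SAMPLE))
```
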
CVSS provenance
nvd · v2.0 · 9.3 · CRITICAL · AV:N/AC:M/Au:N/C:C/I:C/A:C
vendor_redhat · 4.7 · MEDIUM
GHSA
GHSA-cvw5-r6p2-vxj5: Windows Media Center in Microsoft Windows Vista SP2, Windows 7 SP1, Windows 8, and Windows 8
ghsa_unreviewed·2022-05-14
CVE-2015-2509 [HIGH] CWE-284 GHSA-cvw5-r6p2-vxj5: Windows Media Center in Microsoft Windows Vista SP2, Windows 7 SP1, Windows 8, and Windows 8
Windows Media Center in Microsoft Windows Vista SP2, Windows 7 SP1, Windows 8, and Windows 8.1 allows user-assisted remote attackers to execute arbitrary code via a crafted Media Center link (mcl) file, aka "Windows Media Center RCE Vulnerability."
Red Hat
kernel: btrfs: use latest_dev in btrfs_show_devname
vendor_redhat·2024-06-19·CVSS 4.7
CVE-2021-47599 [MEDIUM] CWE-362 kernel: btrfs: use latest_dev in btrfs_show_devname
In the Linux kernel, the following vulnerability has been resolved:
btrfs: use latest_dev in btrfs_show_devname
The test case btrfs/238 reports the warning below:
WARNING: CPU: 3 PID: 481 at fs/btrfs/super.c:2509 btrfs_show_devname+0x104/0x1e8 [btrfs]
CPU: 2 PID: 1 Comm: systemd Tainted: G W O 5.14.0-rc1-custom #72
Hardware name: QEMU QEMU Virtual Machine, BIOS 0.0.0 02/06/2015
Call trace:
btrfs_show_devname+0x108/0x1b4 [btrfs]
show_mountinfo+0x234/0x2c4
m_show+0x28/0x34
seq_read_iter+0x12c/0x3c4
vfs_read+0x29c/0x2c8
ksys_read+0x80/0xec
__arm64_sys_read+0x28/0x34
invoke_syscall+0x50/0xf8
do_el0_svc+0x88/0x138
el0_svc+0x2c/0x8c
el0t_64_sync_handler+0x84/0xe4
el0t_64_sync+0x198/0x19c
Reason:
While btrfs_prepare_sprout() moves the fs_device
No detection rules found.
Exploit-DB
Microsoft Windows Media Center - MCL (MS15-100) (Metasploit)
exploitdb·2015-09-15
CVE-2015-2509 Microsoft Windows Media Center - MCL (MS15-100) (Metasploit)
---
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 "MS15-100 Microsoft Windows Media Center MCL Vulnerability",
'Description' => %q{
This module exploits a vulnerability in Windows Media Center. By supplying
an UNC path in the *.mcl file, a remote file will be automatically downloaded,
which can result in arbitrary code execution.
},
'License' => MSF_LICENSE,
'Author' =>
[
'sinn3r',
],
'References' =>
[
['CVE', '2015-2509'],
['MSB', 'MS15-100']
],
'Payload' =>
{
'DisableNops' => true
},
'DefaultOptions' =>
{
'DisablePayloadHandler' => 'false'
},
'Platform' => 'win',
'Targets' =>
[
['Windows', {}],
],
Exploit-DB
Microsoft Windows Media Center - Command Execution (MS15-100)
exploitdb·2015-09-11
CVE-2015-2509 Microsoft Windows Media Center - Command Execution (MS15-100)
---
# Title: MS15-100 Windows Media Center Command Execution
# Date : 11/09/2015
# Author: R-73eN
# Software: Windows Media Center
# Tested : Windows 7 Ultimate
# CVE : 2015-2509
banner = ""
banner += " ___ __ ____ _ _ \n"
banner +=" |_ _|_ __ / _| ___ / ___| ___ _ __ / \ | | \n"
banner +=" | || '_ \| |_ / _ \| | _ / _ \ '_ \ / _ \ | | \n"
banner +=" | || | | | _| (_) | |_| | __/ | | | / ___ \| |___ \n"
banner +=" |___|_| |_|_| \___/ \____|\___|_| |_| /_/ \_\_____|\n\n"
print banner
command = "calc.exe"
evil = ''
f = open("Music.mcl","w")
f.write(evil)
f.close()
print "\n[+] Music.mcl generated . . . [+]"
Metasploit
MS15-100 Microsoft Windows Media Center MCL Vulnerability
metasploit
This module exploits a vulnerability in Windows Media Center. By supplying an UNC path in the *.mcl file, a remote file will be automatically downloaded, which can result in arbitrary code execution.
Talos
Microsoft Patch Tuesday - September 2015
blogs_talos·2015-09-08·CVSS 9.3
[CRITICAL] Microsoft Patch Tuesday - September 2015
Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products. This month’s release sees a total of 12 bulletins released which address 55 CVEs. Five bulletins are rated "Critical" this month and address vulnerabilities in Edge, Graphics Component, Internet Explorer, Journal, and Office. The other seven bulletins are rated "Important" and address vulnerabilities in the .NET Framework, Active Directory, Exchange, Hyper-V, Media Center, Skype for Business, and Task Management.
## Bulletins Rated Critical
MS15-094, MS15-095, MS15-097, MS-098, and MS15-099 are rated "Critical".
MS15-094 is this month's Internet Explorer security bulletin. Seventeen CVEs are addressed this month which affected Internet Explorer versions
Krebs
Microsoft Pushes a Dozen Security Updates
blogs_krebs·2015-09-08·CVSS 9.3
[CRITICAL] Microsoft Pushes a Dozen Security Updates
Microsoft today released a dozen security updates for computers running supported versions of its Windows operating system. Five of the patches fix flaws that could get PCs compromised with little to no help from users, and five of the bulletins have vulnerabilities that were publicly disclosed before today (including one that reportedly has been detected in exploits in the wild). Separately, Adobe is pushing a security update for its Shockwave Player – a browser plugin that I’ve long urged readers to junk.
According to security firm Shavlik, the patches that address flaws which have already been publicly disclosed include a large Internet Explorer (IE) update that corrects 17 flaws and a fix for Microsoft Edge, Redmond’s flagship replacement browser for IE; both address this bug, among o
Krebs
Microsoft Pushes a Dozen Security Updates – Krebs on Security
blogs_krebs·2015-09-01·CVSS 9.3
[CRITICAL] Microsoft Pushes a Dozen Security Updates – Krebs on Security
Microsoft today released a dozen security updates for computers running supported versions of its Windows operating system. Five of the patches fix flaws that could get PCs compromised with little to no help from users, and five of the bulletins have vulnerabilities that were publicly disclosed before today (including one that reportedly has been detected in exploits in the wild). Separately, Adobe is pushing a security update for its Shockwave Player – a browser plugin that I’ve long urged readers to junk.
According to security firm Shavlik, the patches that address flaws which have already been publicly disclosed include a large Internet Explorer (IE) update that corrects 17 flaws and a fix for Microsoft Edge, Redmond’s flagship replacement browser for IE; both address this bug, amo
arXiv
MAAC: Novel Alert Correlation Method To Detect Multi-step Attack
arxiv_fulltext·2021-10-25
This work was supported by the National Natural Science Foundation of China (Grant No. 61802394 and 61902396) and the Youth Innovation Promotion Association. This work is also supported by the Program of Key Laboratory of Network Assessment Technology, the Chinese Academy of Sciences and Program of Beijing Key Laboratory of Network Security and Protection Technology.
1st Xiaoyu Wang
- http://www.rapid7.com/db/modules/exploit/windows/fileformat/ms15_100_mcl_exe
- http://www.securityfocus.com/bid/76594
- http://www.securitytracker.com/id/1033499
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-100
- https://www.exploit-db.com/exploits/38151/
- https://www.exploit-db.com/exploits/38195/