CVE-2015-6127
Published: 2015-12-09
CVE-2015-6127: Windows Media Center in Microsoft Windows Vista SP2, Windows 7 SP1, Windows 8, and Windows 8.1 allows remote attackers to read arbitrary files via a crafted…
Priority: P3 · 41 · medium · 4.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N
EXPLOIT
EPSS: 46.01% (98.7th percentile)
Windows Media Center in Microsoft Windows Vista SP2, Windows 7 SP1, Windows 8, and Windows 8.1 allows remote attackers to read arbitrary files via a crafted .mcl file, aka "Windows Media Center Information Disclosure Vulnerability."
Detection & IOCs (extracted from sources)
- Monitor for MCL files whose 'url' parameter references the MCL file itself; this self-referential pattern is the core exploit trigger.
- Alert on ehexthost.exe spawning network connections or making outbound HTTP POST requests, which indicates file exfiltration via the exploit.
- Detect instantiation of the MSXML2.XMLHTTP ActiveX object from within ehexthost.exe context, particularly when followed by outbound POST requests; this is the exfiltration mechanism.
- Flag .mcl file opens where the embedded HTML/JS code performs XMLHttpRequest POST to external hosts, which indicates active exfiltration of local files.
- Detect use of the Metasploit auxiliary module ms15_134_mcl_leak which serves a malicious MCL file; watch for 100% CPU on ehexthost.exe on patched systems as a behavioral indicator.
- The exploit only works when ehexthost.exe does NOT opt into the FEATURE_LOCALMACHINE_LOCKDOWN IE security feature; patching (MS15-134) addresses this but can cause 100% CPU if the exploit MCL is still opened.
- The PoC requires the 'url' parameter value in the MCL file to exactly match the filename of the MCL file on disk for the self-rendering trick to work.
- Exploitation requires the victim to manually open the malicious MCL file; it is not directly remotely exploitable without user interaction.
- Confirmed vulnerable configuration requires Internet Explorer 11 to be installed on Windows 7 x64 SP1; other versions were not verified.
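A static triage check for the first and third indicators in the list above, as an added example (not code from this page, the advisory, or the Metasploit module). It assumes the launch target is the `url` attribute of the `application` tag; `triage_mcl` and the sample files are constructed for illustration.

```python
import ntpath
import re

# Assumption: the launch target is the url attribute of the <application> tag.
# A regex is used instead of an XML parser because a file that is also meant
# to render as HTML is not guaranteed to be well-formed XML.
APP_URL = re.compile(r"<application\b[^>]*?\burl\s*=\s*([\"'])(.*?)\1", re.I | re.S)
XHR_MARKER = re.compile(r"MSXML2\.XMLHTTP", re.I)


def triage_mcl(file_name, content):
    """Return a list of findings for one .mcl file (empty list = nothing flagged)."""
    findings = []
    own_name = ntpath.basename(file_name).lower()
    for match in APP_URL.finditer(content):
        target = match.group(2).strip()
        # Compare only the last path component, case-insensitively, so that
        # "x.mcl", ".\x.mcl" and "X.MCL" are all treated as the same file.
        if ntpath.basename(target).lower() == own_name:
            findings.append("self-referential url: " + target)
    if XHR_MARKER.search(content):
        findings.append("references MSXML2.XMLHTTP")
    return findings


# Constructed samples (not taken from any real file); no script payload included.
SAMPLES = {
    r"C:\Users\demo\Downloads\report.mcl":
        '<application url="report.mcl" name="Report"></application>',
    r"C:\Users\demo\Downloads\Viewer.MCL":
        "<application name='v' URL='viewer.mcl'>"
        "<!-- marker only: MSXML2.XMLHTTP --></application>",
    r"C:\Users\demo\Downloads\radio.mcl":
        '<application url="https://media.example.com/app" name="Radio"></application>',
}

if __name__ == "__main__":
    for path, body in SAMPLES.items():
        print(path, "->", triage_mcl(path, body) or "clean")
```

A hit is a reason to quarantine and inspect the file, not proof of exploitation; the process-level indicators for ehexthost.exe still need endpoint or network telemetry.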
Exploit-DB
Microsoft Windows Media Center - '.Link' File Incorrectly Resolved Reference (MS15-134)
exploitdb·2015-12-09·CVSS 4.3
---
1. Advisory Information
Title: Microsoft Windows Media Center link file incorrectly resolved reference
Advisory ID: CORE-2015-0014
Advisory URL: http://www.coresecurity.com/advisories/microsoft-windows-media-center-link-file-incorrectly-resolved-reference
Date published: 2015-12-08
Date of last update: 2015-12-04
Vendors contacted: Microsoft
Release mode: Coordinated release
2. Vulnerability Information
Class: Use of Incorrectly-Resolved Name or Reference [CWE-706]
Impact: Information leak
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: CVE-2015-6127
3. Vulnerability Description
The 'application' tag in Microsoft [1] Windows Media Center link files (.mcl extension) can include a
Metasploit
MS15-134 Microsoft Windows Media Center MCL Information Disclosure
metasploit
This module exploits a vulnerability found in Windows Media Center. It allows an MCL file to render itself as an HTML document in the local machine zone by Internet Explorer, which can be used to leak files on the target machine. Please be aware that if this exploit is used against a patched Windows, it can cause the computer to be very slow or unresponsive (100% CPU). It seems to be related to how the exploit uses the URL attribute in order to render itself as an HTML file.
- http://www.securityfocus.com/bid/78516
- http://www.securitytracker.com/id/1034335
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-134
- https://www.exploit-db.com/exploits/38912/
Published: 2015-12-09