Windows Media Center Information Disclosure Vulnerability CVE-2015-6127

January 22, 2016

Windows Media Center (WMC) is a digital video recorder and media player created by Microsoft. WMC allows remote attackers to read arbitrary files via a crafted .mcl file, aka "Windows Media Center Information Disclosure Vulnerability".

A .mcl file has an application tag that has a run parameter. When this file is opened, whatever is in the run parameter gets executed. For example, if we create a simple .mcl file which looks like this and click it, the calculator pops up.

The application element can also have a URL parameter. The URL or file named in this parameter is rendered as HTML in WMC's embedded browser. So if the URL parameter points to itself (the same .mcl file), this file will be executed as HTML in WMC's embedded browser. An attacker can create a specially crafted .mcl file which reads information from the user's local system and sends it to the attacker's website.

As shown in the code below, the URL parameter in the newSong.mcl file points to itself. When the user clicks the .mcl file it will launch and the script in the .mcl file will upload the "calc.exe" file to the attacker's website.

Due to this vulnerability (CVE-2015-6127), the attacker can disclose information or steal documents from the victim's computer.
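For triage of .mcl files found in mail attachments or download folders, the following added example (not part of the original advisory or any vendor tooling) flags the two traits described above: an application tag with a run parameter, and a URL parameter that names the file itself. It assumes the attributes are spelled `run` and `url` with quoted values; the function names and sample files are constructed for illustration.

```python
import re

# Tolerant regexes: a file meant to double as HTML may not be well-formed XML.
APP_TAG = re.compile(r"<application\b([^>]*)>", re.I | re.S)
ATTR = re.compile(r"""([\w:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')""")
SCRIPT = re.compile(r"<script\b", re.I)

def basename(path):
    """Last path component, lower-cased, ignoring any query or fragment."""
    path = re.split(r"[?#]", path)[0]
    return re.split(r"[\\/]", path)[-1].lower()

def application_attrs(text):
    """Return one dict of lower-cased attribute names per <application> tag."""
    return [{k.lower(): (dq or sq) for k, dq, sq in ATTR.findall(m.group(1))}
            for m in APP_TAG.finditer(text)]

def triage_mcl(filename, text):
    """Return a sorted list of findings for the contents of one .mcl file."""
    findings = set()
    for attrs in application_attrs(text):
        if attrs.get("run", "").strip():
            findings.add("run-attribute")            # launches a program on open
        url = attrs.get("url", "").strip()
        if url and basename(url) == basename(filename):
            findings.add("self-referencing-url")     # file rendered as HTML
    if SCRIPT.search(text):
        findings.add("embedded-script")              # script inside a media link
    return sorted(findings)

# Constructed samples (assumed attribute layout, not taken from the advisory).
SAMPLES = {
    "benign.mcl": '<application name="Guide" url="https://example.com/guide.html"/>',
    "launcher.mcl": '<application run="placeholder.exe"/>',
    "newSong.mcl": '<application url="newSong.mcl"/>\n<script>/* placeholder */</script>',
}

def triage_all(samples):
    return {name: triage_mcl(name, text) for name, text in samples.items()}

if __name__ == "__main__":
    for name, result in triage_all(SAMPLES).items():
        print(f"{name}: {result or 'no findings'}")
```

A file that reports both `self-referencing-url` and `embedded-script` matches the pattern described for newSong.mcl and should be quarantined for analysis rather than opened.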

The Dell SonicWALL Threat Research Team has researched this vulnerability and released the following signature to protect their customers.

  • IPS 11327 : Windows Media Center Information Disclosure (MS15-134)