Windows Media Center Information Disclosure Vulnerability CVE-2015-6127 (Jan 22, 2016)


Windows Media Center (WMC) is digital video recorder and media player created by Microsoft. WMC allows remote attackers to read arbitrary files via a crafted .mcl file, aka “Windows Media Center Information Disclosure Vulnerability”

.mcl file has a application tag that has run parameter. When this file is opened whatever is in the run parameter gets executed .For example if we create a simple .mcl which looks like this and click it calculator pops up.

The application element can also have a URL parameter. The url/file mentioned in this parameter would be rendered as html in WMC’s embedded browser. So if the URL parameter points to itself (the same .mcl file), this file will be executed as html in WMC’s embedded browser. An attacker can create a specially crafted .mcl file which reads information from the user’s local system and send it to the attacker’s website.

As shown in the code below the url parameter in the newSong.mcl file points to itself. When the user clicks the mcl file it will launch
and the script in the mcl file will upload the “calc.exe” file to attacker’s website.

Due to this vulnerability (CVE-2015-6127) the attacker can disclose information or steal documents from victim’s computer.

Dell SonicWALL Threat Research Team has researched this vulnerability and released following signature to protect their customers.

  • IPS 11327 : Windows Media Center Information Disclosure (MS15-134)
Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.