Microsoft Windows Media Center - '.MCL' File Processing Remote Code Execution (MS16-059)

2016-05-1200:00:00

Eduardo Braun Prado

www.exploit-db.com

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

7.8 High

AI Score

Confidence

High

9.3 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

0.971 High

EPSS

Percentile

99.8%

JSON

Exploit Title: Microsoft Windows Media Center .MCL File Processing Remote Code Execution Vulnerability (MS16-059)

Date: May 11th, 2016

Exploit Author: Eduardo Braun Prado

Vendor Homepage : http://www.microsoft.com

Version: All prior to May 10th, 2016 update.

Tested on: Windows Media Center running on Microsoft Windows  Vista, 2008, 7, 8, 8.1

CVE:  CVE-2016-0185

Microsoft Windows Media Center (all versions prior to May 11th, 2016) contains a remote code execution upon processing specially crafted .MCL files. The vulnerability exists because Windows Media Center does not correctly processes paths in the "Run" parameter of the "Application" tag, bypassing the usual security warning displayed upon trying to run programs residing on remote (WebDAV/SMB) shares. In order to bypass the Windows Media Center security warning an attacker only needs to write the prefix "file:///" before the actual remote location. For example : file:///\\192.168.10.10\share\app.exe. However, Windows will still display an "Open File" security warning for files placed in remote locations (Internet Security Zone of IE), which can also be bypassed using a special "Control Panel Shortcut" that points to a remote DLL/CPL file. Upon pointing to a shortcut located in a remote share it is possible to run arbitrary code in the context of the currently logged on user. Note: On 64 bits Windows OSes, a 64-bits DLL should be provided, but 32-bits DLL files should work as well. A PoC MCL file is provided, which points to a default Windows share, to retrieve a special "Control Panel Shortcut", that runs a CPL file from the same location (\\127.0.0.1\c$\programdata\cpl.lnk). Notice that although the address points to the "Localhost", Windows treats it the same way as any other IP based location, placing it in the context of the IE "Internet Security Zone" (default for non-local places). The PoC CPL file only runs "cmd.exe /c calc" for demonstration purposes. Another important note is that after this Microsoft patch (May, 2016), the special "Control Panel Shortcut" does *NOT* work anymore.

Link to PoC: https://onedrive.live.com/?id=AFCB9116C8C0AAF4%21201&cid=AFCB9116C8C0AAF4#id=AFCB9116C8C0AAF4%21319&cid=AFCB9116C8C0AAF4

file is: "MS-Windows-Media-Center-May-2016-RCE-POC--Password-is-mcl.zip"
Password: mcl

EDB PoC Mirror:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39805.zip

I am also attaching the file as "MS-Windows-Media-Center-May-2016-RCE-POC--Password-is-mcl[dot]zip.txt"  (extension is txt, but it is an actual .ZIP archive, so rename to ".ZIP" upon downloading it). Archive opens successfully on any Windows version.