CVE-2010-3138

Microsoft Windows XP SP3 - Privilege Escalation

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2010-3138. PoCs published by LiquidWorm, Encrypt3d.M!nd.

AI-analyzed exploit summary This exploit demonstrates a DLL hijacking vulnerability in Media Player Classic 6.4.9.1 by providing a malicious iacenc.dll that executes arbitrary code when loaded via vulnerable file extensions (.mka, .ra, .ram). The PoC compiles into a DLL that displays a message box upon execution.

Description

Untrusted search path vulnerability in the Indeo Codec in iac25_32.ax in Microsoft Windows XP SP3 allows local users to gain privileges via a Trojan horse iacenc.dll file in the current working directory, as demonstrated by access through BS.Player or Media Player Classic to a directory that contains a .avi, .mka, .ra, or .ram file, aka "Indeo Codec Insecure Library Loading Vulnerability." NOTE: some of these details are obtained from third party information.

Exploits (2)

exploitdb WORKING POC VERIFIED
by LiquidWorm · clocalwindows
https://www.exploit-db.com/exploits/14788

This exploit demonstrates a DLL hijacking vulnerability in Media Player Classic 6.4.9.1 by providing a malicious iacenc.dll that executes arbitrary code when loaded via vulnerable file extensions (.mka, .ra, .ram). The PoC compiles into a DLL that displays a message box upon execution.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Media Player Classic 6.4.9.1
No auth needed
Prerequisites: Victim must open a malicious file (.mka, .ra, or .ram) in a directory containing the malicious iacenc.dll
MITRE ATT&CK
devstral-2 · analyzed Feb 18, 2026 Full analysis →
exploitdb WORKING POC
by Encrypt3d.M!nd · clocalwindows
https://www.exploit-db.com/exploits/14765

This exploit leverages DLL hijacking in MediaPlayer Classic 1.3.2189.0 by renaming a malicious DLL to 'iacenc.dll' and placing it in the same directory as an affected media file. The DLL exports a function that executes 'calc.exe' upon startup, demonstrating arbitrary code execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: MediaPlayer Classic 1.3.2189.0
No auth needed
Prerequisites: Affected media file in the same directory as the malicious DLL · User interaction to open the media file
MITRE ATT&CK
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (9)

Core 9
Core References
US Government Resource third-party-advisory x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA12-045A.html
Exploit exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/14765
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7132
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2010/2190
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://osvdb.org/67588
Exploit exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/14788
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/41114

Scores

EPSS 0.2669
EPSS Percentile 97.8%

Details

Status published
Products (3)
bsplayer/bs.player
microsoft/windows_media_player
microsoft/windows_xp
Published Aug 27, 2010
Tracked Since Feb 18, 2026