ID: CVE-2015-1727
Type: cve
Reporter: cve@mitre.org
Modified: 2019-05-14T20:26:00
Description
Buffer overflow in the kernel-mode drivers in Microsoft Windows Server 2003 SP2 and R2 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows local users to gain privileges via a crafted application, aka "Win32k Pool Buffer Overflow Vulnerability."
{"id": "CVE-2015-1727", "bulletinFamily": "NVD", "title": "CVE-2015-1727", "description": "Buffer overflow in the kernel-mode drivers in Microsoft Windows Server 2003 SP2 and R2 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows local users to gain privileges via a crafted application, aka \"Win32k Pool Buffer Overflow Vulnerability.\"", "published": "2015-06-10T01:59:00", "modified": "2019-05-14T20:26:00", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1727", "reporter": "cve@mitre.org", "references": ["http://www.securitytracker.com/id/1032525", "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-061", "https://www.exploit-db.com/exploits/38268/"], "cvelist": ["CVE-2015-1727"], "type": "cve", "lastseen": "2021-02-02T06:21:22", "edition": 4, "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-75008"]}, {"type": "exploitdb", "idList": ["EDB-ID:38268"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310805582"]}, {"type": "nessus", "idList": ["SMB_NT_MS15-061.NASL"]}, {"type": "kaspersky", "idList": ["KLA10599"]}], "modified": "2021-02-02T06:21:22", "rev": 2}, "score": {"value": 7.0, "vector": "NONE", "modified": "2021-02-02T06:21:22", "rev": 2}, "vulnersScore": 7.0}, "cpe": ["cpe:/o:microsoft:windows_vista:-", "cpe:/o:microsoft:windows_server_2003:-", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_8:-", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_server_2003:r2", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_rt:-", "cpe:/o:microsoft:windows_7:-"], "affectedSoftware": [{"cpeName": 
"microsoft:windows_server_2008", "name": "microsoft windows server 2008", "operator": "eq", "version": "r2"}, {"cpeName": "microsoft:windows_server_2008", "name": "microsoft windows server 2008", "operator": "eq", "version": "r2"}, {"cpeName": "microsoft:windows_rt_8.1", "name": "microsoft windows rt 8.1", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_server_2012", "name": "microsoft windows server 2012", "operator": "eq", "version": "r2"}, {"cpeName": "microsoft:windows_server_2008", "name": "microsoft windows server 2008", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_rt", "name": "microsoft windows rt", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_server_2012", "name": "microsoft windows server 2012", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_8.1", "name": "microsoft windows 8.1", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_server_2003", "name": "microsoft windows server 2003", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_7", "name": "microsoft windows 7", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_server_2003", "name": "microsoft windows server 2003", "operator": "eq", "version": "r2"}, {"cpeName": "microsoft:windows_vista", "name": "microsoft windows vista", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_8", "name": "microsoft windows 8", "operator": "eq", "version": "-"}], "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 7.2, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {}, "cpe23": 
["cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:itanium:*", "cpe:2.3:o:microsoft:windows_8:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2003:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2003:r2:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_vista:-:sp2:*:*:*:*:*:*"], "cwe": ["CWE-119"], "scheme": null, "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2003:-:sp2:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_rt:-:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_vista:-:sp2:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_8:-:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2003:r2:sp2:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:itanium:*", "vulnerable": true}, {"cpe23Uri": 
"cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "vulnerable": true}], "operator": "OR"}]}, "extraReferences": [{"name": "1032525", "refsource": "SECTRACK", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securitytracker.com/id/1032525"}, {"name": "38268", "refsource": "EXPLOIT-DB", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://www.exploit-db.com/exploits/38268/"}, {"name": "MS15-061", "refsource": "MS", "tags": ["Patch", "Vendor Advisory"], "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-061"}], "immutableFields": []}
{"symantec": [{"lastseen": "2018-03-14T22:41:51", "bulletinFamily": "software", "cvelist": ["CVE-2015-1727"], "description": "### Description\n\nMicrosoft Windows is prone to a local privilege-escalation vulnerability. A local attacker can exploit this issue to gain elevated privileges.\n\n### Technologies Affected\n\n * Microsoft Windows 7 for 32-bit Systems SP1 \n * Microsoft Windows 7 for x64-based Systems SP1 \n * Microsoft Windows 8 for 32-bit Systems \n * Microsoft Windows 8 for x64-based Systems \n * Microsoft Windows 8.1 for 32-bit Systems \n * Microsoft Windows 8.1 for x64-based Systems \n * Microsoft Windows RT 8.1 \n * Microsoft Windows RT \n * Microsoft Windows Server 2003 Itanium SP2 \n * Microsoft Windows Server 2003 R2 Service Pack 2 \n * Microsoft Windows Server 2003 R2 x64 Edition Service Pack 2 \n * Microsoft Windows Server 2003 SP2 \n * Microsoft Windows Server 2003 x64 Edition Service Pack 2 \n * Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1 \n * Microsoft Windows Server 2008 R2 for x64-based Systems SP1 \n * Microsoft Windows Server 2008 for 32-bit Systems SP2 \n * Microsoft Windows Server 2008 for Itanium-based Systems SP2 \n * Microsoft Windows Server 2008 for x64-based Systems SP2 \n * Microsoft Windows Server 2012 \n * Microsoft Windows Server 2012 R2 \n * Microsoft Windows Vista SP2 \n * Microsoft Windows Vista x64 Edition SP2 \n\n### Recommendations\n\n**Permit local access for trusted individuals only. Where possible, use restricted environments and restricted shells.** \nTo exploit this vulnerability, an attacker requires local access to an affected computer. Grant local access for trusted and accountable users only. \n\nUpdates are available. 
Please see the references or vendor advisory for more information.\n", "modified": "2015-06-09T00:00:00", "published": "2015-06-09T00:00:00", "id": "SMNTC-75008", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/75008", "type": "symantec", "title": "Microsoft Windows Kernel 'Win32k.sys' CVE-2015-1727 Local Privilege Escalation Vulnerability", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2016-02-04T07:41:59", "description": "Windows Kernel - Pool Buffer Overflow Drawing Caption Bar (MS15-061). CVE-2015-1727. Dos exploit for win32 platform", "published": "2015-09-22T00:00:00", "type": "exploitdb", "title": "Windows Kernel - Pool Buffer Overflow Drawing Caption Bar MS15-061", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-1727"], "modified": "2015-09-22T00:00:00", "id": "EDB-ID:38268", "href": "https://www.exploit-db.com/exploits/38268/", "sourceData": "Source: https://code.google.com/p/google-security-research/issues/detail?id=321\r\n\r\nThe PoC triggers a crashes due to a pool buffer overflow while drawing the caption bar of window. The trigger depends on the current window layout and resolution. The PoC takes an offset on the command line to be able to test with different values, I tested this on two different Win7 32-bit VM's and had success with 0 and 475000 (Resolution was 1024x768 and 1280x1024). 
A bruteforce Python script is also attached which should trigger a crash fairly quickly.\r\n\r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38268.zip\r\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/38268/"}], "openvas": [{"lastseen": "2020-06-10T19:51:49", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-1720", "CVE-2015-1726", "CVE-2015-1723", "CVE-2015-1722", "CVE-2015-1719", "CVE-2015-1724", "CVE-2015-1768", "CVE-2015-1721", "CVE-2015-1725", "CVE-2015-1727", "CVE-2015-2360"], "description": "This host is missing an important security\n update according to Microsoft Bulletin MS15-061.", "modified": "2020-06-09T00:00:00", "published": "2015-06-10T00:00:00", "id": "OPENVAS:1361412562310805582", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805582", "type": "openvas", "title": "MS Windows Kernel-Mode Driver Privilege Elevation Vulnerabilities (3057839)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# MS Windows Kernel-Mode Driver Privilege Elevation Vulnerabilities (3057839)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.805582\");\n script_version(\"2020-06-09T05:48:43+0000\");\n script_cve_id(\"CVE-2015-1719\", \"CVE-2015-1720\", \"CVE-2015-1721\", \"CVE-2015-1722\",\n \"CVE-2015-1723\", \"CVE-2015-1724\", \"CVE-2015-1725\", \"CVE-2015-1726\",\n \"CVE-2015-1727\", \"CVE-2015-1768\", \"CVE-2015-2360\");\n script_bugtraq_id(74999, 75000, 74998, 75005, 75009, 75010, 75006, 75012,\n 75008, 75024, 75025);\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-09 05:48:43 +0000 (Tue, 09 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2015-06-10 08:00:55 +0530 (Wed, 10 Jun 2015)\");\n script_name(\"MS Windows Kernel-Mode Driver Privilege Elevation Vulnerabilities (3057839)\");\n\n script_tag(name:\"summary\", value:\"This host is missing an important security\n update according to Microsoft Bulletin MS15-061.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - Improper handling of buffer elements by windows kernel-mode driver under\n certain conditions.\n\n - Improper freeing of an object in memory by windows kernel-mode driver.\n\n - Insufficient validation of certain data passed from user mode by the windows\n kernel-mode driver.\n\n - Windows kernel-mode driver when it accesses an object in memory that has\n either not been correctly initialized or deleted.\n\n - Windows kernel-mode driver when it improperly 
validates user input.\n\n - Windows kernel-mode driver 'Win32k.sys' fails to properly free memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to bypass security, gain elevated privileges and execute arbitrary\n code on affected system.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 8 x32/x64\n\n - Microsoft Windows Server 2012/R2\n\n - Microsoft Windows 8.1 x32/x64\n\n - Microsoft Windows 2003 x32/x64 Service Pack 2 and prior\n\n - Microsoft Windows Vista x32/x64 Service Pack 2 and prior\n\n - Microsoft Windows Server 2008 x32/x64 Service Pack 2 and prior\n\n - Microsoft Windows 7 x32/x64 Service Pack 1 and prior\n\n - Microsoft Windows Server 2008 R2 x64 Service Pack 1 and prior\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/kb/3057839\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/en-us/library/security/ms15-061.aspx\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win2003:3, win2003x64:3, winVista:3, win7:2, win7x64:2,\n win2008:3, win2008r2:2, win8:1, win8x64:1, win2012:1,\n win2012R2:1, win8_1:1, win8_1x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_systemroot();\nif(!sysPath ){\n exit(0);\n}\n\ndllVer = fetch_file_version(sysPath:sysPath, 
file_name:\"system32\\Win32k.sys\");\nif(!dllVer){\n exit(0);\n}\n\nif(hotfix_check_sp(win2003:3, win2003x64:3) > 0)\n{\n if(version_is_less(version:dllVer, test_version:\"5.2.3790.5640\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n}\n\n## Currently not supporting for Vista and Windows Server 2008 64 bit\nif(hotfix_check_sp(winVista:3, win2008:3) > 0)\n{\n if(version_is_less(version:dllVer, test_version:\"6.0.6002.19399\") ||\n version_in_range(version:dllVer, test_version:\"6.0.6002.23000\", test_version2:\"6.0.6002.23705\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n}\n\nif(hotfix_check_sp(win7:2, win7x64:2, win2008r2:2) > 0)\n{\n if(version_is_less(version:dllVer, test_version:\"6.1.7601.18869\") ||\n version_in_range(version:dllVer, test_version:\"6.1.7601.22000\", test_version2:\"6.1.7601.23071\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n}\n\nif(hotfix_check_sp(win8:1, win8x64:1, win2012:1) > 0)\n{\n if(version_is_less(version:dllVer, test_version:\"6.2.9200.17385\") ||\n version_in_range(version:dllVer, test_version:\"6.2.9200.20000\", test_version2:\"6.2.9200.21495\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n}\n\n## Win 8.1 and win2012R2\nif(hotfix_check_sp(win8_1:1, win8_1x64:1, win2012R2:1) > 0)\n{\n if(version_is_less(version:dllVer, test_version:\"6.3.9600.17837\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-04-01T06:16:05", "description": "The remote Windows host is affected by multiple vulnerabilities :\n\n - An information disclosure vulnerability exists in the\n Windows kernel-mode driver due to improper handling of\n buffer elements. 
A local attacker can exploit this\n vulnerability to request the contents of specific memory\n addresses. (CVE-2015-1719)\n\n - An elevation of privilege vulnerability exists in the\n Windows kernel-mode driver due to a user-after-free\n error. A remote attacker can exploit this vulnerability\n by convincing a user to run a specially crafted\n application, resulting in the execution of arbitrary\n code in kernel mode. (CVE-2015-1720)\n\n - A elevation of privilege vulnerability exists in the\n Windows kernel-mode driver due to a NULL pointer\n dereference flaw. A remote attacker can exploit this\n vulnerability by convincing a user to run a specially\n crafted application, resulting in the execution of\n arbitrary code in kernel mode. (CVE-2015-1721)\n\n - Multiple elevation of privilege vulnerabilities exist in\n the Windows kernel-mode driver due to improper handling\n of objects in memory. A local attacker can exploit these\n vulnerabilities, with a specially crafted application,\n to escalate privileges to full administrative rights.\n (CVE-2015-1722, CVE-2015-1723, CVE-2015-1724,\n CVE-2015-1726)\n\n - Multiple elevation of privilege vulnerabilities exist in\n the Windows kernel-mode driver due to improperly\n validated user-supplied input. A local attacker can\n exploit these vulnerabilities, with a specially crafted\n application, to escalate privileges to full\n administrative rights. (CVE-2015-1725, CVE-2015-1727)\n\n - Multiple elevation of privilege vulnerabilities exist in\n the Windows kernel-mode driver due a failure to properly\n free memory. A local attacker can exploit these\n vulnerabilities, with a specially crafted application,\n to execute arbitrary code in the context of another\n user. 
(CVE-2015-1725, CVE-2015-1727)", "edition": 30, "published": "2015-06-09T00:00:00", "title": "MS15-061: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (3057839)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-1720", "CVE-2015-1726", "CVE-2015-1723", "CVE-2015-1722", "CVE-2015-1719", "CVE-2015-1724", "CVE-2015-1768", "CVE-2015-1721", "CVE-2015-1725", "CVE-2015-1727", "CVE-2015-2360"], "modified": "2021-04-02T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS15-061.NASL", "href": "https://www.tenable.com/plugins/nessus/84059", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(84059);\n script_version(\"1.14\");\n script_cvs_date(\"Date: 2019/11/22\");\n\n script_cve_id(\n \"CVE-2015-1719\",\n \"CVE-2015-1720\",\n \"CVE-2015-1721\",\n \"CVE-2015-1722\",\n \"CVE-2015-1723\",\n \"CVE-2015-1724\",\n \"CVE-2015-1725\",\n \"CVE-2015-1726\",\n \"CVE-2015-1727\",\n \"CVE-2015-1768\",\n \"CVE-2015-2360\"\n );\n script_bugtraq_id(\n 74998,\n 74999,\n 75000,\n 75005,\n 75006,\n 75008,\n 75009,\n 75010,\n 75012,\n 75024,\n 75025\n );\n script_xref(name:\"MSFT\", value:\"MS15-061\");\n script_xref(name:\"MSKB\", value:\"3057839\");\n\n script_name(english:\"MS15-061: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (3057839)\");\n script_summary(english:\"Checks the file version of Win32k.sys.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is affected by multiple vulnerabilities :\n\n - An information disclosure vulnerability exists in the\n Windows kernel-mode driver due to improper handling of\n buffer elements. A local attacker can exploit this\n vulnerability to request the contents of specific memory\n addresses. 
(CVE-2015-1719)\n\n - An elevation of privilege vulnerability exists in the\n Windows kernel-mode driver due to a user-after-free\n error. A remote attacker can exploit this vulnerability\n by convincing a user to run a specially crafted\n application, resulting in the execution of arbitrary\n code in kernel mode. (CVE-2015-1720)\n\n - A elevation of privilege vulnerability exists in the\n Windows kernel-mode driver due to a NULL pointer\n dereference flaw. A remote attacker can exploit this\n vulnerability by convincing a user to run a specially\n crafted application, resulting in the execution of\n arbitrary code in kernel mode. (CVE-2015-1721)\n\n - Multiple elevation of privilege vulnerabilities exist in\n the Windows kernel-mode driver due to improper handling\n of objects in memory. A local attacker can exploit these\n vulnerabilities, with a specially crafted application,\n to escalate privileges to full administrative rights.\n (CVE-2015-1722, CVE-2015-1723, CVE-2015-1724,\n CVE-2015-1726)\n\n - Multiple elevation of privilege vulnerabilities exist in\n the Windows kernel-mode driver due to improperly\n validated user-supplied input. A local attacker can\n exploit these vulnerabilities, with a specially crafted\n application, to escalate privileges to full\n administrative rights. (CVE-2015-1725, CVE-2015-1727)\n\n - Multiple elevation of privilege vulnerabilities exist in\n the Windows kernel-mode driver due a failure to properly\n free memory. A local attacker can exploit these\n vulnerabilities, with a specially crafted application,\n to execute arbitrary code in the context of another\n user. 
(CVE-2015-1725, CVE-2015-1727)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2015/ms15-061\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Windows 2003, Vista, 2008,\n7, 2008 R2, 8, 2012, 8.1, and 2012 R2.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2015-2360\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/06/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/06/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/06/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS15-061';\nkb = '3057839';\n\nkbs = make_list(kb);\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win2003:'2', vista:'2', win7:'1', win8:'0', win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\n# Some of the 2k3 checks could flag XP 64, which is unsupported\nif (\"Windows XP\" >< productname) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n # Windows 8.1 / Windows Server 2012 R2\n hotfix_is_vulnerable(os:\"6.3\", sp:0, file:\"Win32k.sys\", version:\"6.3.9600.17837\", min_version:\"6.3.9600.16000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n\n # Windows 8 / Windows Server 2012\n hotfix_is_vulnerable(os:\"6.2\", sp:0, file:\"Win32k.sys\", version:\"6.2.9200.21496\", min_version:\"6.2.9200.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.2\", sp:0, file:\"Win32k.sys\", version:\"6.2.9200.17385\", min_version:\"6.2.9200.16000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n\n # Windows 7 / Server 2008 R2\n hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"Win32k.sys\", version:\"6.1.7601.23072\", min_version:\"6.1.7601.22000\", 
dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"Win32k.sys\", version:\"6.1.7601.18869\", min_version:\"6.1.7600.16000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n\n # Vista / Windows Server 2008\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Win32k.sys\", version:\"6.0.6002.23706\", min_version:\"6.0.6002.23000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Win32k.sys\", version:\"6.0.6002.19399\", min_version:\"6.0.6001.18000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n\n # Windows Server 2003\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Win32k.sys\", version:\"5.2.3790.5640\", dir:\"\\system32\", bulletin:bulletin, kb:kb)\n)\n{\n set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "kaspersky": [{"lastseen": "2020-09-02T11:46:33", "bulletinFamily": "info", "cvelist": ["CVE-2015-1720", "CVE-2015-1726", "CVE-2015-1723", "CVE-2015-1757", "CVE-2015-1722", "CVE-2015-1719", "CVE-2015-1724", "CVE-2015-1768", "CVE-2015-1721", "CVE-2015-1725", "CVE-2015-1727", "CVE-2015-2360", "CVE-2015-1756", "CVE-2015-1758"], "description": "### *Detect date*:\n06/09/2015\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Microsoft products. 
Malicious users can exploit these vulnerabilities to gain privileges, execute arbitrary code or obtain sensitive information.\n\n### *Affected products*:\nWindows Server 2003 x86, x64, Itanium Service Pack 2 \nWindows Server 2003 R2 x86, x64 Service Pack 2 \nWindows Vista x86, x64 Service Pack 2 \nWindows Server 2008 x86, x64, Itanium Service Pack 2 \nWindows 7 x86, x64 Service Pack 1 \nWindows Server 2008 R2 x64, Itanium Service Pack 1 \nWindows 8 x86, x64 \nWindows 8.1 x86, x64 \nWindows Server 2012 \nWindows Server 2012 R2 \nWindows RT \nWindows RT 8.1\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[Microsoft advisory](<https://technet.microsoft.com/en-us/library/security/ms15-060>) \n[Microsoft advisory](<https://technet.microsoft.com/en-us/library/security/ms15-061>) \n[Microsoft advisory](<https://technet.microsoft.com/en-us/library/security/ms15-062>) \n[Microsoft advisory](<https://technet.microsoft.com/en-us/library/security/ms15-063>) \n[CVE-2015-1725](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-1725>) \n[CVE-2015-1724](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-1724>) \n[CVE-2015-1727](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-1727>) \n[CVE-2015-1726](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-1726>) \n[CVE-2015-1723](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-1723>) \n[CVE-2015-1722](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-1722>) \n[CVE-2015-2360](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-2360>) \n[CVE-2015-1768](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-1768>) 
\n[CVE-2015-1721](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-1721>) \n[CVE-2015-1720](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-1720>) \n[CVE-2015-1758](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-1758>) \n[CVE-2015-1757](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-1757>) \n[CVE-2015-1756](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-1756>) \n[CVE-2015-1719](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-1719>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows Vista](<https://threats.kaspersky.com/en/product/Microsoft-Windows-Vista-4/>)\n\n### *CVE-IDS*:\n[CVE-2015-1725](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1725>)7.2High \n[CVE-2015-1724](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1724>)7.2High \n[CVE-2015-1727](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1727>)7.2High \n[CVE-2015-1726](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1726>)7.2High \n[CVE-2015-1723](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1723>)7.2High \n[CVE-2015-1722](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1722>)7.2High \n[CVE-2015-2360](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2360>)7.2High \n[CVE-2015-1768](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1768>)7.2High \n[CVE-2015-1721](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1721>)7.2High \n[CVE-2015-1720](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1720>)7.2High \n[CVE-2015-1758](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1758>)6.9High \n[CVE-2015-1757](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1757>)4.3Warning \n[CVE-2015-1756](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1756>)9.3Critical 
\n[CVE-2015-1719](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1719>)2.1Warning\n\n### *Microsoft official advisories*:\n\n\n### *KB list*:\n[3062577](<http://support.microsoft.com/kb/3062577>) \n[3059317](<http://support.microsoft.com/kb/3059317>) \n[3057839](<http://support.microsoft.com/kb/3057839>) \n[3063858](<http://support.microsoft.com/kb/3063858>)\n\n### *Exploitation*:\nThe following public exploits exists for this vulnerability:", "edition": 41, "modified": "2020-06-18T00:00:00", "published": "2015-06-09T00:00:00", "id": "KLA10599", "href": "https://threats.kaspersky.com/en/vulnerability/KLA10599", "title": "\r KLA10599Multiple vulnerabilities in Microsoft Products ", "type": "kaspersky", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}