Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.SMB_NT_MS15-111.NASL
HistoryOct 13, 2015 - 12:00 a.m.

MS15-111: Security Update for Windows Kernel to Address Elevation of Privilege (3096447)

2015-10-1300:00:00
This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
34
JSON

The remote Windows host is affected by the following vulnerabilities :

  • Multiple elevation of privilege vulnerabilities exist in the Windows kernel due to improper handling of objects in memory. A local attacker can exploit these vulnerabilities, via a specially crafted application, to execute arbitrary code in kernel mode. (CVE-2015-2549, CVE-2015-2550, CVE-2015-2554)

  • A security feature bypass vulnerability exists due to a failure to properly enforce the Windows Trusted Boot policy. A local attacker can exploit this, via a specially crafted Boot Configuration Data (BCD) setting, to disable code integrity checks, resulting in the execution of test-signed executables and drivers.
    Additionally, a local attacker can exploit this vulnerability to bypass Trusted Boot integrity validation for BitLocker and Device Encryption security features. (CVE-2015-2552)

  • An elevation of privilege vulnerability exists due to improper validation of junctions in certain scenarios in which mount points are being created. An unauthenticated, remote attacker can exploit this in conjunction with another vulnerability to execute arbitrary code in the context of the current user.
    (CVE-2015-2553)

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(86373);
  script_version("1.9");
  script_cvs_date("Date: 2019/11/20");

  script_cve_id(
    "CVE-2015-2549",
    "CVE-2015-2550",
    "CVE-2015-2552",
    "CVE-2015-2553",
    "CVE-2015-2554"
  );
  script_bugtraq_id(
    76994,
    76998,
    76999,
    77004,
    77014
  );
  script_xref(name:"MSFT", value:"MS15-111");
  script_xref(name:"MSKB", value:"3088195");
  script_xref(name:"MSKB", value:"3097617");
  script_xref(name:"IAVA", value:"2015-A-0242");

  script_name(english:"MS15-111: Security Update for Windows Kernel to Address Elevation of Privilege (3096447)");
  script_summary(english:"Checks the version of Ntoskrnl.exe or Winload.exe.");

  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The remote Windows host is affected by the following
vulnerabilities :

  - Multiple elevation of privilege vulnerabilities exist in
    the Windows kernel due to improper handling of objects
    in memory. A local attacker can exploit these
    vulnerabilities, via a specially crafted application, to
    execute arbitrary code in kernel mode. (CVE-2015-2549,
    CVE-2015-2550, CVE-2015-2554)

  - A security feature bypass vulnerability exists due to a
    failure to properly enforce the Windows Trusted Boot
    policy. A local attacker can exploit this, via a
    specially crafted Boot Configuration Data (BCD) setting,
    to disable code integrity checks, resulting in the
    execution of test-signed executables and drivers.
    Additionally, a local attacker can exploit this
    vulnerability to bypass Trusted Boot integrity
    validation for BitLocker and Device Encryption security
    features. (CVE-2015-2552)

  - An elevation of privilege vulnerability exists due to
    improper validation of junctions in certain scenarios in
    which mount points are being created. An
    unauthenticated, remote attacker can exploit this in
    conjunction with another vulnerability to execute
    arbitrary code in the context of the current user.
    (CVE-2015-2553)");
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2015/ms15-111");
  script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/3096447/ms15-111-security-update-for-windows-kernel-to-address-elevation-of-pr");
  script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Windows Vista, 2008, 7,
2008 R2, 8, RT, 2012, 8.1, RT 8.1, 2012 R2, and 10.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-2554");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/10/13");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/10/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/10/13");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_set_attribute(attribute:"stig_severity", value:"II");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, "Host/patch_management_checks");

  exit(0);
}

include("audit.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_hotfixes.inc");
include("smb_func.inc");
include("misc_func.inc");

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS15-111';

kb = "3088195";
kbs = make_list("3088195","3097617");

if (get_kb_item("Host/patch_management_checks"))
  hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

if (hotfix_check_sp_range(vista:'2', win7:'1', win8:'0', win81:'0', win10: '0') <= 0)
  audit(AUDIT_OS_SP_NOT_VULN);

share = hotfix_get_systemdrive(exit_on_fail:TRUE, as_share:TRUE);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

if (
  # Windows 10
  hotfix_is_vulnerable(os:"10", file:"Ntoskrnl.exe", version:"10.0.10240.16545", dir:"\system32", bulletin:bulletin, kb:"3097617") ||
  # Windows 8.1 / 2012 R2
  hotfix_is_vulnerable(os:"6.3", file:"winload.exe", version:"6.3.9600.18066", min_version:"6.3.9600.16000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  # Windows 8 / 2012
  hotfix_is_vulnerable(os:"6.2", file:"Ntoskrnl.exe", version:"6.2.9200.21645", min_version:"6.2.9200.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.2", file:"Ntoskrnl.exe", version:"6.2.9200.17528", min_version:"6.2.9200.16000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  # Windows 7 / 2008 R2
  hotfix_is_vulnerable(os:"6.1", sp:1, file:"Ntoskrnl.exe", version:"6.1.7601.23223", min_version:"6.1.7601.22000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.1", sp:1, file:"Ntoskrnl.exe", version:"6.1.7601.19018", min_version:"6.1.7600.18000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  # Vista / 2008
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"Ntoskrnl.exe", version:"6.0.6002.23813", min_version:"6.0.6002.23000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"Ntoskrnl.exe", version:"6.0.6002.19503", min_version:"6.0.6002.18000", dir:"\system32", bulletin:bulletin, kb:kb)

)
{
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}
VendorProductVersionCPE
microsoftwindowscpe:/o:microsoft:windows

Related

mskb 2
openvas 1
kaspersky 1
cve 5
symantec 5
exploitpack 3
prion 5
packetstorm 1
securityvulns 2
cvelist 5
zdt 1
exploitdb 3
mskb
mskb
MS15-111: Security Update for Windows Kernel to address elevation of privilege: October 13, 2015
2015-10-13 00:00:00
MS15-111: Description of the security update for Windows Kernel: October 13, 2015
2017-01-07 00:00:00
openvas
openvas
Microsoft Windows Privilege Elevation Vulnerabilities (3096447)
2015-10-14 00:00:00
kaspersky
kaspersky
KLA10674 Multiple vulnerabilities in Microsoft Windows
2015-10-12 00:00:00
cve
cve
CVE-2015-2552
2015-10-14 01:59:00
CVE-2015-2550
2015-10-14 01:59:00
CVE-2015-2553
2015-10-14 01:59:00
symantec
symantec
Microsoft Windows Trusted Boot CVE-2015-2552 Local Security Bypass Vulnerability
2015-10-13 00:00:00
Microsoft Windows Mount Point CVE-2015-2553 Local Privilege Escalation Vulnerability
2015-10-13 00:00:00
Microsoft Windows Kernel CVE-2015-2550 Local Privilege Escalation Vulnerability
2015-10-13 00:00:00
exploitpack
exploitpack
Microsoft Windows 10 - Desktop Bridge Activation Arbitrary Directory Creation Privilege Escalation
2018-06-20 00:00:00
Microsoft Windows - Sandboxed Mount Reparse Point Creation Mitigation Bypass Redux (MS16-008) (1)
2016-01-25 00:00:00
Microsoft Windows - Sandboxed Mount Reparse Point Creation Mitigation Bypass Redux (MS16-008) (2)
2016-01-25 00:00:00
prion
prion
Security feature bypass
2015-10-14 01:59:00
Privilege escalation
2015-10-14 01:59:00
Privilege escalation
2015-10-14 01:59:00
packetstorm
packetstorm
Microsoft Trusted Boot Security Feature Bypass
2015-10-14 00:00:00
securityvulns
securityvulns
[CVE-2015-2552] Windows 8+ - Trusted Boot Security Feature Bypass Vulnerability
2015-10-25 00:00:00
Microsoft Windows multiple security vulnerabilities
2015-10-25 00:00:00
cvelist
cvelist
CVE-2015-2552
2015-10-14 01:00:00
CVE-2015-2550
2015-10-14 01:00:00
CVE-2015-2554
2015-10-14 01:00:00
zdt
zdt
Windows 10 Sandboxed Mount Reparse Point Creation Mitigation Bypass (MS15-111)
2015-10-15 00:00:00
exploitdb
exploitdb
Microsoft Windows 10 - Desktop Bridge Activation Arbitrary Directory Creation Privilege Escalation
2018-06-20 00:00:00
Microsoft Windows - Sandboxed Mount Reparse Point Creation Mitigation Bypass Redux (MS16-008) (2)
2016-01-25 00:00:00
Microsoft Windows - Sandboxed Mount Reparse Point Creation Mitigation Bypass Redux (MS16-008) (1)
2016-01-25 00:00:00
JSON
Related for SMB_NT_MS15-111.NASL
mskb2openvas1kaspersky1cve5symantec5exploitpack3prion5packetstorm1securityvulns2cvelist5zdt1exploitdb3