Vulnerabilities > CVE-2015-1635 - Code Injection vulnerability in Microsoft products
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN Summary
HTTP.sys in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 allows remote attackers to execute arbitrary code via crafted HTTP requests, aka "HTTP.sys Remote Code Execution Vulnerability."
Vulnerable Configurations
Part | Description | Count |
---|---|---|
OS | 7 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Leverage Executable Code in Non-Executable Files An attack of this type exploits a system's trust in configuration and resource files, when the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028 where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading pdf files. In this case the attacker simply appends javascript to the end of a legitimate url for a pdf (http://www.gnucitizen.org/blog/danger-danger-danger/) http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here The client assumes that they are reading a pdf, but the attacker has modified the resource and loaded executable javascript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server, adding role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when they are manipulated, the attacker gains full control.
- Manipulating User-Controlled Variables This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An attacker can override environment variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the attacker can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.
Exploit-Db
description Microsoft Window - HTTP.sys PoC (MS15-034). CVE-2015-1635. Dos exploit for windows platform file exploits/windows/dos/36773.c id EDB-ID:36773 last seen 2016-02-04 modified 2015-04-15 platform windows port published 2015-04-15 reporter rhcp011235 source https://www.exploit-db.com/download/36773/ title Microsoft Window - HTTP.sys PoC MS15-034 type dos description MS Windows (HTTP.sys) - HTTP Request Parsing DoS (MS15-034). CVE-2015-1635. Dos exploit for windows platform file exploits/windows/dos/36776.py id EDB-ID:36776 last seen 2016-02-04 modified 2015-04-16 platform windows port 80 published 2015-04-16 reporter laurent gaffie source https://www.exploit-db.com/download/36776/ title MS Windows HTTP.sys - HTTP Request Parsing DoS MS15-034 type dos
Metasploit
description This module will check if scanned hosts are vulnerable to CVE-2015-1635 (MS15-034), a vulnerability in the HTTP protocol stack (HTTP.sys) that could result in arbitrary code execution. This module will try to cause a denial-of-service. id MSF:AUXILIARY/DOS/HTTP/MS15_034_ULONGLONGADD last seen 2019-11-22 modified 2019-03-05 published 2015-04-15 references reporter Rapid7 source https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb title MS15-034 HTTP Protocol Stack Request Handling Denial-of-Service description This module dumps memory contents using a crafted Range header and affects only Windows 8.1, Server 2012, and Server 2012R2. Note that if the target is running in VMware Workstation, this module has a high likelihood of resulting in BSOD; however, VMware ESX and non-virtualized hosts seem stable. Using a larger target file should result in more memory being dumped, and SSL seems to produce more data as well. id MSF:AUXILIARY/SCANNER/HTTP/MS15_034_HTTP_SYS_MEMORY_DUMP last seen 2020-01-25 modified 2018-11-21 published 2015-06-23 references - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1635
- http://pastebin.com/ypURDPc4
- https://github.com/rapid7/metasploit-framework/pull/5150
- https://community.qualys.com/blogs/securitylabs/2015/04/20/ms15-034-analyze-and-remote-detection
- http://www.securitysift.com/an-analysis-of-ms15-034/
- http://securitysift.com/an-analysis-of-ms15-034/
reporter Rapid7 source https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/http/ms15_034_http_sys_memory_dump.rb title MS15-034 HTTP Protocol Stack Request Handling HTTP.SYS Memory Information Disclosure
Msbulletin
bulletin_id | MS15-034 |
bulletin_url | |
date | 2015-04-14T00:00:00 |
impact | Remote Code Execution |
knowledgebase_id | 3042553 |
knowledgebase_url | |
severity | Critical |
title | Vulnerability in HTTP.sys Could Allow Remote Code Execution |
Nessus
NASL family Windows : Microsoft Bulletins NASL id SMB_NT_MS15-034.NASL description The version of Windows running on the remote host is affected a vulnerability in the HTTP protocol stack (HTTP.sys) due to improperly parsing crafted HTTP requests. A remote attacker can exploit this to execute arbitrary code with System privileges. last seen 2020-06-01 modified 2020-06-02 plugin id 82771 published 2015-04-14 reporter This script is Copyright (C) 2015-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/82771 title MS15-034: Vulnerability in HTTP.sys Could Allow Remote Code Execution (3042553) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(82771); script_version("1.8"); script_cvs_date("Date: 2018/11/15 20:50:31"); script_cve_id("CVE-2015-1635"); script_bugtraq_id(74013); script_xref(name:"MSFT", value:"MS15-034"); script_xref(name:"MSKB", value:"3042553"); script_xref(name:"IAVA", value:"2015-A-0092"); script_name(english:"MS15-034: Vulnerability in HTTP.sys Could Allow Remote Code Execution (3042553)"); script_summary(english:"Checks the file version of HTTP.sys."); script_set_attribute(attribute:"synopsis", value: "The remote Windows host is affected by a vulnerability in the HTTP protocol stack."); script_set_attribute(attribute:"description", value: "The version of Windows running on the remote host is affected a vulnerability in the HTTP protocol stack (HTTP.sys) due to improperly parsing crafted HTTP requests. A remote attacker can exploit this to execute arbitrary code with System privileges."); script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2015/ms15-034"); script_set_attribute(attribute:"solution", value: "Microsoft has released a set of patches for Windows 7, 2008 R2, 8, 8.1, 2012, and 2012 R2"); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2015/04/14"); script_set_attribute(attribute:"patch_publication_date", value:"2015/04/14"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/04/14"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows"); script_set_attribute(attribute:"stig_severity", value:"I"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows : Microsoft Bulletins"); script_copyright(english:"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc."); script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl"); script_require_keys("SMB/MS_Bulletin_Checks/Possible"); script_require_ports(139, 445, "Host/patch_management_checks"); exit(0); } include("audit.inc"); include("smb_hotfixes_fcheck.inc"); include("smb_hotfixes.inc"); include("smb_func.inc"); include("misc_func.inc"); get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible"); bulletin = 'MS15-034'; kb = '3042553'; kbs = make_list(kb); if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE); get_kb_item_or_exit("SMB/Registry/Enumerated"); get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1); if (hotfix_check_sp_range(win7:'1', win8:'0', win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN); share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE); if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share); if ( # Windows 8.1 / Windows Server 2012 R2 / Windows Server 2012 R2 (Server Core installation) hotfix_is_vulnerable(os:"6.3", sp:0, file:"http.sys", version:"6.3.9600.17712", min_version:"6.3.9600.16000", dir:"\system32\drivers", bulletin:bulletin, kb:kb) || # Windows 8 / Windows Server 2012 / Windows Server 2012 (Server Core installation) hotfix_is_vulnerable(os:"6.2", sp:0, file:"http.sys", version:"6.2.9200.21401", min_version:"6.2.9200.20000", dir:"\system32\drivers", bulletin:bulletin, kb:kb) || hotfix_is_vulnerable(os:"6.2", sp:0, file:"http.sys", version:"6.2.9200.17285", min_version:"6.2.9200.16000", dir:"\system32\drivers", bulletin:bulletin, kb:kb) || # Windows 7 / Server 2008 R2 hotfix_is_vulnerable(os:"6.1", sp:1, file:"http.sys", version:"6.1.7601.22976", min_version:"6.1.7601.22000", dir:"\system32\drivers", bulletin:bulletin, kb:kb) || hotfix_is_vulnerable(os:"6.1", sp:1, file:"http.sys", version:"6.1.7601.18772", min_version:"6.1.7600.16000", dir:"\system32\drivers", bulletin:bulletin, kb:kb) ) { set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE); hotfix_security_hole(); hotfix_check_fversion_end(); exit(0); } else { hotfix_check_fversion_end(); audit(AUDIT_HOST_NOT, 'affected'); }
NASL family Windows NASL id MS15-034.NASL description The version of Windows running on the remote host is affected by an integer overflow condition in the HTTP protocol stack (HTTP.sys) due to improper parsing of crafted HTTP requests. An unauthenticated, remote attacker can exploit this to execute arbitrary code with System privileges. last seen 2020-06-01 modified 2020-06-02 plugin id 82828 published 2015-04-16 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/82828 title MS15-034: Vulnerability in HTTP.sys Could Allow Remote Code Execution (3042553) (uncredentialed check) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(82828); script_version("1.12"); script_cvs_date("Date: 2019/09/23 17:26:04"); script_cve_id("CVE-2015-1635"); script_bugtraq_id(74013); script_xref(name:"MSFT", value:"MS15-034"); script_xref(name:"IAVA", value:"2015-A-0092"); script_xref(name:"EDB-ID", value:"36773"); script_xref(name:"EDB-ID", value:"36776"); script_xref(name:"MSKB", value:"3042553"); script_name(english:"MS15-034: Vulnerability in HTTP.sys Could Allow Remote Code Execution (3042553) (uncredentialed check)"); script_summary(english:"Checks response from HTTP.sys."); script_set_attribute(attribute:"synopsis", value: "The remote Windows host is affected by a remote code execution vulnerability in the HTTP protocol stack."); script_set_attribute(attribute:"description", value: "The version of Windows running on the remote host is affected by an integer overflow condition in the HTTP protocol stack (HTTP.sys) due to improper parsing of crafted HTTP requests. An unauthenticated, remote attacker can exploit this to execute arbitrary code with System privileges."); # https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2015/ms15-034 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?c5d803b6"); script_set_attribute(attribute:"solution", value: "Microsoft has released a set of patches for Windows 7, 2008 R2, 8, 8.1, 2012, and 2012 R2"); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-1635"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2015/04/14"); script_set_attribute(attribute:"patch_publication_date", value:"2015/04/14"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/04/16"); script_set_attribute(attribute:"potential_vulnerability", value:"true"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows"); script_set_attribute(attribute:"stig_severity", value:"I"); script_end_attributes(); script_category(ACT_ATTACK); script_family(english:"Windows"); script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("os_fingerprint.nasl", "http_version.nasl"); script_require_keys("Settings/ParanoidReport"); script_require_ports("Services/www",80, 443); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("http.inc"); function possible_middlebox(port) { local_var banner, list, p; list = get_kb_list('Services/www'); if(list) { list = make_list(list); foreach p (list) { if (p == port) continue; banner = get_http_banner(port:p); if('BigIP' >< banner) return TRUE; } } return FALSE; } # Check OS os = get_kb_item("Host/OS"); if ("Microsoft Windows Server 2008 R2" >!< os && "Microsoft Windows Server 2012" >!< os && "Microsoft Windows 8" >!< os && "Microsoft Windows 7" >!< os) audit(AUDIT_OS_NOT,"Microsoft Windows 7 / 2008 R2 / 8 / 8.1 / 2012 / 2012 R2"); # Check for IIS only # WinRM and PowerShell Remoting don't seem to be vulnerable according to # https://twitter.com/Lee_Holmes/status/588464652708806656 port = get_http_port(default:80); banner = get_http_banner(port:port); if ("Microsoft-IIS" >!< banner) exit(0, "The web server listening on port " + port + " does not appear to be Microsoft IIS."); # # Skip testing if scanning through a 'middle box' # if (possible_middlebox(port:port)) { exit(0, "The remote host may be scanned through a 'middle box' which could produce unreliable scan results. Skipped testing the web server listening on port " + port + "."); } r = http_send_recv3(port: port, item: "/", method: "GET", add_headers: make_array("Range", "bytes=0-18446744073709551615")); if(isnull(r[0])) audit(AUDIT_RESP_NOT, port); if (r[0] =~ "^HTTP/[0-9.]+ +(416|302|301|307|200|401)") { # Paranoid due to potential FP when scanning through otherwise # undetectable loadbalancer. if (report_paranoia < 2) audit(AUDIT_PARANOID); extra = 'HTTP response status: ' + r[0]; security_report_v4(port: port, severity: SECURITY_HOLE, extra: extra); } else if (r[0] =~ "^HTTP/[0-9.]+ +400") { audit(AUDIT_HOST_NOT, 'affected'); } else { exit(1, "Unexpected HTTP response status from remote port "+ port+ ": " + r[0]); }
Packetstorm
data source | https://packetstormsecurity.com/files/download/131463/ms15-034.txt |
id | PACKETSTORM:131463 |
last seen | 2016-12-05 |
published | 2015-04-16 |
reporter | rhcp011235 |
source | https://packetstormsecurity.com/files/131463/Microsoft-Windows-HTTP.sys-Proof-Of-Concept.html |
title | Microsoft Windows HTTP.sys Proof Of Concept |
Seebug
bulletinFamily | exploit |
description | <h4><strong></strong>一、漏洞概要<strong></strong></h4><p> </p><p>2015年04月14日,微软发布严重级别的安全公告 MS15-034,编号为 CVE-2015-1635,据称在 Http.sys 中的漏洞可能允许远程执行代码。</p><ul><li><strong> 漏洞描述</strong></li></ul><p>Http.sys 是一个位于 Windows 操作系统核心组件,能够让任何应用程序通过它提供的接口,以 Http 协议进行信息通讯。微软在 Windows 2003 Server 里引进了新的 HTTP API 和内核模式驱动 Http.sys,目的是使基于 Http 服务的程序更有效率。其实在 Windows XP 安装 SP2 后,Http.sys 已经出现在系统里了,但事实上操作系统并没有真的使用这个内核级驱动,而 XP 上自带的 IIS 5.1 也没有使用 HTTP API。</p><p>从曝出的 POC 来看,此漏洞是一个整数溢出类型的漏洞,微软安全公告称最大安全影响是远程执行代码。</p><ul><li><strong>漏洞影响</strong></li></ul><p>受影响版本:</p><p>IIS 7.0以上的Windows 7/8/8.1和Windows Server 2008 R2/Server 2012/Server 2012 R2等操作系统。</p><ul><li><strong>漏洞分析</strong></li></ul><p>根据补丁比较发现,POC 中提到的代码出现在 UlpParseRange 函数中修改的部分。</p><p>在未打补丁的 Http.sys 文件的 UlpParseRange 函数中,代码如下。</p><p><img src="http://blog.knownsec.com/wp-content/uploads/2015/04/4.171.jpg" alt="4.171" height="294" width="358"></p><p><img src="http://blog.knownsec.com/wp-content/uploads/2015/04/4.172.jpg" alt="4.172" height="35" width="536"></p><p>可以看到,在计算 64 位整数时直接进行了运算,没有进行必要的整数溢出检查。</p><p>而在打补丁的 Http.sys 文件的 UlpParseRange 函数中,修改代码如下。</p><p><img src="http://blog.knownsec.com/wp-content/uploads/2015/04/4.173.jpg" alt="4.173" height="284" width="340"></p><p><img src="http://blog.knownsec.com/wp-content/uploads/2015/04/4.174.jpg" alt="4.174" height="20" width="649"></p><p>用 RtlULongLongAdd 函数来计算 Range 范围长度 v18,这个函数中是做了整数溢出检查的。</p><p><img src="http://blog.knownsec.com/wp-content/uploads/2015/04/4.175.jpg" alt="4.175" height="323" width="792"></p><p>再看一下对 RtlULongLongAdd 函数的调用情况。</p><p><img src="http://blog.knownsec.com/wp-content/uploads/2015/04/4.176.jpg" alt="4.176" height="139" width="690"></p><p>在未打补丁的 Http.sys 文件中只有 1 处调用了 RtlULongLongAdd 函数。</p><p><img src="http://blog.knownsec.com/wp-content/uploads/2015/04/4.177.jpg" alt="4.177" height="333" width="393"></p><p>而在打补丁的 Http.sys 文件中总共有 13 处调用了 RtlULongLongAdd 函数进行整数溢出检查,说明有漏洞的系统中可能有多个处理流程会涉及到整数溢出造成的安全问题。</p><p>通过补丁比较确定了修改过的函数如下。</p><p><img src="http://blog.knownsec.com/wp-content/uploads/2015/04/4.178.jpg" alt="4.178" height="202" width="701"></p><p>经过分析发现,UlAdjustRangesToContentSize 函数中的整数溢出点,才是导致漏洞能发挥作用的关键流程。</p><p><img src="http://blog.knownsec.com/wp-content/uploads/2015/04/4.179.jpg" alt="4.179" height="295" width="452"></p><p> </p><p>这段代码还是采用了直接运算 64 位整数的方式,没有检查是否溢出,在补丁文件中替换为调用 RtlULongLongAdd 函数。</p><p>这部分代码的功能是判断获取文件偏移量的范围,是否会超过请求缓存文件的数据长度,如果超出就把读取长度 修改为合适的大小,防止越界访问数据。但是由于发生了整数溢出,使得判断越界的代码失效,这样就不会修改读取长度,造成用可控的长度值越界访问数据。</p><p>但是如果要成功利用此漏洞还需要一些必要的条件,具体细节有待进一步分析。</p><ul><li><strong>漏洞验证</strong></li></ul><p>可以使用 PoC 区域中 Python 程序对系统进行漏洞检测。</p><p>如果打印出“Looks VULN”,说明系统存在漏洞。</p><h4><strong></strong>二、ZoomEye 应急概要<strong></strong></h4><p> </p><p>知道创宇安全研究团队通过网络空间搜索引擎 ZoomEye 进行全网搜索,得出目前网络空间中可能受影响网站所使用 IIS 版本比例如下所示:</p><p><img src="http://blog.knownsec.com/wp-content/uploads/2015/04/4.16%E9%85%8D%E5%9B%BE1.png" alt="4.16配图1" height="323" width="575"></p><p> </p><p>▲受威胁网站使用版本比例</p><p><img src="http://blog.knownsec.com/wp-content/uploads/2015/04/4.16%E9%85%8D%E5%9B%BE2.png" alt="4.16配图2" height="509" width="672"></p><p>▲全国网站受 IIS 漏洞影响地域分布情况</p><p>另外,ZoomEye 搜索结果显示,全国受漏洞威胁的网站总数达 795,317 个,超过我国网站总数的五分之一,从区域分布来看,排在首位的北京地区共 276,39 个,对漏洞的修复工作刻不容缓。请网络管理员尽快打补丁修复,官方补丁下载地址:</p><ul><li><a href="https://support.microsoft.com/zh-cn/kb/3042553">https://support.microsoft.com/zh-cn/kb/3042553</a>。</li></ul><h4>三、修复建议</h4><p>通过 Windows 更新机制,选择 KB3042553 安全更新进行系统升级。</p><p>此漏洞在线验证地址:<a href="http://www.scanv.com/lab" target="_blank">http://www.scanv.com/lab</a></p><h4><strong></strong>四、相关资源链接<strong></strong></h4><ul><li><a href="https://technet.microsoft.com/zh-cn/library/security/ms15-034">https://technet.microsoft.com/zh-cn/library/security/ms15-034</a></li></ul><p>应急报告下载:<a target="_blank" href="http://blog.knownsec.com/wp-content/uploads/2015/04/IIS%E7%B3%BB%E5%88%97Http.sys%E5%A4%84%E7%90%86Range%E6%95%B4%E6%95%B0%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E-%E5%BA%94%E6%80%A5%E5%88%86%E6%9E%90%E6%8A%A5%E5%91%8AV1-.pdf">IIS系列Http.sys处理Range整数溢出漏洞 应急分析报告V1</a><br></p> |
id | SSV:89233 |
last seen | 2017-11-19 |
modified | 2015-07-01 |
published | 2015-07-01 |
reporter | Root |
source | https://www.seebug.org/vuldb/ssvid-89233 |
title | IIS 系列 Http.sys 处理 Range 整数溢出漏洞 |
Related news
References
- http://packetstormsecurity.com/files/131463/Microsoft-Windows-HTTP.sys-Proof-Of-Concept.html
- http://packetstormsecurity.com/files/131463/Microsoft-Windows-HTTP.sys-Proof-Of-Concept.html
- http://www.osvdb.org/120629
- http://www.osvdb.org/120629
- http://www.securityfocus.com/bid/74013
- http://www.securityfocus.com/bid/74013
- http://www.securitytracker.com/id/1032109
- http://www.securitytracker.com/id/1032109
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-034
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-034
- https://www.exploit-db.com/exploits/36773/
- https://www.exploit-db.com/exploits/36773/
- https://www.exploit-db.com/exploits/36776/
- https://www.exploit-db.com/exploits/36776/