Vulnerabilities > CVE-2015-1674 - 7PK - Security Features vulnerability in Microsoft products

CVSS 4.6 - MEDIUM
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
local
low complexity
microsoft
CWE-254
nessus
exploit available

Summary

The kernel in Microsoft Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not properly validate an unspecified address, which allows local users to bypass the KASLR protection mechanism, and consequently discover the cng.sys base address, via a crafted application, aka "Windows Kernel Security Feature Bypass Vulnerability."

Common Weakness Enumeration (CWE)

Exploit-Db

description: Windows - CNG.SYS Kernel Security Feature Bypass PoC (MS15-052). CVE-2015-1674. Local exploit for windows platform
file: exploits/windows/local/37052.c
id: EDB-ID:37052
last seen: 2016-02-04
modified: 2015-05-18
platform: windows
port:
published: 2015-05-18
reporter: 4B5F5F4B
source: https://www.exploit-db.com/download/37052/
title: Windows - CNG.SYS Kernel Security Feature Bypass PoC MS15-052
type: local

Msbulletin

bulletin_id: MS15-052
bulletin_url:
date: 2015-05-12T00:00:00
impact: Security Feature Bypass
knowledgebase_id: 3050514
knowledgebase_url:
severity: Important
title: Vulnerability in Windows Kernel Could Allow Security Feature Bypass

Nessus

NASL family: Windows : Microsoft Bulletins
NASL id: SMB_NT_MS15-052.NASL
description: The remote Windows host is affected by a security feature bypass vulnerability due to a failure to properly validate memory addresses by the Windows kernel. A remote attacker can exploit this flaw, via a specially crafted application, to bypass the Kernel Address Space Layout Randomization (KASLR), resulting in the disclosure of the base address of the Cryptography Next Generation (CNG) kernel-mode driver (cng.sys).
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 83361
published: 2015-05-12
reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/83361
title: MS15-052: Vulnerability in Windows Kernel Could Allow Security Feature Bypass (3050514)
code:
#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

# Plugin registration block: when the engine loads the plugin with
# `description` set, only the metadata below is recorded and the plugin
# exits before the version check further down is reached.
if (description)
{
  script_id(83361);
  script_version("1.9");
  script_cvs_date("Date: 2019/11/22");

  # Cross-references: the CVE, BugTraq id, Microsoft bulletin and KB article.
  script_cve_id("CVE-2015-1674");
  script_bugtraq_id(74488);
  script_xref(name:"MSFT", value:"MS15-052");
  script_xref(name:"MSKB", value:"3050514");

  script_name(english:"MS15-052: Vulnerability in Windows Kernel Could Allow Security Feature Bypass (3050514)");
  script_summary(english:"Checks the version of cng.sys.");

  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host is affected by a security bypass
vulnerability.");
  # NOTE(review): the text says "remote attacker", but the base vector below
  # is AV:L — the flaw needs code already running on the host; the finding
  # is a KASLR information leak, not remote code execution.
  script_set_attribute(attribute:"description", value:
"The remote Windows host is affected by a security feature bypass
vulnerability due to a failure to properly validate memory addresses
by the Windows kernel. A remote attacker can exploit this flaw, via a
specially crafted application, to bypass the Kernel Address Space
Layout Randomization (KASLR), resulting in the disclosure of the base
address of the Cryptography Next Generation (CNG) kernel-mode driver
(cng.sys).");
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2015/ms15-052");
  script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Windows 8, 2012, 8.1, and
2012 R2.");
  # CVSS v2: local vector, low complexity, no auth, partial C/I/A.
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-1674");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/05/12");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/05/12");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/05/12");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Prerequisites: the hotfix enumeration plugins must have run, the
  # SMB/MS_Bulletin_Checks/Possible key must exist, and an SMB port (or a
  # patch-management data source) must be available.
  script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, "Host/patch_management_checks");

  exit(0);
}

include("audit.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_hotfixes.inc");
include("smb_func.inc");
include("misc_func.inc");

# Version check for cng.sys against the MS15-052 fixed builds.
# Exits early (via audit()) whenever a prerequisite is missing or the host
# is out of scope; otherwise reports whether the KB is missing.
get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS15-052';
kb  = "3050514";
kbs = make_list(kb);

# Hand the bulletin/KB pair to the patch-management check when that data
# source is present for this host.
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_WARNING);

get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

# Only Windows 8 / 8.1 (and the matching Server 2012 / 2012 R2 builds) are in scope.
if (hotfix_check_sp_range(win8:'0', win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

# Every affected build keeps cng.sys under \system32\drivers and shares the
# same bulletin/KB, so only the OS version and the build-number band differ
# between checks.
function cng_is_vulnerable(os, version, min_version)
{
  return hotfix_is_vulnerable(os:os, sp:0, file:"cng.sys", version:version, min_version:min_version, dir:"\system32\drivers", bulletin:bulletin, kb:kb);
}

# The || chain short-circuits: evaluation stops at the first matching band,
# exactly as before.
missing_patch =
  # Windows 8.1 / Windows Server 2012 R2
  cng_is_vulnerable(os:"6.3", version:"6.3.9600.17785", min_version:"6.3.9600.16000") ||
  # Windows 8 / Windows Server 2012, two build-number bands
  cng_is_vulnerable(os:"6.2", version:"6.2.9200.21456", min_version:"6.2.9200.20000") ||
  cng_is_vulnerable(os:"6.2", version:"6.2.9200.17343", min_version:"6.2.9200.16000");

if (missing_patch)
{
  set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
  hotfix_security_warning();
  hotfix_check_fversion_end();
  exit(0);
}

# Not vulnerable: release the file-version state and audit out.
hotfix_check_fversion_end();
audit(AUDIT_HOST_NOT, 'affected');