CVE-2015-1701 - Unspecified vulnerability in Microsoft products

047910
CVSS 7.8 - HIGH
Attack vector: LOCAL
Attack complexity: LOW
Privileges required: LOW
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH

Tags: local, low complexity, microsoft, nessus, exploit available, metasploit

Summary

Win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2003 SP2, Vista SP2, and Server 2008 SP2 allows local users to gain privileges via a crafted application, as exploited in the wild in April 2015, aka "Win32k Elevation of Privilege Vulnerability."

Exploit-Db

  • description: Windows ClientCopyImage Win32k Exploit. CVE-2015-1701. Local exploit for windows platform
    file: exploits/windows/local/37367.rb
    id: EDB-ID:37367
    last seen: 2016-02-04
    modified: 2015-06-24
    platform: windows
    port:
    published: 2015-06-24
    reporter: metasploit
    source: https://www.exploit-db.com/download/37367/
    title: Windows ClientCopyImage Win32k Exploit
    type: local
  • description: Microsoft Windows - Local Privilege Escalation (MS15-051). CVE-2015-1676,CVE-2015-1677,CVE-2015-1678,CVE-2015-1679,CVE-2015-1680,CVE-2015-1701. Local exploit...
    file: exploits/windows/local/37049.txt
    id: EDB-ID:37049
    last seen: 2016-02-04
    modified: 2015-05-18
    platform: windows
    port:
    published: 2015-05-18
    reporter: hfiref0x
    source: https://www.exploit-db.com/download/37049/
    title: Microsoft Windows - Local Privilege Escalation MS15-051
    type: local

Metasploit

description: This module exploits improper object handling in the win32k.sys kernel mode driver. This module has been tested on vulnerable builds of Windows 7 x64 and x86, and Windows 2008 R2 SP1 x64.
id: MSF:EXPLOIT/WINDOWS/LOCAL/MS15_051_CLIENT_COPY_IMAGE
last seen: 2020-05-11
modified: 2018-10-28
published: 2015-06-03
references:
reporter: Rapid7
source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/local/ms15_051_client_copy_image.rb
title: Windows ClientCopyImage Win32k Exploit

Msbulletin

bulletin_id: MS15-051
bulletin_url:
date: 2015-05-12T00:00:00
impact: Elevation of Privilege
knowledgebase_id: 3057191
knowledgebase_url:
severity: Important
title: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege

Nessus

NASL family: Windows : Microsoft Bulletins
NASL id: SMB_NT_MS15-051.NASL
description: The version of Windows running on the remote host is affected by multiple vulnerabilities:
  - Multiple information disclosure vulnerabilities exist due to the Win32k.sys kernel-mode driver improperly handling objects in memory. A local attacker can exploit this to reveal private address information during a function call, resulting in the disclosure of kernel memory contents. (CVE-2015-1676, CVE-2015-1677, CVE-2015-1678, CVE-2015-1679, CVE-2015-1680)
  - A privilege escalation vulnerability exists due to the Win32k.sys kernel-mode driver improperly handling objects in memory. A local attacker can exploit this flaw, via a specially crafted application, to execute arbitrary code in kernel mode. This vulnerability is reportedly being exploited in the wild. (CVE-2015-1701)
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 83370
published: 2015-05-12
reporter: This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/83370
title: MS15-051: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (3057191)
code:
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(83370);
  script_version("1.13");
  script_cvs_date("Date: 2018/11/15 20:50:31");

  script_cve_id(
    "CVE-2015-1676",
    "CVE-2015-1677",
    "CVE-2015-1678",
    "CVE-2015-1679",
    "CVE-2015-1680",
    "CVE-2015-1701"
  );
  script_bugtraq_id(
    74245,
    74483,
    74494,
    74495,
    74496,
    74497
  );
  script_xref(name:"MSFT", value:"MS15-051");
  script_xref(name:"MSKB", value:"3045171");
  script_xref(name:"MSKB", value:"3057191");
  script_xref(name:"MSKB", value:"3065979");
  script_xref(name:"IAVA", value:"2015-A-0108");

  script_name(english:"MS15-051: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (3057191)");
  script_summary(english:"Checks the file version of Win32k.sys.");

  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of Windows running on the remote host is affected by
multiple vulnerabilities :

  - Multiple information disclosure vulnerabilities exist
    due to the Win32k.sys kernel-mode driver improperly
    handling objects in memory. A local attacker can exploit
    this to reveal private address information during a
    function call, resulting in the disclosure of kernel
    memory contents. (CVE-2015-1676, CVE-2015-1677,
    CVE-2015-1678, CVE-2015-1679, CVE-2015-1680)

  - A privilege escalation vulnerability exists due to the
    Win32k.sys kernel-mode driver improperly handling
    objects in memory. A local attacker can exploit this
    flaw, via a specially crafted application, to execute
    arbitrary code in kernel mode. This vulnerability is
    reportedly being exploited in the wild. (CVE-2015-1701)");
  # https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?37b0306c");
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2015/ms15-051");
  script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Windows 2003, Vista, 2008,
7, 2008 R2, 8, 2012, 8.1, and 2012 R2.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Windows ClientCopyImage Win32k Exploit');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/04/18");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/05/12");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/05/12");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_set_attribute(attribute:"stig_severity", value:"II");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.");

  script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, "Host/patch_management_checks");

  exit(0);
}

include("audit.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_hotfixes.inc");
include("smb_func.inc");
include("misc_func.inc");

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS15-051';
kb = '3045171';

kbs = make_list('3057191', kb, '3065979');
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

if (hotfix_check_sp_range(win2003:'2', vista:'2', win7:'1', win8:'0', win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

productname = get_kb_item_or_exit("SMB/ProductName", exit_code:1);
# Some of the 2k3 checks could flag XP 64, which is unsupported
if ("Windows XP" >< productname) audit(AUDIT_OS_SP_NOT_VULN);

share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

if (
  # Windows 8.1 / Windows Server 2012 R2
  hotfix_is_vulnerable(os:"6.3", sp:0, file:"Win32k.sys", version:"6.3.9600.17796", min_version:"6.3.9600.16000", dir:"\system32", bulletin:bulletin, kb:kb) ||

  # Windows 8 / Windows Server 2012
  hotfix_is_vulnerable(os:"6.2", sp:0, file:"Win32k.sys", version:"6.2.9200.21457", min_version:"6.2.9200.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.2", sp:0, file:"Win32k.sys", version:"6.2.9200.17343", min_version:"6.2.9200.16000", dir:"\system32", bulletin:bulletin, kb:kb) ||

  # Windows 7 / Server 2008 R2
  hotfix_is_vulnerable(os:"6.1", sp:1, file:"Win32k.sys", version:"6.1.7601.23038", min_version:"6.1.7601.22000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.1", sp:1, file:"Win32k.sys", version:"6.1.7601.18834", min_version:"6.1.7600.16000", dir:"\system32", bulletin:bulletin, kb:kb) ||

  # Vista / Windows Server 2008
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"Win32k.sys", version:"6.0.6002.23680", min_version:"6.0.6002.23000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"Win32k.sys", version:"6.0.6002.19372", min_version:"6.0.6001.18000", dir:"\system32", bulletin:bulletin, kb:kb) ||

  # Windows Server 2003
  hotfix_is_vulnerable(os:"5.2", sp:2, file:"Win32k.sys", version:"5.2.3790.5615", dir:"\system32", bulletin:bulletin, kb:kb)
)
{
  set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}

Packetstorm

Seebug

bulletinFamily: exploit
description: No description provided by source.
id: SSV:93039
last seen: 2017-11-19
modified: 2017-04-25
published: 2017-04-25
reporter: Root
source: https://www.seebug.org/vuldb/ssvid-93039
title: MS15-051 Win32k ClientCopyImage Elevation of Privilege Vulnerability (CVE-2015-1701)

The Hacker News

id: THN:675EE08758C0AD2D11F9BC33AB15EA32
last seen: 2018-01-27
modified: 2016-07-13
published: 2016-07-13
reporter: Swati Khandelwal
source: https://thehackernews.com/2016/07/scada-malware-energy.html
title: State-Sponsored SCADA Malware targeting European Energy Companies