Vulnerabilities > CVE-2015-1701 - Unspecified vulnerability in Microsoft products

CVSS 7.8 - HIGH

Attack vector

LOCAL

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

local

low complexity

microsoft

nessus

exploit available

metasploit

NVD

Published: 2015-04-21

Updated: 2024-07-16

Summary

Win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2003 SP2, Vista SP2, and Server 2008 SP2 allows local users to gain privileges via a crafted application, as exploited in the wild in April 2015, aka "Win32k Elevation of Privilege Vulnerability."

Vulnerable Configurations

Part	Description	Count
OS	Microsoft Microsoft Windows 2003 Server R2 Microsoft Windows 2003 Server - Microsoft Windows Server 2008 - Microsoft Windows 7 - Microsoft Windows Vista -	5

Exploit-Db

description	Windows ClientCopyImage Win32k Exploit. CVE-2015-1701. Local exploit for windows platform
file	exploits/windows/local/37367.rb
id	EDB-ID:37367
last seen	2016-02-04
modified	2015-06-24
platform	windows
port
published	2015-06-24
reporter	metasploit
source	https://www.exploit-db.com/download/37367/
title	Windows ClientCopyImage Win32k Exploit
type	local

description	Microsoft Windows - Local Privilege Escalation (MS15-051). CVE-2015-1676,CVE-2015-1677,CVE-2015-1678,CVE-2015-1679,CVE-2015-1680,CVE-2015-1701. Local exploit...
file	exploits/windows/local/37049.txt
id	EDB-ID:37049
last seen	2016-02-04
modified	2015-05-18
platform	windows
port
published	2015-05-18
reporter	hfiref0x
source	https://www.exploit-db.com/download/37049/
title	Microsoft Windows - Local Privilege Escalation MS15-051
type	local

Metasploit

description	This module exploits improper object handling in the win32k.sys kernel mode driver. This module has been tested on vulnerable builds of Windows 7 x64 and x86, and Windows 2008 R2 SP1 x64.
id	MSF:EXPLOIT/WINDOWS/LOCAL/MS15_051_CLIENT_COPY_IMAGE
last seen	2020-05-11
modified	2018-10-28
published	2015-06-03
references	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1701 https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html https://github.com/hfiref0x/CVE-2015-1701 https://technet.microsoft.com/library/security/MS15-051
reporter	Rapid7
source	https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/local/ms15_051_client_copy_image.rb
title	Windows ClientCopyImage Win32k Exploit

Msbulletin

bulletin_id	MS15-051
bulletin_url
date	2015-05-12T00:00:00
impact	Elevation of Privilege
knowledgebase_id	3057191
knowledgebase_url
severity	Important
title	Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege

Nessus

NASL family	Windows : Microsoft Bulletins
NASL id	SMB_NT_MS15-051.NASL
description	The version of Windows running on the remote host is affected by multiple vulnerabilities : - Multiple information disclosure vulnerabilities exist due to the Win32k.sys kernel-mode driver improperly handling objects in memory. A local attacker can exploit this to reveal private address information during a function call, resulting in the disclosure of kernel memory contents. (CVE-2015-1676, CVE-2015-1677, CVE-2015-1678, CVE-2015-1679, CVE-2015-1680) - A privilege escalation vulnerability exists due to the Win32k.sys kernel-mode driver improperly handling objects in memory. A local attacker can exploit this flaw, via a specially crafted application, to execute arbitrary code in kernel mode. This vulnerability is reportedly being exploited in the wild. (CVE-2015-1701)
last seen	2020-06-01
modified	2020-06-02
plugin id	83370
published	2015-05-12
reporter	This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/83370
title	MS15-051: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (3057191)
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(83370); script_version("1.13"); script_cvs_date("Date: 2018/11/15 20:50:31"); script_cve_id( "CVE-2015-1676", "CVE-2015-1677", "CVE-2015-1678", "CVE-2015-1679", "CVE-2015-1680", "CVE-2015-1701" ); script_bugtraq_id( 74245, 74483, 74494, 74495, 74496, 74497 ); script_xref(name:"MSFT", value:"MS15-051"); script_xref(name:"MSKB", value:"3045171"); script_xref(name:"MSKB", value:"3057191"); script_xref(name:"MSKB", value:"3065979"); script_xref(name:"IAVA", value:"2015-A-0108"); script_name(english:"MS15-051: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (3057191)"); script_summary(english:"Checks the file version of Win32k.sys."); script_set_attribute(attribute:"synopsis", value: "The remote Windows host is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The version of Windows running on the remote host is affected by multiple vulnerabilities : - Multiple information disclosure vulnerabilities exist due to the Win32k.sys kernel-mode driver improperly handling objects in memory. A local attacker can exploit this to reveal private address information during a function call, resulting in the disclosure of kernel memory contents. (CVE-2015-1676, CVE-2015-1677, CVE-2015-1678, CVE-2015-1679, CVE-2015-1680) - A privilege escalation vulnerability exists due to the Win32k.sys kernel-mode driver improperly handling objects in memory. A local attacker can exploit this flaw, via a specially crafted application, to execute arbitrary code in kernel mode. This vulnerability is reportedly being exploited in the wild. (CVE-2015-1701)"); # https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?37b0306c"); script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2015/ms15-051"); script_set_attribute(attribute:"solution", value: "Microsoft has released a set of patches for Windows 2003, Vista, 2008, 7, 2008 R2, 8, 2012, 8.1, and 2012 R2."); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Windows ClientCopyImage Win32k Exploit'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_set_attribute(attribute:"vuln_publication_date", value:"2015/04/18"); script_set_attribute(attribute:"patch_publication_date", value:"2015/05/12"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/05/12"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows"); script_set_attribute(attribute:"stig_severity", value:"II"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows : Microsoft Bulletins"); script_copyright(english:"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc."); script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl"); script_require_keys("SMB/MS_Bulletin_Checks/Possible"); script_require_ports(139, 445, "Host/patch_management_checks"); exit(0); } include("audit.inc"); include("smb_hotfixes_fcheck.inc"); include("smb_hotfixes.inc"); include("smb_func.inc"); include("misc_func.inc"); get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible"); bulletin = 'MS15-051'; kb = '3045171'; kbs = make_list('3057191', kb, '3065979'); if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE); get_kb_item_or_exit("SMB/Registry/Enumerated"); get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1); if (hotfix_check_sp_range(win2003:'2', vista:'2', win7:'1', win8:'0', win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN); productname = get_kb_item_or_exit("SMB/ProductName", exit_code:1); # Some of the 2k3 checks could flag XP 64, which is unsupported if ("Windows XP" >< productname) audit(AUDIT_OS_SP_NOT_VULN); share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE); if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share); if ( # Windows 8.1 / Windows Server 2012 R2 hotfix_is_vulnerable(os:"6.3", sp:0, file:"Win32k.sys", version:"6.3.9600.17796", min_version:"6.3.9600.16000", dir:"\system32", bulletin:bulletin, kb:kb) \|\| # Windows 8 / Windows Server 2012 hotfix_is_vulnerable(os:"6.2", sp:0, file:"Win32k.sys", version:"6.2.9200.21457", min_version:"6.2.9200.20000", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"6.2", sp:0, file:"Win32k.sys", version:"6.2.9200.17343", min_version:"6.2.9200.16000", dir:"\system32", bulletin:bulletin, kb:kb) \|\| # Windows 7 / Server 2008 R2 hotfix_is_vulnerable(os:"6.1", sp:1, file:"Win32k.sys", version:"6.1.7601.23038", min_version:"6.1.7601.22000", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"6.1", sp:1, file:"Win32k.sys", version:"6.1.7601.18834", min_version:"6.1.7600.16000", dir:"\system32", bulletin:bulletin, kb:kb) \|\| # Vista / Windows Server 2008 hotfix_is_vulnerable(os:"6.0", sp:2, file:"Win32k.sys", version:"6.0.6002.23680", min_version:"6.0.6002.23000", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"6.0", sp:2, file:"Win32k.sys", version:"6.0.6002.19372", min_version:"6.0.6001.18000", dir:"\system32", bulletin:bulletin, kb:kb) \|\| # Windows Server 2003 hotfix_is_vulnerable(os:"5.2", sp:2, file:"Win32k.sys", version:"5.2.3790.5615", dir:"\system32", bulletin:bulletin, kb:kb) ) { set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE); hotfix_security_hole(); hotfix_check_fversion_end(); exit(0); } else { hotfix_check_fversion_end(); audit(AUDIT_HOST_NOT, 'affected'); }

Packetstorm

data source	https://packetstormsecurity.com/files/download/157715/KL-001-2020-002.txt
id	PACKETSTORM:157715
last seen	2020-05-15
published	2020-05-14
reporter	Matthew Bergin
source	https://packetstormsecurity.com/files/157715/Cellebrite-UFED-7.5.0.845-Desktop-Escape-Privilege-Escalation.html
title	Cellebrite UFED 7.5.0.845 Desktop Escape / Privilege Escalation

data source	https://packetstormsecurity.com/files/download/132403/ms15_051_client_copy_image.rb.txt
id	PACKETSTORM:132403
last seen	2016-12-05
published	2015-06-22
reporter	temp66
source	https://packetstormsecurity.com/files/132403/Microsoft-Windows-ClientCopyImage-Improper-Object-Handling.html
title	Microsoft Windows ClientCopyImage Improper Object Handling

Seebug

bulletinFamily	exploit
description	No description provided by source.
id	SSV:93039
last seen	2017-11-19
modified	2017-04-25
published	2017-04-25
reporter	Root
source	https://www.seebug.org/vuldb/ssvid-93039
title	MS15-051 Win32k ClientCopyImage Elevation of Privilege Vulnerability (CVE-2015-1701)

The Hacker News

id	THN:675EE08758C0AD2D11F9BC33AB15EA32
last seen	2018-01-27
modified	2016-07-13
published	2016-07-13
reporter	Swati Khandelwal
source	https://thehackernews.com/2016/07/scada-malware-energy.html
title	State-Sponsored SCADA Malware targeting European Energy Companies

Summary

Vulnerable Configurations

Exploit-Db

Metasploit

Msbulletin

Nessus

Packetstorm

Seebug

The Hacker News

References