Vulnerabilities > CVE-2016-0040 - Unspecified vulnerability in Microsoft Windows 7, Windows Server 2008 and Windows Vista

047910
CVSS 7.8 - HIGH
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
local
low complexity
microsoft
nessus
exploit available
metasploit

Summary

The kernel in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, and Windows 7 SP1 allows local users to gain privileges via a crafted application, aka "Windows Elevation of Privilege Vulnerability."

Exploit-Db

descriptionMicrosoft Windows WMI - Recieve Notification Exploit (Metasploit). CVE-2016-0040. Local exploit for Windows_x86-64 platform. Tags: Metasploit Framework (MSF)
fileexploits/windows_x86-64/local/44586.rb
idEDB-ID:44586
last seen2018-05-24
modified2018-05-04
platformwindows_x86-64
port
published2018-05-04
reporterExploit-DB
sourcehttps://www.exploit-db.com/download/44586/
titleMicrosoft Windows WMI - Recieve Notification Exploit (Metasploit)
typelocal

Metasploit

descriptionThis module exploits an uninitialized stack variable in the WMI subsystem of ntoskrnl. This module has been tested on vulnerable builds of Windows 7 SP0 x64 and Windows 7 SP1 x64.
idMSF:EXPLOIT/WINDOWS/LOCAL/MS16_014_WMI_RECV_NOTIF
last seen2020-06-02
modified2019-10-05
published2017-08-03
references
reporterRapid7
sourcehttps://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/local/ms16_014_wmi_recv_notif.rb
titleWindows WMI Receive Notification Exploit

Msbulletin

bulletin_idMS16-014
bulletin_url
date2016-02-09T00:00:00
impactRemote Code Execution
knowledgebase_id3134228
knowledgebase_url
severityImportant
titleSecurity Update for Microsoft Windows to Address Remote Code Execution

Nessus

NASL familyWindows : Microsoft Bulletins
NASL idSMB_NT_MS16-014.NASL
descriptionThe remote Windows host is missing a security update. It is, therefore, affected by multiple vulnerabilities : - An elevation of privilege vulnerability exists in the Windows kernel due to improper handling of objects in memory. A local attacker can exploit this, via a crafted application, to run arbitrary code in kernel mode and therefore take control of the affected system. (CVE-2016-0040) - Multiple code execution vulnerabilities exist due to improper validation of user-supplied input when loading DLL files. A local attacker can exploit these, via a specially crafted application, to execute arbitrary code. (CVE-2016-0041, CVE-2016-0042) - A denial of service vulnerability exists in Microsoft Sync Framework due to improper processing of crafted input that uses the
last seen2020-06-01
modified2020-06-02
plugin id88646
published2016-02-09
reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/88646
titleMS16-014: Security Update for Microsoft Windows to Address Remote Code Execution (3134228)
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(88646);
  script_version("1.15");
  script_cvs_date("Date: 2019/11/20");

  script_cve_id(
    "CVE-2016-0040",
    "CVE-2016-0041",
    "CVE-2016-0042",
    "CVE-2016-0044",
    "CVE-2016-0049"
  );
  script_bugtraq_id(
    82505,
    82510,
    82511,
    82515
  );
  script_xref(name:"MSFT", value:"MS16-014");
  script_xref(name:"MSKB", value:"3126041");
  script_xref(name:"MSKB", value:"3126587");
  script_xref(name:"MSKB", value:"3126593");
  script_xref(name:"MSKB", value:"3126434");
  script_xref(name:"MSKB", value:"3135174");
  script_xref(name:"MSKB", value:"3135173");
  script_xref(name:"IAVA", value:"2016-A-0050");

  script_name(english:"MS16-014: Security Update for Microsoft Windows to Address Remote Code Execution (3134228)");
  script_summary(english:"Checks the version of the DLL files.");

  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The remote Windows host is missing a security update. It is,
therefore, affected by multiple vulnerabilities :

  - An elevation of privilege vulnerability exists in the
    Windows kernel due to improper handling of objects in
    memory. A local attacker can exploit this, via a crafted
    application, to run arbitrary code in kernel mode and
    therefore take control of the affected system.
    (CVE-2016-0040)

  - Multiple code execution vulnerabilities exist due to
    improper validation of user-supplied input when loading
    DLL files. A local attacker can exploit these, via a
    specially crafted application, to execute arbitrary
    code. (CVE-2016-0041, CVE-2016-0042)

  - A denial of service vulnerability exists in Microsoft
    Sync Framework due to improper processing of crafted
    input that uses the 'change batch' structure. An
    authenticated, remote attacker can exploit this, via
    specially crafted packets sent to the SyncShareSvc
    service, to cause the service to stop responding.
    (CVE-2016-0044)

  - A security feature bypass vulnerability exists when
    Kerberos fails to check the password change of a user
    signing into a workstation. An attacker can exploit
    this, by connecting the workstation to a malicious
    Kerberos Key distribution Center, to bypass Kerberos
    authentication on a target machine, thus allowing
    decryption of drives protected by BitLocker.
    (CVE-2016-0049)");
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2016/ms16-014");
  script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Windows Vista, 2008, 7,
2008 R2, 2012, 8.1, RT 8.1, 2012 R2, and 10.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-0042");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Office OLE Multiple DLL Side Loading Vulnerabilities');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/02/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/02/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/02/09");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_set_attribute(attribute:"stig_severity", value:"II");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, "Host/patch_management_checks");

  exit(0);
}

include("audit.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_hotfixes.inc");
include("smb_func.inc");
include("misc_func.inc");

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS16-014';
kbs = make_list(
    "3126041",
    "3126587",
    "3126593",
    "3126434",
    "3135174",
    "3135173"
);
vuln = 0;

if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

if (hotfix_check_sp_range(vista:'2', win7:'1', win8:'0', win81:'0', win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

productname = get_kb_item_or_exit("SMB/ProductName", exit_code:1);
if ("Windows 8" >< productname && "8.1" >!< productname) audit(AUDIT_OS_SP_NOT_VULN);

share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

# KB3126587
if (
  # Windows 8.1 / Windows Server 2012 R2
  hotfix_is_vulnerable(os:"6.3", sp:0, file:"cfgbkend.dll", version:"6.3.9600.18192", min_version:"6.3.9600.16000", dir:"\system32", bulletin:bulletin, kb:"3126587") ||

  # Windows Server 2012
  hotfix_is_vulnerable(os:"6.2", sp:0, file:"cfgbkend.dll", version:"6.2.9200.17623", min_version:"6.2.9200.16000", dir:"\system32", bulletin:bulletin, kb:"3126587") ||
  hotfix_is_vulnerable(os:"6.2", sp:0, file:"cfgbkend.dll", version:"6.2.9200.21743", min_version:"6.2.9200.20000", dir:"\system32", bulletin:bulletin, kb:"3126587") ||

  # Windows 7 / Windows Server 2008 R2
  hotfix_is_vulnerable(os:"6.1", sp:1, file:"advapi32.dll", version:"6.1.7601.19135", min_version:"6.1.7600.16000", dir:"\system32", bulletin:bulletin, kb:"3126587") ||
  hotfix_is_vulnerable(os:"6.1", sp:1, file:"advapi32.dll", version:"6.1.7601.23338", min_version:"6.1.7601.20000", dir:"\system32", bulletin:bulletin, kb:"3126587") ||

  # Windows Vista / Windows Server 2008
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"advapi32.dll", version:"6.0.6002.19594", min_version:"6.0.6002.18000", dir:"\system32", bulletin:bulletin, kb:"3126587") ||
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"advapi32.dll", version:"6.0.6002.23905", min_version:"6.0.6002.22000", dir:"\system32", bulletin:bulletin, kb:"3126587")
)
  vuln++;

# KB3126593
if (
  # Windows 8.1 / Windows Server 2012 R2
  hotfix_is_vulnerable(os:"6.3", sp:0, file:"ntoskrnl.exe", version:"6.3.9600.18192", min_version:"6.3.9600.16000", dir:"\system32", bulletin:bulletin, kb:"3126593")  ||
  # Windows Server 2012
  hotfix_is_vulnerable(os:"6.2", sp:0, file:"ntoskrnl.exe", version:"6.2.9200.21743", min_version:"6.2.9200.20000", dir:"\system32", bulletin:bulletin, kb:"3126593") ||
  hotfix_is_vulnerable(os:"6.2", sp:0, file:"ntoskrnl.exe", version:"6.2.9200.17623", min_version:"6.2.9200.16000", dir:"\system32", bulletin:bulletin, kb:"3126593") ||
  # Windows 7 / Windows Server 2008 R2
  hotfix_is_vulnerable(os:"6.1", sp:1, file:"ntoskrnl.exe", version:"6.1.7601.23321", min_version:"6.1.7601.20000", dir:"\system32", bulletin:bulletin, kb:"3126593") ||
  hotfix_is_vulnerable(os:"6.1", sp:1, file:"ntoskrnl.exe", version:"6.1.7601.19117", min_version:"6.1.7600.16000", dir:"\system32", bulletin:bulletin, kb:"3126593") ||
  # Windows Vista / Windows Server 2008
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"ntoskrnl.exe", version:"6.0.6002.23890", min_version:"6.0.6002.22000", dir:"\system32", bulletin:bulletin, kb:"3126593") ||
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"ntoskrnl.exe", version:"6.0.6002.19580", min_version:"6.0.6002.18000", dir:"\system32", bulletin:bulletin, kb:"3126593")
)
  vuln++;

# KB3126434
if (
  # Windows 8.1 / Windows Server 2012 R2
  hotfix_is_vulnerable(os:"6.3", sp:0, file:"winsync.dll", version:"2007.94.9600.18183", dir:"\system32", bulletin:bulletin, kb:"3126434")
)
  vuln++;

# KB3135173
if (
  # Windows 10 threshold 2 (aka 1511)
  hotfix_is_vulnerable(os:"10", sp:0, file:"win32kfull.sys", version:"10.0.10586.103", min_version:"10.0.10586.0", dir:"\system32", bulletin:bulletin, kb:"3135173")
)
  vuln++;

# KB3135174
if (
  # Windows 10 RTM
  hotfix_is_vulnerable(os:"10", sp:0, file:"win32kfull.sys", version:"10.0.10240.16683", dir:"\system32", bulletin:bulletin, kb:"3135174") 
)
  vuln++;

# KB3126041
if (
  # Windows 8.1 / Windows Server 2012 R2
  hotfix_is_vulnerable(os:"6.3", sp:0, file:"kerberos.dll", version:"6.3.9600.18192", min_version:"6.3.9600.16000", dir:"\system32", bulletin:bulletin, kb:"3126041")  ||
  # Windows Vista / Windows Server 2008
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"kerberos.dll", version:"6.0.6002.23888", min_version:"6.0.6002.22000", dir:"\system32", bulletin:bulletin, kb:"3126041") ||
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"kerberos.dll", version:"6.0.6002.19578", min_version:"6.0.6002.18000", dir:"\system32", bulletin:bulletin, kb:"3126041")
)
  vuln++;

if (vuln)
{
  set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}

Packetstorm

data sourcehttps://packetstormsecurity.com/files/download/147498/ms16_014_wmi_recv_notif.rb.txt
idPACKETSTORM:147498
last seen2018-05-07
published2018-05-04
reportersmmrootkit
sourcehttps://packetstormsecurity.com/files/147498/Windows-WMI-Recieve-Notification.html
titleWindows WMI Recieve Notification