Vulnerabilities > CVE-2016-0151 - Unspecified vulnerability in Microsoft products

CVSS 7.8 - HIGH

Attack vector

LOCAL

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

local

low complexity

microsoft

nessus

exploit available

NVD

Published: 2016-04-12

Updated: 2024-07-09

Summary

The Client-Server Run-time Subsystem (CSRSS) in Microsoft Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 mismanages process tokens, which allows local users to gain privileges via a crafted application, aka "Windows CSRSS Security Feature Bypass Vulnerability."

Vulnerable Configurations

Part	Description	Count
OS	Microsoft Microsoft Windows Server 2012 R2 Microsoft Windows Server 2012 - Microsoft Windows 8.1 - Microsoft Windows RT 8.1 - Microsoft Windows 10 1511 - Microsoft Windows 10 1507 -	6

Exploit-Db

description	Windows - CSRSS BaseSrvCheckVDM Session 0 Process Creation Privilege Escalation (MS16-048). CVE-2016-0151. Dos exploit for windows platform
file	exploits/windows/dos/39740.cpp
id	EDB-ID:39740
last seen	2016-04-27
modified	2016-04-27
platform	windows
port
published	2016-04-27
reporter	Google Security Research
source	https://www.exploit-db.com/download/39740/
title	Windows - CSRSS BaseSrvCheckVDM Session 0 Process Creation Privilege Escalation MS16-048
type	dos

Msbulletin

bulletin_id	MS16-048
bulletin_url
date	2016-04-12T00:00:00
impact	Security Feature Bypass
knowledgebase_id	3148528
knowledgebase_url
severity	Important
title	Security Update for CSRSS

Nessus

NASL family	Windows : Microsoft Bulletins
NASL id	SMB_NT_MS16-048.NASL
description	The remote Windows host is missing a security update. It is, therefore, affected by a security feature bypass vulnerability in the Client-Server Run-time Subsystem (CSRSS) due to improper management of process tokens in memory. A local attacker can exploit this vulnerability, via a specially crafted application, to escalate privileges and execute arbitrary code as an administrator.
last seen	2020-06-01
modified	2020-06-02
plugin id	90441
published	2016-04-12
reporter	This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/90441
title	MS16-048: Security Update for CSRSS (3148528)
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(90441); script_version("1.11"); script_cvs_date("Date: 2019/11/20"); script_cve_id("CVE-2016-0151"); script_bugtraq_id(85913); script_xref(name:"MSFT", value:"MS16-048"); script_xref(name:"MSKB", value:"3146723"); script_xref(name:"MSKB", value:"3147458"); script_xref(name:"MSKB", value:"3147461"); script_xref(name:"IAVB", value:"2016-B-0065"); script_name(english:"MS16-048: Security Update for CSRSS (3148528)"); script_summary(english:"Checks the version of basesrv.dll."); script_set_attribute(attribute:"synopsis", value: "The remote host is affected by a security feature bypass vulnerability."); script_set_attribute(attribute:"description", value: "The remote Windows host is missing a security update. It is, therefore, affected by a security feature bypass vulnerability in the Client-Server Run-time Subsystem (CSRSS) due to improper management of process tokens in memory. A local attacker can exploit this vulnerability, via a specially crafted application, to escalate privileges and execute arbitrary code as an administrator."); script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2016/ms16-048"); script_set_attribute(attribute:"solution", value: "Microsoft has released a set of patches for Windows 2012, 8.1, RT 8.1, 2012 R2, and 10."); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-0151"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2016/04/12"); script_set_attribute(attribute:"patch_publication_date", value:"2016/04/12"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/04/12"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows"); script_set_attribute(attribute:"stig_severity", value:"II"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows : Microsoft Bulletins"); script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl"); script_require_keys("SMB/MS_Bulletin_Checks/Possible"); script_require_ports(139, 445, "Host/patch_management_checks"); exit(0); } include("audit.inc"); include("smb_hotfixes_fcheck.inc"); include("smb_hotfixes.inc"); include("smb_func.inc"); include("misc_func.inc"); get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible"); bulletin = 'MS16-048'; kbs = make_list('3146723', '3147458', '3147461'); if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE); get_kb_item_or_exit("SMB/Registry/Enumerated"); get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1); if (hotfix_check_sp_range(win8:'0', win81:'0', win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN); share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE); if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share); if ( # Windows 8.1 / Windows Server 2012 R2 hotfix_is_vulnerable(os:"6.3", sp:0, file:"basesrv.dll", version:"6.3.9600.18258", min_version:"6.3.9600.16000", dir:"\system32", bulletin:bulletin, kb:"3146723") \|\| # Windows 2012 hotfix_is_vulnerable(os:"6.2", sp:0, file:"basesrv.dll", version:"6.2.9200.21793", min_version:"6.2.9200.17000", dir:"\system32", bulletin:bulletin, kb:"3146723") \|\| # Windows 10 threshold 2 (aka 1511) hotfix_is_vulnerable(os:"10", sp:0, file:"basesrv.dll", version:"10.0.10586.212", min_version:"10.0.10586.0", dir:"\system32", bulletin:bulletin, kb:"3147458") \|\| # Windows 10 RTM hotfix_is_vulnerable(os:"10", sp:0, file:"basesrv.dll", version:"10.0.10240.16766", dir:"\system32", bulletin:bulletin, kb:"3147461") ) { set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE); hotfix_security_hole(); hotfix_check_fversion_end(); exit(0); } else { hotfix_check_fversion_end(); audit(AUDIT_HOST_NOT, 'affected'); }

Summary

Vulnerable Configurations

Exploit-Db

Msbulletin

Nessus

References