Vulnerabilities > CVE-2016-7255 - Unspecified vulnerability in Microsoft products

CVSS 7.8 - HIGH

Attack vector

LOCAL

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

local

low complexity

microsoft

nessus

exploit available

NVD

Published: 2016-11-10

Updated: 2024-07-25

Summary

The kernel-mode drivers in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, and 1607, and Windows Server 2016 allow local users to gain privileges via a crafted application, aka "Win32k Elevation of Privilege Vulnerability."

Vulnerable Configurations

Part	Description	Count
OS	Microsoft Microsoft Windows Server 2012 R2 Microsoft Windows Server 2012 - Microsoft Windows 8.1 - Microsoft Windows Server 2016 - Microsoft Windows Server 2008 - Microsoft Windows Server 2008 R2 Microsoft Windows 7 - Microsoft Windows RT 8.1 - Microsoft Windows Vista - Microsoft Windows 10 1607 - Microsoft Windows 10 1511 - Microsoft Windows 10 1507 -	12

Exploit-Db

description	Microsoft Windows Kernel - 'win32k.sys' 'NtSetWindowLongPtr' Privilege Escalation (MS16-135) (2). CVE-2016-7255. Local exploit for Windows platform
file	exploits/windows/local/41015.c
id	EDB-ID:41015
last seen	2017-01-11
modified	2017-01-08
platform	windows
port
published	2017-01-08
reporter	Exploit-DB
source	https://www.exploit-db.com/download/41015/
title	Microsoft Windows Kernel - 'win32k.sys' 'NtSetWindowLongPtr' Privilege Escalation (MS16-135) (2)
type	local

description	Microsoft Windows Kernel - win32k Denial of Service (MS16-135). CVE-2016-7255. Dos exploit for Windows platform
file	exploits/windows/dos/40745.c
id	EDB-ID:40745
last seen	2016-11-10
modified	2016-11-09
platform	windows
port
published	2016-11-09
reporter	Exploit-DB
source	https://www.exploit-db.com/download/40745/
title	Microsoft Windows Kernel - win32k Denial of Service (MS16-135)
type	dos

description	Microsoft Windows Kernel win32k.sys - 'NtSetWindowLongPtr' Privilege Escalation (MS16-135). CVE-2016-7255. Local exploit for Windows platform
file	exploits/windows/local/40823.txt
id	EDB-ID:40823
last seen	2016-11-24
modified	2016-11-24
platform	windows
port
published	2016-11-24
reporter	Exploit-DB
source	https://www.exploit-db.com/download/40823/
title	Microsoft Windows Kernel win32k.sys - 'NtSetWindowLongPtr' Privilege Escalation (MS16-135)
type	local

Msbulletin

bulletin_id	MS16-135
bulletin_url
date	2016-11-08T00:00:00
impact	Elevation of Privilege
knowledgebase_id	3199135
knowledgebase_url
severity	Important
title	Security Update for Windows Kernel-Mode Drivers

Nessus

NASL family	Windows : Microsoft Bulletins
NASL id	SMB_NT_MS16-135.NASL
description	The remote Windows host is missing a security update. It is, therefore, affected by multiple vulnerabilities : - An information disclosure vulnerability exists in the Windows kernel that allows a local attacker, via a specially crafted application, to bypass the Address Space Layout Randomization (ASLR) feature and retrieve the memory address of a kernel object. (CVE-2016-7214) - Multiple elevation of privilege vulnerabilities exist in the Windows kernel-mode driver due to improper handling of objects in memory. A local attacker can exploit these, via a specially crafted application, to execute arbitrary code in kernel mode. (CVE-2016-7215, CVE-2016-7246, CVE-2016-7255) - An information disclosure vulnerability exists in the bowser.sys kernel-mode driver due to improper handling objects in memory. A local attacker can exploit this, via a specially crafted application, to disclose sensitive information. (CVE-2016-7218)
last seen	2020-06-01
modified	2020-06-02
plugin id	94636
published	2016-11-08
reporter	This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/94636
title	MS16-135: Security Update for Windows Kernel-Mode Drivers (3199135)
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(94636); script_version("1.11"); script_cvs_date("Date: 2018/11/15 20:50:32"); script_cve_id( "CVE-2016-7214", "CVE-2016-7215", "CVE-2016-7218", "CVE-2016-7246", "CVE-2016-7255" ); script_bugtraq_id( 93991, 94000, 94004, 94063, 94064 ); script_xref(name:"MSFT", value:"MS16-135"); script_xref(name:"MSKB", value:"3198234"); script_xref(name:"MSKB", value:"3194371"); script_xref(name:"MSKB", value:"3197867"); script_xref(name:"MSKB", value:"3197868"); script_xref(name:"MSKB", value:"3197873"); script_xref(name:"MSKB", value:"3197874"); script_xref(name:"MSKB", value:"3197876"); script_xref(name:"MSKB", value:"3197877"); script_xref(name:"MSKB", value:"3198585"); script_xref(name:"MSKB", value:"3198586"); script_xref(name:"MSKB", value:"3200970"); script_xref(name:"IAVA", value:"2016-A-0322"); script_name(english:"MS16-135: Security Update for Windows Kernel-Mode Drivers (3199135)"); script_summary(english:"Checks the version of ntoskrnl.exe or the installed rollup."); script_set_attribute(attribute:"synopsis", value: "The remote host is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The remote Windows host is missing a security update. It is, therefore, affected by multiple vulnerabilities : - An information disclosure vulnerability exists in the Windows kernel that allows a local attacker, via a specially crafted application, to bypass the Address Space Layout Randomization (ASLR) feature and retrieve the memory address of a kernel object. (CVE-2016-7214) - Multiple elevation of privilege vulnerabilities exist in the Windows kernel-mode driver due to improper handling of objects in memory. A local attacker can exploit these, via a specially crafted application, to execute arbitrary code in kernel mode. (CVE-2016-7215, CVE-2016-7246, CVE-2016-7255) - An information disclosure vulnerability exists in the bowser.sys kernel-mode driver due to improper handling objects in memory. A local attacker can exploit this, via a specially crafted application, to disclose sensitive information. (CVE-2016-7218)"); script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2016/ms16-135"); script_set_attribute(attribute:"solution", value: "Microsoft has released a set of patches for Windows Vista, 2008, 7, 2008 R2, 2012, 8.1, RT 8.1, 2012 R2, 10, and 2016."); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_set_attribute(attribute:"vuln_publication_date", value:"2016/11/08"); script_set_attribute(attribute:"patch_publication_date", value:"2016/11/08"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/11/08"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows"); script_set_attribute(attribute:"stig_severity", value:"II"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows : Microsoft Bulletins"); script_copyright(english:"This script is Copyright (C) 2016-2018 Tenable Network Security, Inc."); script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl", "smb_check_rollup.nasl"); script_require_keys("SMB/MS_Bulletin_Checks/Possible"); script_require_ports(139, 445, "Host/patch_management_checks"); exit(0); } include("audit.inc"); include("smb_hotfixes_fcheck.inc"); include("smb_hotfixes.inc"); include("smb_func.inc"); include("smb_reg_query.inc"); include("misc_func.inc"); get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible"); bulletin = 'MS16-135'; kbs = make_list( '3198234', '3194371', '3197867', '3197868', '3197873', '3197874', '3197876', '3197877', '3198585', '3198586', '3200970' ); if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE); get_kb_item_or_exit("SMB/Registry/Enumerated"); get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1); if (hotfix_check_sp_range(vista:'2', win7:'1', win8:'0', win81:'0', win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN); # Windows 8 EOL productname = get_kb_item_or_exit("SMB/ProductName", exit_code:1); if ("Windows 8" >< productname && "8.1" >!< productname) audit(AUDIT_OS_SP_NOT_VULN); share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE); if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share); if ( # Vista / 2008 hotfix_is_vulnerable(os:"6.0", sp:2, file:"win32k.sys", version:"6.0.6002.24029", min_version:"6.0.6002.23000", dir:"\system32", bulletin:bulletin, kb:"3198234") \|\| hotfix_is_vulnerable(os:"6.0", sp:2, file:"win32k.sys", version:"6.0.6002.19706", min_version:"6.0.6002.18000", dir:"\system32", bulletin:bulletin, kb:"3198234") \|\| hotfix_is_vulnerable(os:"6.0", sp:2, file:"bowser.sys", version:"6.0.6002.24021", min_version:"6.0.6002.23000", dir:"\system32\drivers", bulletin:bulletin, kb:"3194371") \|\| hotfix_is_vulnerable(os:"6.0", sp:2, file:"bowser.sys", version:"6.0.6002.19698", min_version:"6.0.6002.18000", dir:"\system32\drivers", bulletin:bulletin, kb:"3194371") \|\| # 8.1 / 2012 R2 smb_check_rollup(os:"6.3", sp:0, rollup_date: "11_2016", bulletin:bulletin, rollup_kb_list:make_list(3197873, 3197874)) \|\| # 2012 smb_check_rollup(os:"6.2", sp:0, rollup_date: "11_2016", bulletin:bulletin, rollup_kb_list:make_list(3197876, 3197877)) \|\| # 7 / 2008 R2 smb_check_rollup(os:"6.1", sp:1, rollup_date: "11_2016", bulletin:bulletin, rollup_kb_list:make_list(3197867, 3197868)) \|\| # 10 (1507) smb_check_rollup(os:"10", sp:0, os_build:"10240", rollup_date: "11_2016", bulletin:bulletin, rollup_kb_list:make_list(3198585)) \|\| # 10 (1511) smb_check_rollup(os:"10", sp:0, os_build:"10586", rollup_date: "11_2016", bulletin:bulletin, rollup_kb_list:make_list(3198586)) \|\| # 10 (1607) smb_check_rollup(os:"10", sp:0, os_build:"14393", rollup_date: "11_2016", bulletin:bulletin, rollup_kb_list:make_list(3200970)) ) { set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE); hotfix_security_hole(); hotfix_check_fversion_end(); exit(0); } else { hotfix_check_fversion_end(); audit(AUDIT_HOST_NOT, hotfix_get_audit_report()); }

Packetstorm

data source	https://packetstormsecurity.com/files/download/140468/ms16135-escalate.txt
id	PACKETSTORM:140468
last seen	2017-01-12
published	2017-01-12
reporter	Rick Larabee
source	https://packetstormsecurity.com/files/140468/Microsoft-Windows-Kernel-win32k.sys-NtSetWindowLongPtr-Privilege-Escalation.html
title	Microsoft Windows Kernel win32k.sys NtSetWindowLongPtr Privilege Escalation

data source	https://packetstormsecurity.com/files/download/139701/ms16135-dos.txt
id	PACKETSTORM:139701
last seen	2016-12-05
published	2016-11-14
reporter	TinySec
source	https://packetstormsecurity.com/files/139701/Microsoft-Windows-kernel-win32k-Denial-Of-Service.html
title	Microsoft Windows kernel win32k Denial Of Service

Seebug

bulletinFamily	exploit
description	If the Windows kernel-mode drivers do not properly handle objects in memory, then there will be multiple elevation of Privilege vulnerabilities. Successful exploitation of this vulnerability an attacker can run in kernel mode arbitrary code. An attacker could then install programs; view, change, or delete data; or create with full user permissions to the new account. The attacker must first log in to the system, and then to exploit these vulnerabilities. Then the attacker can run a exploit these vulnerabilities and through the Special design of the application, allowing control of the affected system. The update addresses the vulnerabilities by correcting Windows kernel-mode driver handles objects in memory to resolve these vulnerabilities.
id	SSV:92530
last seen	2017-11-19
modified	2016-11-10
published	2016-11-10
reporter	Root
source	https://www.seebug.org/vuldb/ssvid-92530
title	Win32k elevation of privilege vulnerability MS16-135）(CVE-2016-7255)

The Hacker News

id	THN:F8BDC767F3D202913920E1C28D137377
last seen	2018-01-27
modified	2016-11-09
published	2016-11-09
reporter	Mohit Kumar
source	https://thehackernews.com/2016/11/microsoft-windows-update.html
title	Microsoft Patches Windows Zero-Day Flaw Disclosed by Google

Summary

Vulnerable Configurations

Exploit-Db

Msbulletin

Nessus

Packetstorm

Seebug

The Hacker News

References