Source: nessus. This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. File: SMB_NT_MS15-015.NASL
History: Feb 10, 2015 - 12:00 a.m.

MS15-015: Vulnerability in Microsoft Windows Could Allow Elevation of Privilege (3031432)

2015-02-10 00:00:00
This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.

CVSS2

7.2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

EPSS

0

Percentile

10.5%

The remote Windows host is affected by a privilege escalation vulnerability due to improper validation of the authorization of a caller’s impersonation token when the caller’s process uses SeAssignPrimaryTokenPrivilege. A local attacker, using a specially crafted program, can bypass the authorization check, resulting in an escalation of privileges.

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  # Description pass: register the plugin's metadata with the scanner.
  # No host interaction happens here; exit(0) at the end of this block
  # returns control before the detection logic below is reached.
  script_id(81268);
  script_version("1.9");
  script_cvs_date("Date: 2019/11/25");

  # Vulnerability cross-references: CVE, BugTraq, Microsoft bulletin and
  # KB article, and the IAVA notice.
  script_cve_id("CVE-2015-0062");
  script_bugtraq_id(72458);
  script_xref(name:"MSFT", value:"MS15-015");
  script_xref(name:"MSKB", value:"3031432");
  script_xref(name:"IAVA", value:"2015-A-0035");

  script_name(english:"MS15-015: Vulnerability in Microsoft Windows Could Allow Elevation of Privilege (3031432)");
  # The detection below is a file-version check on ntoskrnl.exe only.
  script_summary(english:"Checks the version of ntoskrnl.exe.");

  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host is affected by a privilege escalation
vulnerability.");
  script_set_attribute(attribute:"description", value:
"The remote Windows host is affected by a privilege escalation
vulnerability due to improper validation of the authorization of a
caller's impersonation token when the caller's process uses
SeAssignPrimaryTokenPrivilege. A local attacker, using a specially
crafted program, can bypass the authorization check, resulting in an
escalation of privileges.");
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2015/ms15-015");
  script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Windows 7, 2008 R2, 8,
2012, 8.1, and 2012 R2.");
  # CVSS2 base: local attack vector, low complexity, no authentication,
  # complete C/I/A impact (7.2). Temporal: proof-of-concept exploit,
  # official fix available, confirmed report.
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  # Vulnerability, patch and plugin were all published on the same day.
  script_set_attribute(attribute:"vuln_publication_date", value:"2015/02/10");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/02/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/02/10");

  # "local" plugin type: the check needs authenticated (credentialed)
  # access to the host rather than a remote network probe.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_set_attribute(attribute:"stig_severity", value:"II");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Runtime prerequisites: the dependency plugins populate the KB keys
  # consumed below (SMB/MS_Bulletin_Checks/Possible in particular), and
  # the detection needs SMB (139/445) or the patch-management KB key.
  script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, "Host/patch_management_checks");

  exit(0);
}

include("audit.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_hotfixes.inc");
include("smb_func.inc");
include("misc_func.inc");

# Detection pass. Abort immediately unless the dependency plugin
# (ms_bulletin_checks_possible.nasl) determined that bulletin checks
# can run on this host.
get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

# Bulletin and KB identifiers are passed to every version check below so
# the report and the SMB/Missing/<bulletin> KB entry are tagged
# consistently.
bulletin = 'MS15-015';
kb = '3031432';

# When the host's patch status is known from a patch-management source
# (KB key Host/patch_management_checks), defer to that data at
# SECURITY_HOLE severity. NOTE(review): hotfix_check_3rd_party() is
# defined in smb_hotfixes.inc, outside this file; presumably it reports
# and exits on its own when the KB is missing -- confirm there.
kbs = make_list(kb);
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

# Fall back to the file-version check, which needs an enumerated registry
# and a known Windows version.
get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

# Only Windows 7 SP1, Windows 8 SP0 and Windows 8.1 SP0 (and the matching
# server releases named in the solution text) are in scope; any other
# OS/service-pack combination is audited as not vulnerable.
if (hotfix_check_sp_range(win7:'1', win8:'0', win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

# The checked file lives under <systemroot>\system32, so the system root
# must be resolvable.
systemroot = hotfix_get_systemroot();
if (!systemroot) audit(AUDIT_PATH_NOT_DETERMINED, 'system root');

# Each call compares ntoskrnl.exe against the fixed version for one OS /
# version range; the `||` chain stops at the first match, so the order of
# calls is significant. Windows 8 and Windows 7 each have two ranges
# (presumably separate servicing branches, distinguished by min_version
# -- confirm against the bulletin).
if (
  # Windows 8.1 / Windows Server 2012 R2
  hotfix_is_vulnerable(os:"6.3", sp:0, file:"ntoskrnl.exe", version:"6.3.9600.17630", min_version:"6.3.9600.16000", dir:"\system32", bulletin:bulletin, kb:kb) ||

  # Windows 8 / Windows Server 2012
  hotfix_is_vulnerable(os:"6.2", sp:0, file:"ntoskrnl.exe", version:"6.2.9200.21347", min_version:"6.2.9200.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.2", sp:0, file:"ntoskrnl.exe", version:"6.2.9200.17231", min_version:"6.2.9200.16000", dir:"\system32", bulletin:bulletin, kb:kb) ||

  # Windows 7 SP1 / Server 2008 R2
  hotfix_is_vulnerable(os:"6.1", sp:1, file:"ntoskrnl.exe", version:"6.1.7601.22921", min_version:"6.1.7601.21000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.1", sp:1, file:"ntoskrnl.exe", version:"6.1.7600.18715", min_version:"6.1.7600.17000", dir:"\system32", bulletin:bulletin, kb:kb)
)
{
  # Vulnerable: record the missing bulletin in the KB, emit the report,
  # release the SMB session used by the version checks, and stop.
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  # Not vulnerable: the session must still be released before auditing
  # the host as unaffected.
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}
Vendor / Product / Version / CPE
microsoft / windows / - / cpe:/o:microsoft:windows
