Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2015-2022 Tenable Network Security, Inc.SMB_NT_MS15-051.NASL
HistoryMay 12, 2015 - 12:00 a.m.

MS15-051: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (3057191)

2015-05-1200:00:00
This script is Copyright (C) 2015-2022 Tenable Network Security, Inc.
www.tenable.com
166

7.2 High

CVSS2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

0.005 Low

EPSS

Percentile

77.3%

JSON

The version of Windows running on the remote host is affected by multiple vulnerabilities :

  • Multiple information disclosure vulnerabilities exist due to the Win32k.sys kernel-mode driver improperly handling objects in memory. A local attacker can exploit this to reveal private address information during a function call, resulting in the disclosure of kernel memory contents. (CVE-2015-1676, CVE-2015-1677, CVE-2015-1678, CVE-2015-1679, CVE-2015-1680)

  • A privilege escalation vulnerability exists due to the Win32k.sys kernel-mode driver improperly handling objects in memory. A local attacker can exploit this flaw, via a specially crafted application, to execute arbitrary code in kernel mode. This vulnerability is reportedly being exploited in the wild. (CVE-2015-1701)

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(83370);
  script_version("1.14");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/03/08");

  script_cve_id(
    "CVE-2015-1676",
    "CVE-2015-1677",
    "CVE-2015-1678",
    "CVE-2015-1679",
    "CVE-2015-1680",
    "CVE-2015-1701"
  );
  script_bugtraq_id(
    74245,
    74483,
    74494,
    74495,
    74496,
    74497
  );
  script_xref(name:"MSFT", value:"MS15-051");
  script_xref(name:"MSKB", value:"3045171");
  script_xref(name:"MSKB", value:"3057191");
  script_xref(name:"MSKB", value:"3065979");
  script_xref(name:"IAVA", value:"2015-A-0108");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/03/24");

  script_name(english:"MS15-051: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (3057191)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of Windows running on the remote host is affected by
multiple vulnerabilities :

  - Multiple information disclosure vulnerabilities exist
    due to the Win32k.sys kernel-mode driver improperly
    handling objects in memory. A local attacker can exploit
    this to reveal private address information during a
    function call, resulting in the disclosure of kernel
    memory contents. (CVE-2015-1676, CVE-2015-1677,
    CVE-2015-1678, CVE-2015-1679, CVE-2015-1680)

  - A privilege escalation vulnerability exists due to the
    Win32k.sys kernel-mode driver improperly handling
    objects in memory. A local attacker can exploit this
    flaw, via a specially crafted application, to execute
    arbitrary code in kernel mode. This vulnerability is
    reportedly being exploited in the wild. (CVE-2015-1701)");
  # https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?37b0306c");
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2015/ms15-051");
  script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Windows 2003, Vista, 2008,
7, 2008 R2, 8, 2012, 8.1, and 2012 R2.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-1701");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Windows ClientCopyImage Win32k Exploit');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:"CANVAS");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/04/18");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/05/12");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/05/12");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_set_attribute(attribute:"stig_severity", value:"II");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2015-2022 Tenable Network Security, Inc.");

  script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, "Host/patch_management_checks");

  exit(0);
}

include("audit.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_hotfixes.inc");
include("smb_func.inc");
include("misc_func.inc");

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS15-051';
kb = '3045171';

kbs = make_list('3057191', kb, '3065979');
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

if (hotfix_check_sp_range(win2003:'2', vista:'2', win7:'1', win8:'0', win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

productname = get_kb_item_or_exit("SMB/ProductName", exit_code:1);
# Some of the 2k3 checks could flag XP 64, which is unsupported
if ("Windows XP" >< productname) audit(AUDIT_OS_SP_NOT_VULN);

share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

if (
  # Windows 8.1 / Windows Server 2012 R2
  hotfix_is_vulnerable(os:"6.3", sp:0, file:"Win32k.sys", version:"6.3.9600.17796", min_version:"6.3.9600.16000", dir:"\system32", bulletin:bulletin, kb:kb) ||

  # Windows 8 / Windows Server 2012
  hotfix_is_vulnerable(os:"6.2", sp:0, file:"Win32k.sys", version:"6.2.9200.21457", min_version:"6.2.9200.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.2", sp:0, file:"Win32k.sys", version:"6.2.9200.17343", min_version:"6.2.9200.16000", dir:"\system32", bulletin:bulletin, kb:kb) ||

  # Windows 7 / Server 2008 R2
  hotfix_is_vulnerable(os:"6.1", sp:1, file:"Win32k.sys", version:"6.1.7601.23038", min_version:"6.1.7601.22000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.1", sp:1, file:"Win32k.sys", version:"6.1.7601.18834", min_version:"6.1.7600.16000", dir:"\system32", bulletin:bulletin, kb:kb) ||

  # Vista / Windows Server 2008
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"Win32k.sys", version:"6.0.6002.23680", min_version:"6.0.6002.23000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"Win32k.sys", version:"6.0.6002.19372", min_version:"6.0.6001.18000", dir:"\system32", bulletin:bulletin, kb:kb) ||

  # Windows Server 2003
  hotfix_is_vulnerable(os:"5.2", sp:2, file:"Win32k.sys", version:"5.2.3790.5615", dir:"\system32", bulletin:bulletin, kb:kb)
)
{
  set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}
VendorProductVersionCPE
microsoftwindowscpe:/o:microsoft:windows

Related

mskb 1
cve 6
prion 6
nvd 6
cvelist 6
openvas 1
kaspersky 1
symantec 6
packetstorm 2
zdi 5
seebug 1
fireeye 3
canvas 1
checkpoint_advisories 1
cisa_kev 1
attackerkb 1
zdt 2
myhack58 2
metasploit 1
exploitpack 1
exploitdb 2
threatpost 5
korelogic 1
thn 1
trellix 2
securityvulns 1
talosblog 1
mskb
mskb
MS15-051: Vulnerabilities in Windows kernel-mode drivers could allow information disclosure: May 12, 2015
2015-05-12 00:00:00
cve
cve
CVE-2015-1676
2015-05-13 10:59:08
CVE-2015-1678
2015-05-13 10:59:10
CVE-2015-1679
2015-05-13 10:59:11
prion
prion
Design/Logic Flaw
2015-05-13 10:59:00
Design/Logic Flaw
2015-05-13 10:59:00
Design/Logic Flaw
2015-05-13 10:59:00
nvd
nvd
CVE-2015-1678
2015-05-13 10:59:10
CVE-2015-1676
2015-05-13 10:59:08
CVE-2015-1677
2015-05-13 10:59:09
cvelist
cvelist
CVE-2015-1677
2015-05-13 10:00:00
CVE-2015-1680
2015-05-13 10:00:00
CVE-2015-1678
2015-05-13 10:00:00
openvas
openvas
Microsoft Windows Kernel-Mode Driver Privilege Elevation Vulnerability (3045171)
2015-05-13 00:00:00
kaspersky
kaspersky
KLA10580 Multiple vulnerabilities in Microsoft products
2015-05-12 00:00:00
symantec
symantec
Microsoft Windows Kernel Mode Driver CVE-2015-1680 Local Information Disclosure Vulnerability
2015-05-12 00:00:00
Microsoft Windows Kernel Mode Driver CVE-2015-1677 Local Information Disclosure Vulnerability
2015-05-12 00:00:00
Microsoft Windows CVE-2015-1701 Local Privilege Escalation Vulnerability
2015-04-18 00:00:00
packetstorm
packetstorm
Microsoft Windows ClientCopyImage Improper Object Handling
2015-06-22 00:00:00
Cellebrite UFED 7.5.0.845 Desktop Escape / Privilege Escalation
2020-05-14 00:00:00
zdi
zdi
Microsoft Windows NtUserRealInternalGetMessage Stack Information Disclosure Vulnerability
2015-05-12 00:00:00
Microsoft Windows NtUserGetComboBoxInfo Stack Information Disclosure Vulnerability
2015-05-12 00:00:00
Microsoft Windows NtUserGetTitleBarInfo Information Disclosure Vulnerability
2015-05-12 00:00:00
seebug
seebug
MS15-051 Win32k ClientCopyImage Elevation of Privilege Vulnerability (CVE-2015-1701)
2017-04-25 00:00:00
fireeye
fireeye
Lessons from Operation RussianDoll
2016-03-09 11:00:00
The EPS Awakens - Part 2
2015-12-20 19:45:00
The EPS Awakens
2015-12-16 08:00:00
canvas
canvas
Immunity Canvas: MS15_051
2015-04-21 10:59:00
checkpoint_advisories
checkpoint_advisories
Microsoft Windows System CallBack Privilege Escalation (CVE-2015-1701)
2015-04-21 00:00:00
cisa_kev
cisa_kev
Microsoft Win32k Privilege Escalation Vulnerability
2022-03-03 00:00:00
attackerkb
attackerkb
CVE-2015-1701
2015-04-21 00:00:00
zdt
zdt
Microsoft Windows ClientCopyImage Improper Object Handling Exploit
2015-06-23 00:00:00
Cellebrite UFED 7.5.0.845 Desktop Escape / Privilege Escalation Vulnerability
2020-05-14 00:00:00
myhack58
myhack58
Win32k elevation of privilege vulnerability, CVE-2 0 1 5-1 7 0 1-exp-vulnerability warning-the black bar safety net
2015-05-24 00:00:00
About 1 5 years 5 months to repair the two 0day-vulnerability warning-the black bar safety net
2015-05-13 00:00:00
metasploit
metasploit
Windows ClientCopyImage Win32k Exploit
2015-06-03 11:48:23
exploitpack
exploitpack
Microsoft Windows - Local Privilege Escalation (MS15-051)
2015-05-18 00:00:00
exploitdb
exploitdb
Microsoft Windows - ClientCopyImage Win32k (MS15-051) (Metasploit)
2015-06-24 00:00:00
Microsoft Windows - Local Privilege Escalation (MS15-051)
2015-05-18 00:00:00
threatpost
threatpost
May 2015 Microsoft Patch Tuesday Security Bulletins
2015-05-12 14:49:45
APT Groups Exploiting Patch Microsoft Office Flaw CVE-2015-2545
2016-05-25 12:58:57
Researchers Crack Furtim, SFG Malware Connection
2016-07-18 13:26:09
korelogic
korelogic
Cellebrite Restricted Desktop Escape and Escalation of User Privilege
2020-05-14 00:00:00
thn
thn
State-Sponsored SCADA Malware targeting European Energy Companies
2016-07-13 00:12:00
trellix
trellix
Take a "NetWalk" on the Wild Side
2020-08-03 00:00:00
Take a "NetWalk" on the Wild Side
2020-08-03 00:00:00
securityvulns
securityvulns
Microsoft Windows multiple security vulnerabilities
2015-05-13 00:00:00
talosblog
talosblog
China Chopper still active 9 years later
2019-08-27 08:14:42

7.2 High

CVSS2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

0.005 Low

EPSS

Percentile

77.3%

JSON
Related for SMB_NT_MS15-051.NASL
mskb1cve6prion6nvd6cvelist6openvas1kaspersky1symantec6packetstorm2zdi5seebug1fireeye3canvas1checkpoint_advisories1cisa_kev1attackerkb1zdt2myhack582metasploit1exploitpack1exploitdb2threatpost5korelogic1thn1trellix2securityvulns1talosblog1