CVE-2015-0002
Published 2015-01-13
CVE-2015-0002: The AhcVerifyAdminContext function in ahcache.sys in the Application Compatibility component in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8…
Priority P3 44 · high · CVSS 2.0 score 7.2 (vector AV:L/AC:L/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS 13.80% (96.0th percentile)
The AhcVerifyAdminContext function in ahcache.sys in the Application Compatibility component in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not verify that an impersonation token is associated with an administrative account, which allows local users to gain privileges by running AppCompatCache.exe with a crafted DLL file, aka MSRC ID 20544 or "Microsoft Application Compatibility Infrastructure Elevation of Privilege Vulnerability."
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_server_2008 | — | — |
| microsoft | windows_server_2012 | — | — |
GHSA
GHSA-jmf2-h3mv-m742 · ghsa_unreviewed · 2022-05-14 · CVE-2015-0002 [HIGH]
Description identical to the CVE text above.
Project Zero
A Token’s Tale - Project Zero · project_zero · 2015-02-01 · CVSS 7.2 · CVE-2015-0002 [HIGH]
Posted by James Forshaw currently impersonating NT AUTHORITY\SYSTEM.
Much as I enjoy the process of vulnerability research, sometimes there’s a significant disparity between the difficulty of finding a vulnerability and exploiting it. The Project Zero blog contains numerous examples of complex exploits for seemingly trivial vulnerabilities. You might wonder why we’d go to this level of effort to prove exploitability; surely we don’t need to? Hopefully, by the end of this blog post you’ll have a better understanding of why we often spend significant effort demonstrating a security issue by developing a working proof of concept.
Our primary target for a PoC is the vendor, but there are other benefits for developing one. A customer of the vendor’s system can use the P
VMware
VMSA-2015-0002: VMware vSphere Data Protection product update addresses a certificate validation vulnerability · vendor_vmware · 2015-01-29 · CVSS 4.3 · CVE-2014-4632 [MEDIUM]
a. VMware vSphere Data Protection certificate validation vulnerability VMware vSphere Data Protection (VDP) does not fully validate SSL certificates coming from vCenter Server. This issue may allow a Man-in-the-Middle attack that enables the attacker to perform unauthorized backup and restore operations. VMware would like to thank Thorsten Tüllmann of the Steinbuch Centre for Computing, KIT, Germany for reporting this issue to VMware and the EMC Product Security Response Center for working with us on the issue. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2014-4632 to this issue. Column 4 of the following table lists the action
No detection rules found.
Exploit-DB
Android WiFi-Direct - Denial of Service · exploitdb · 2015-01-26 · CVSS 7.5 · CVE-2014-0997 [HIGH]
---
Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/
Android WiFi-Direct Denial of Service
1. *Advisory Information*
Title: Android WiFi-Direct Denial of Service
Advisory ID: CORE-2015-0002
Advisory URL:
http://www.coresecurity.com/advisories/android-wifi-direct-denial-service
Date published: 2015-01-26
Date of last update: 2015-01-26
Vendors contacted: Android Security Team
Release mode: User release
2. *Vulnerability Information*
Class: Uncaught Exception [CWE-248]
Impact: Denial of service
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2014-0997
3. *Vulnerability Description*
Some Android devices are affected by a Denial of Service attack when
scanning for WiFi Direct devices.
An attacker could send
Exploit-DB
Microsoft Windows 8.1 (x86/x64) - 'ahcache.sys' NtApphelpCacheControl Privilege Escalation · exploitdb · 2015-01-01 · CVE-2015-0002
---
# Source: https://code.google.com/p/google-security-research/issues/detail?id=118#c1
# Exploit-DB Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/35661-poc.zip
Platform: Windows 8.1 Update 32/64 bit (No other OS tested)
On Windows 8.1 update the system call NtApphelpCacheControl (the code is actually in ahcache.sys) allows application compatibility data to be cached for quick reuse when new processes are created. A normal user can query the cache but cannot add new cached entries as the operation is restricted to administrators. This is checked in the function AhcVerifyAdminContext.
This function has a vulnerability where it doesn't correctly check t
Metasploit
MS15-001 Microsoft Windows NtApphelpCacheControl Improper Authorization Check · metasploit
On Windows, the system call NtApphelpCacheControl (the code is actually in ahcache.sys) allows application compatibility data to be cached for quick reuse when new processes are created. A normal user can query the cache but cannot add new cached entries as the operation is restricted to administrators. This is checked in the function AhcVerifyAdminContext. This function has a vulnerability where it doesn't correctly check the impersonation token of the caller to determine if the user is an administrator. It reads the caller's impersonation token using PsReferenceImpersonationToken and then does a comparison between the user SID in the token to LocalSystem's SID. It doesn't check the impersonation level of the t
Talos
Microsoft Update Tuesday January 2015: Another Light Month, No IE Bulletins, More Changes to Reporting · blogs_talos · 2015-01-13 · CVSS 7.2 · [HIGH]
This post was written by Yves Younan.
Microsoft’s first Update Tuesday of 2015 is pretty light: there are a total of eight bulletins, all covering a single vulnerability. Seven of these bulletins are rated as important and just one is rated critical. No bulletin for IE is being released this month. Two of the vulnerabilities were publicly disclosed prior to today, while another one was being actively exploited by attackers.
Microsoft made a number of changes to Update Tuesday last month, such as dropping deployment priority in favor of their exploitability index (XI). This month more changes were made to the program: Microsoft is no longer providing their Advance Notification Service (ANS) to the general public, but is instead only providing it to premier customers.
The first bulletin of
Zscaler
Zscaler found Multiple Security Vulnerabilities | 01-13-2015 · blogs_zscaler
Bugzilla
xscreensaver: Unplugging HDMI cable can cause lock bypass · bugzilla · 2015-10-29 · CVSS 2.1 · [LOW]
In an HDMI multi-screen setup, xscreensaver aborts when the external screen is unplugged, which unlocks the desktop on XFCE while it is asking for the password.
Patch:
http://pkgs.fedoraproject.org/cgit/xscreensaver.git/diff/xscreensaver-5.33-0002-Modify-sigchld_hander-in_signal_hander_p-mechanism.patch?id=b57f59f3482fedf70ce7a3541094e2512290139f
CVE request (including steps to reproduce):
http://www.openwall.com/lists/oss-security/2015/10/24/2
Discussion:
Created xscreensaver tracking bugs for this issue:
Affects: fedora-all [bug 1276357]
Affects: epel-6 [bug 1276359]
---
The original bug is bug 1274452 .
---
http://www.openwall.com/lists/oss-security/2015/10/29/12
CVE-2015-8025 is now assigned.
---
Merging...
*** This bu
Bugzilla
CVE-2015-2155 tcpdump: force printer vulnerability · bugzilla · 2015-03-13 · CVSS 5.0 · [MEDIUM]
A flaw was found in tcpdump's force printer. A remote attacker could use this flaw to cause tcpdump to crash, resulting in a denial of service, or possibly execute arbitrary code.
Upstream patch:
http://www.ca.tcpdump.org/cve/0002-test-case-files-for-CVE-2015-2153-2154-2155.patch
Discussion:
Created tcpdump tracking bugs for this issue:
Affects: fedora-all [bug 1201799]
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2017:1871 https://access.redhat.com/errata/RHSA-2017:1871
Bugzilla
CVE-2015-2154 tcpdump: ethernet printer osi_print_cksum() missing sanity checks out-of-bounds read · bugzilla · 2015-03-13 · CVSS 5.0 · [MEDIUM]
A flaw was found in tcpdump's ethernet printer. A remote attacker could use this flaw to cause tcpdump to crash, resulting in a denial of service.
Upstream patch:
http://www.ca.tcpdump.org/cve/0002-test-case-files-for-CVE-2015-2153-2154-2155.patch
Discussion:
Created tcpdump tracking bugs for this issue:
Affects: fedora-all [bug 1201799]
---
This is caused by missing sanity checks in the osi_print_cksum() function in print-isoclns.c.
The function may call the create_osi_cksum() function in checksum.c with invalid data. Fortunately, this seems to be exploitable for an application crash due to an out-of-bounds read only.
---
tcpdump-4.7.3-1.fc21 has been pushed to the Fedora 21 stabl
Bugzilla
CVE-2015-2153 tcpdump: tcp printer rpki_rtr_pdu_print() missing length check · bugzilla · 2015-03-13 · CVSS 5.0 · [MEDIUM]
A flaw was found in tcpdump's TCP printer. A remote attacker could use this flaw to cause tcpdump to crash, resulting in a denial of service, or possibly execute arbitrary code.
Upstream patch:
http://www.ca.tcpdump.org/cve/0002-test-case-files-for-CVE-2015-2153-2154-2155.patch
Discussion:
Created tcpdump tracking bugs for this issue:
Affects: fedora-all [bug 1201799]
---
The problem here is a simple missing length check in the rpki_rtr_pdu_print() function in print-rpki-rtr.c when processing RPKI-RTR PDUs (Protocol Data Units) with an incorrect header length.
Without this check, the function will try to operate on invalid data when processing certain packets, leading to all kinds of unwanted side effects
Bugzilla
CVE-2015-1779 qemu: vnc: insufficient resource limiting in VNC websockets decoder · bugzilla · 2015-03-06 · CVSS 8.6 · [HIGH]
It was found that the QEMU's websocket frame decoder processed incoming frames without limiting resources used to process the header and payload. An attacker able to access a guest's VNC console could use this flaw to trigger a denial of service on the host by exhausting all available memory and CPU.
Acknowledgements:
This issue was discovered by Daniel P. Berrange of Red Hat.
Discussion:
Created attachment 998931
0001-CVE-2015-1779-incrementally-decode-websocket-frames.patch
---
Created attachment 998932
0002-CVE-2015-1779-limit-size-of-HTTP-headers-from-websoc.patch
---
Created attachment 999785
0001-CVE-2015-1779-incrementally-decode-websocket-frames.patch
---
Created attachment 999786
0002-CVE-
References
- http://secunia.com/advisories/61277
- http://twitter.com/sambowne/statuses/550384131683520512
- http://www.securityfocus.com/bid/71972
- http://www.zdnet.com/article/google-discloses-unpatched-windows-vulnerability/
- https://code.google.com/p/google-security-research/issues/detail?id=118
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-001
- https://exchange.xforce.ibmcloud.com/vulnerabilities/99523
- https://exchange.xforce.ibmcloud.com/vulnerabilities/99524
Published: 2015-01-13