CVE-2015-0003
published 2015-02-11
CVE-2015-0003: win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8…
Priority P279 · medium · 6.9 (CVSS 2.0)
CVSS 2.0 vector: AV:L/AC:M/Au:N/C:C/I:C/A:C
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 4.54% (90.4th percentile)
win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows local users to gain privileges or cause a denial of service (NULL pointer dereference) via a crafted application, aka "Win32k Elevation of Privilege Vulnerability."
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_server_2008 | — | — |
| microsoft | windows_server_2012 | — | — |
Detection & IOCs (extracted from sources)
- Shifu (earlier versions) exploited CVE-2015-0003 (win32k.sys NULL pointer dereference) to escalate privileges to SYSTEM level from a local user context via a crafted application.
- Look for a Windows atom (not just a mutex) used as an infection marker: Shifu uses an atom to check if the host is already infected, in addition to the mutex.
- Shifu injects its main payload into a 32-bit (x86) svchost.exe process and patches API calls using "push-calc-ret" obfuscation. Monitor for anomalous svchost instances spawned from unexpected parents or with unusual memory regions.
- Shifu achieves persistence by copying the initial loader to the AppData folder and dropping a JScript file in the Startup folder. Monitor for .js files created in Startup directories that point to AppData executables.
- Shifu C2 communications use .bit (Namecoin) top-level domains, with domain names, user-agent strings, and URL parameters encrypted with a modified RC4 algorithm. Flag DNS queries or traffic to .bit TLDs from endpoints.
- Shifu uses a Layered Service Provider (LSP) to hook into the Winsock API for intercepting and modifying inbound and outbound Internet traffic. Detect unexpected LSP entries in the Winsock catalog.
- The exploit payload is stored in the .tls section of the second-stage injector. Scan PE files for executable payloads packed inside .tls sections as an indicator of this loader family.
- Both the second-stage injector and the main payload contain many strings that are never used, which may generate false positives in string-based detections.
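Three of the host- and network-side indicators above (the .bit TLD queries, the Startup-folder JScript that launches an AppData executable, and the executable payload hidden in a .tls section) are mechanical enough to check with a short script. The block below is an added example written for this page, not code from Unit 42, VulnCheck or the Shifu authors. Every sample input in it (the DNS log lines, the file-creation events, the two PE skeletons) is constructed for the example, the log format is assumed, and the 4 KiB .tls size threshold is an assumption rather than a value any of the sources give. The LSP and svchost indicators need a live Windows host (for example `netsh winsock show catalog` and process telemetry) and are not covered here.

```python
"""Added example: toy detectors for three Shifu indicators. All inputs are constructed."""
import re
import struct

# --- 1. DNS: queries whose top-level domain is .bit (Namecoin) -----------------
DNS_LOG = """\
2017-01-06T10:00:01Z host=WS01 query=update.microsoft.com. type=A
2017-01-06T10:00:02Z host=WS01 query=dkjh3f92.bit type=A
2017-01-06T10:00:03Z host=WS02 query=cdn.bit.example.com type=A
2017-01-06T10:00:04Z host=WS03 query=BANKLOGIN.BIT type=A
"""  # constructed; the "host=... query=..." layout is an assumed log format
_DNS_RE = re.compile(r"host=(?P<host>\S+)\s+query=(?P<q>\S+)")


def bit_tld_queries(log_text):
    """Return (host, query) pairs whose final label is 'bit'.
    Only the last label counts, so 'cdn.bit.example.com' is not flagged."""
    hits = []
    for line in log_text.splitlines():
        m = _DNS_RE.search(line)
        if not m:
            continue
        name = m.group("q").rstrip(".").lower()
        if name.split(".")[-1] == "bit":
            hits.append((m.group("host"), name))
    return hits


# --- 2. Persistence: .js in a Startup folder that runs something under AppData --
STARTUP_DIR = "\\start menu\\programs\\startup\\"
FILE_EVENTS = [  # constructed (created path, file contents)
    (r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\upd.js",
     r'new ActiveXObject("WScript.Shell").Run("C:\\Users\\alice\\AppData\\Roaming\\svc\\ldr.exe");'),
    (r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notes.js",
     r'WScript.Echo("hello");'),
    (r"C:\Users\alice\Documents\tool.js",
     r'new ActiveXObject("WScript.Shell").Run("C:\\Users\\alice\\AppData\\Local\\x.exe");'),
]
# JScript source doubles backslashes, hence "\\+" between path components.
_APPDATA_EXE_RE = re.compile(r"appdata\\+[\w\\.]*\.exe", re.IGNORECASE)


def startup_js_launching_appdata(events):
    """Paths of .js files created under a Startup folder whose text references
    an .exe under AppData. The Documents/ script is ignored: wrong location."""
    return [path for path, body in events
            if path.lower().endswith(".js") and STARTUP_DIR in path.lower()
            and _APPDATA_EXE_RE.search(body)]


# --- 3. PE: a .tls section that is executable or unusually large ---------------
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
TLS_SIZE_LIMIT = 0x1000  # assumed threshold; a genuine TLS directory is usually tiny


def section_table(pe):
    """Yield (name, raw_size, characteristics) from a PE section table."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]   # SizeOfOptionalHeader
    base = e_lfanew + 24 + opt_size                             # first IMAGE_SECTION_HEADER
    for i in range(nsec):
        off = base + 40 * i
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size = struct.unpack_from("<I", pe, off + 16)[0]    # SizeOfRawData
        flags = struct.unpack_from("<I", pe, off + 36)[0]       # Characteristics
        yield name, raw_size, flags


def tls_findings(pe):
    """Reasons a .tls section looks like a packed payload rather than TLS data."""
    reasons = []
    for name, raw_size, flags in section_table(pe):
        if name != ".tls":
            continue
        if flags & (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE):
            reasons.append("executable")
        if raw_size > TLS_SIZE_LIMIT:
            reasons.append("oversized")
    return reasons


def build_pe(sections):
    """Header-only PE skeleton (constructed test fixture) for section_table()."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n.encode().ljust(8, b"\0"),
                                sz, 0, sz, 0, 0, 0, 0, 0, fl) for n, sz, fl in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(224) + hdrs


TEXT_FLAGS = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA_FLAGS = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
SUSPICIOUS_PE = build_pe([(".text", 0x1000, TEXT_FLAGS), (".tls", 0x6000, DATA_FLAGS | IMAGE_SCN_MEM_EXECUTE)])
BENIGN_PE = build_pe([(".text", 0x1000, TEXT_FLAGS), (".tls", 0x200, DATA_FLAGS)])

if __name__ == "__main__":
    print(bit_tld_queries(DNS_LOG))
    print(startup_js_launching_appdata(FILE_EVENTS))
    print(tls_findings(SUSPICIOUS_PE), tls_findings(BENIGN_PE))
```

The .tls check is a heuristic, not a signature: a packer can leave the section non-executable and unpack at run time, so treat "oversized" alone as a hunt lead and combine it with the Startup/AppData and .bit indicators before alerting. The unused-strings caveat in the last bullet above is the reason none of these checks key on string content.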
CVSS provenance
nvd · v2.0 · 6.9 MEDIUM · AV:L/AC:M/Au:N/C:C/I:C/A:C
vulncheck · 6.9 MEDIUM
GHSA
GHSA-rq3c-hg7m-wr6h: win32k
ghsa_unreviewed · 2022-05-14 · MEDIUM · CWE-476 (NULL pointer dereference)
Same description as the NVD entry above.
VulnCheck
Microsoft Windows NULL Pointer Dereference
vulncheck · 2015 · CVSS 6.9 · MEDIUM
Same description as the NVD entry above.
Affected: Microsoft Windows
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.virusbulletin.com/virusbulletin/2015/11/shifu-rise-self-destructive-banking-trojan
Exploit PoC: https://vulncheck.com/xdb/2019d6
No detection rules found.
Unit42
2016 Updates to Shifu Banking Trojan
blogs_unit42 · 2017-01-06 · CVSS 6.9 · MEDIUM
Dominik Reichel · Published: January 6, 2017 · Tags: Cybercrime, Malware, Threat Research, Banking, Shifu, Trojan
## Overview
Shifu is a banking Trojan first discovered in 2015. It is based on the Shiz source code, which incorporated techniques used by Zeus. Attackers use Shifu to steal credentials for online banking websites around the world, starting in Russia but later including the UK, Italy, and others.
Palo Alto Networks Unit 42 research has found that the Shifu authors evolved Shifu in 2016, incorporating multiple new techniques to infect and evade detection on Microsoft Windows systems. Some of these include:
- Exploitation of CVE-2016-0167, a Microsoft Windows privilege escalation vulnerability, to gain SYSTEM-level privileges. Earlier versions of Shifu exploited CVE-2015-0003 to achieve the same goal.
- Use of a Windows atom to identify if the hos
Talos
Microsoft Patch Tuesday for February 2015: 56 vulnerabilities fixed
blogs_talos · 2015-02-10 · CVSS 6.8 · MEDIUM
## Microsoft Patch Tuesday for February 2015: 56 vulnerabilities fixed
Microsoft's Patch Tuesday for February 2015 has arrived. This month's round of security updates is large, with Microsoft releasing 9 bulletins addressing 56 CVEs. 3 of the bulletins are rated critical and address vulnerabilities within Internet Explorer, Windows, and Group Policy. The remaining 6 bulletins are rated important and address vulnerabilities in Office, Windows, Group Policy, and System Center Manager.
### Bulletins Rated Critical
MS15-009, MS15-010, and MS15-011 are rated Critical.
MS15-009 is targeted at addressing multiple vulnerabilities within Internet Explorer, versions 6 through 11. In total, 41 different CVEs were addressed, with the vast majority of those CVEs fixing use-after-free vulnerabilities that could result in remote code execution. A couple ASLR bypasses, pr
Bugzilla
CVE-2015-5247 libvirt: denial of service when volume creation fails on NFS pool
bugzilla · 2015-09-02 · CVSS 6.5 · MEDIUM
This entry concerns CVE-2015-5247 in libvirt, not CVE-2015-0003; it is listed here only because the libvirt security notice it links to is numbered 2015/0003.
It was reported that libvirt did not perform a proper clean up after volume creation fails on an NFS pool with "root_squash" option enabled.
This leaves the NFS pool in damaged state.
Discussion:
Fix is public as of 2015-08-02:
https://www.redhat.com/archives/libvir-list/2015-September/msg00018.html
---
Libvirt Security Notice:
http://security.libvirt.org/2015/0003.html
---
Upstream patches were released, see the Security Notice above.
References
- http://www.securityfocus.com/bid/72457
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-010
- https://exchange.xforce.ibmcloud.com/vulnerabilities/100430