CVE-2015-0003
published 2015-02-11

Priority: P2 · 79 · medium · 6.9 (CVSS 2.0)
CVSS 2.0 vector: AV:L/AC:M/Au:N/C:C/I:C/A:C
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 4.54% (90.4th percentile)
win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows local users to gain privileges or cause a denial of service (NULL pointer dereference) via a crafted application, aka "Win32k Elevation of Privilege Vulnerability."

Affected (2 ranges)

Vendor      Product               Version range   Fixed in
microsoft   windows_server_2008   (not listed)    (not listed)
microsoft   windows_server_2012   (not listed)    (not listed)

Note that the two CPE ranges above cover only Windows Server 2008 and 2012; the description lists Server 2003 SP2, Vista SP2, 7 SP1, 8, 8.1, Server 2012 R2 and Windows RT as affected as well, so do not scope patch verification to the two listed products.

Detection & IOCs (extracted from sources)

process    svchost.exe
registry   software\microsoft\windows\currentversion\run
registry   software\microsoft\windows nt\currentversion\winlogon
registry   Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
domain     vk.com
domain     yandex.ru
other      botid=%s&ver=5.0.1&up=%u&os=%03u (apparent check-in format string)

Caveat: svchost.exe, the three registry keys and the two domains are all legitimate in isolation (the keys are standard persistence locations; vk.com and yandex.ru are high-traffic public services), so treat them as context for the behaviours listed below rather than as block-list entries. The format string is the only artifact in this list that is specific to the malware.
  • Shifu (earlier versions) exploited CVE-2015-0003 (win32k.sys NULL pointer dereference) to escalate privileges to SYSTEM level from a local user context via a crafted application.
  • Look for a Windows atom (not just a mutex) used as an infection marker — Shifu uses an atom to check if the host is already infected, in addition to the mutex.
  • Shifu injects its main payload into a 32-bit (x86) svchost.exe process and patches API calls using 'push-calc-ret' obfuscation — monitor for anomalous svchost instances spawned from unexpected parents or with unusual memory regions.
  • Shifu achieves persistence by copying the initial loader to the AppData folder and dropping a JScript file in the Startup folder — monitor for .js files created in Startup directories pointing to AppData executables.
  • Shifu C2 communications use .bit (Namecoin) top-level domains with domain names, user-agent strings, and URL parameters encrypted with a modified RC4 algorithm — flag DNS queries or traffic to .bit TLDs from endpoints.
  • Shifu uses a Layered Service Provider (LSP) to hook into the Winsock API for intercepting and modifying inbound and outbound Internet traffic — detect unexpected LSP entries in the Winsock catalog.
  • The exploit payload is stored in the .tls section of the second stage injector — scan PE files for executable payloads packed inside .tls sections as an indicator of this loader family.
  • Both the second stage injector and the main payload contain many strings that are never used, which may generate false positives in string-based detections.
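Two of the hunts above, the executable payload in a .tls section and DNS queries for .bit names, as an added example written for this page (Python; not code from the page's sources or from any Shifu analysis). Everything it consumes is constructed inline: the PE images are minimal header-plus-section-table stubs built by the script, and the DNS log format "<timestamp> <client> <qtype> <qname>" and the 512-byte .tls size threshold are assumptions.

```python
import struct

# Section Characteristics bits from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Assumed threshold: a normal .tls section holds a few callback pointers and a
# small data template, so a multi-kilobyte one deserves a look.
TLS_SIZE_THRESHOLD = 512


def parse_sections(pe: bytes):
    """Walk the COFF section table and return one dict per section."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    off = coff + 20 + size_opt  # section table follows the optional header
    sections = []
    for _ in range(num_sections):
        (name, _vsize, _vaddr, raw_size, raw_ptr,
         _, _, _, _, chars) = struct.unpack_from("<8sIIIIIIHHI", pe, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "raw_size": raw_size, "raw_ptr": raw_ptr,
                         "characteristics": chars})
        off += 40
    return sections


def tls_section_findings(pe: bytes):
    """Reasons the .tls section looks like a payload carrier ([] if none)."""
    reasons = []
    for s in parse_sections(pe):
        if s["name"] != ".tls":
            continue
        if s["characteristics"] & (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE):
            reasons.append("tls section is executable")
        if s["raw_size"] > TLS_SIZE_THRESHOLD:
            reasons.append(f"tls section is {s['raw_size']} bytes on disk")
    return reasons


def build_pe(sections):
    """Build a minimal PE32 image (headers plus raw section bytes) for the
    demo. It is not loadable; it only has to satisfy parse_sections."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_opt = 224
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_opt, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (size_opt - 2)  # PE32 magic, rest zero
    hdr_len = e_lfanew + 4 + 20 + size_opt + 40 * len(sections)
    raw_start = (hdr_len + 0x1FF) & ~0x1FF  # first raw section on a 512-byte boundary
    table, bodies = b"", b""
    for i, (name, body, chars) in enumerate(sections):
        table += struct.pack("<8sIIIIIIHHI", name, len(body), 0x1000 * (i + 1),
                             len(body), raw_start + len(bodies), 0, 0, 0, 0, chars)
        bodies += body
    image = dos + b"PE\0\0" + coff + opt + table
    return image + b"\0" * (raw_start - len(image)) + bodies


# Constructed samples: a loader-like image with a 2 KiB executable blob in
# .tls, and a benign image whose .tls is small and data-only.
CODE_SECTION = (b".text", b"\xc3" * 64,
                IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
SUSPICIOUS_PE = build_pe([CODE_SECTION, (b".tls", b"\x55\x89\xe5" + b"\x90" * 2045,
    IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE)])
BENIGN_PE = build_pe([CODE_SECTION, (b".tls", b"\0" * 24,
    IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)])

# Constructed DNS log, assumed format "<timestamp> <client> <qtype> <qname>".
DNS_LOG = """\
2015-09-01T10:00:01Z 10.0.0.5 A www.example.com.
2015-09-01T10:00:07Z 10.0.0.5 A panel.totallynormal.bit.
2015-09-01T10:00:09Z 10.0.0.9 AAAA mail.example.org.
2015-09-01T10:01:44Z 10.0.0.5 A update.shiftyloader.BIT
"""


def flag_bit_queries(log_text: str):
    """(client, qname) for every query under .bit, a Namecoin TLD that is not
    delegated by ICANN and should not appear in ordinary recursive DNS."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        client, qname = parts[1], parts[3].rstrip(".").lower()
        if qname.endswith(".bit"):
            hits.append((client, qname))
    return hits
```

Run `tls_section_findings(open(path, "rb").read())` over a directory of PE files to triage for this loader family, and feed `flag_bit_queries` the resolver log in the assumed four-column shape (adapt the split if your resolver logs differently). The .tls check deliberately fires on either the executable flag or the size, because a loader can carry the blob in a plain data section and copy it to executable memory at run time; the size heuristic catches that case, at the cost of some false positives on binaries with large TLS templates.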

CVSS provenance

NVD (CVSS v2.0): 6.9 MEDIUM, AV:L/AC:M/Au:N/C:C/I:C/A:C
VulnCheck: 6.9 MEDIUM