CVE-2015-0016
Published: 2015-01-13
Priority: P185 · high · CVSS 3.1: 7.8
Vector: AV:L AC:L PR:N UI:R S:U C:H I:H A:H
Flags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, remediation due 2022-06-15
Exploited in the wild
EPSS: 75.94% (99.5th percentile)
Directory traversal vulnerability in the TS WebProxy (aka TSWbPrxy) component in Microsoft Windows Vista SP2, Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to gain privileges via a crafted pathname in an executable file, as demonstrated by a transition from Low Integrity to Medium Integrity, aka "Directory Traversal Elevation of Privilege Vulnerability."
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_server_2008 | — | — |
| microsoft | windows_server_2012 | — | — |
Detection & IOCs (extracted from sources)
Snort/Suricata rule:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK CVE-2015-0016 Sep 22 2016 (b643)"; flow:established,to_client; flowbits:set,SunDown.EK; file.data; content:"9xb4GwTUbwUQoyD09AFIox7g9y6"; classtype:exploit-kit; sid:2023279; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_22, cve CVE_2015_0016, malware_family SunDown, confidence High, signature_severity Major, tag Exploit_Kit_Sundown, tag CISA_KEV, updated_at 2024_03_14;)
Bytes (content match): 9xb4GwTUbwUQoyD09AFIox7g9y6
- Monitor for TSWbPrxy.exe spawning unexpected child processes, especially PowerShell, as the exploit abuses TSWbPrxy.exe to escape IE Protected Mode (Low Integrity) and execute code at Medium Integrity.
- Detect the drop and load of cve-2015-0016.dll into the TEMP directory, which is the exploit DLL uploaded by the Metasploit module during exploitation.
- Alert on processes transitioning from Low Integrity to Medium Integrity level, particularly those involving TSWbPrxy.exe, as this is the specific privilege escalation path described for this CVE.
- Use the Emerging Threats Snort/Suricata rule SID 2023279 to detect SunDown Exploit Kit delivering CVE-2015-0016 payloads in HTTP responses via the content string '9xb4GwTUbwUQoyD09AFIox7g9y6'.
- Monitor for the environment variable 'PSHCMD' being set via kernel32.SetEnvironmentVariableA, which is used by the exploit to stage the PowerShell payload before execution.
- Note: the Metasploit module only targets 32-bit Windows 7 SP1 and prior; it explicitly fails on Windows 8/2012, limiting the exploit's automated applicability despite the CVE affecting a broader OS range.
- Note: the exploit requires an existing Meterpreter session running at Low Integrity (IE Protected Mode); it is a local privilege escalation, not a remote code execution vector on its own.
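As an added example (not code from any of the sources above), the first and third detection ideas in this list applied to constructed Sysmon-style process-creation events; the field names, the sample events and the mstsc.exe allowlist are assumptions to be tuned per environment.

```python
"""Flag the TSWbPrxy.exe child-process and Low->Medium integrity patterns described above."""
import json
from pathlib import PureWindowsPath

# Constructed sample events in a Sysmon-like JSON-lines shape (field names are an assumption).
SAMPLE_LOG = r"""
{"pid": 100, "ppid": 50,  "image": "C:\\Program Files\\Internet Explorer\\iexplore.exe", "integrity": "Low"}
{"pid": 200, "ppid": 100, "image": "C:\\Windows\\System32\\TSWbPrxy.exe", "integrity": "Medium"}
{"pid": 300, "ppid": 200, "image": "C:\\Windows\\System32\\mstsc.exe", "integrity": "Medium"}
{"pid": 400, "ppid": 200, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "integrity": "Medium"}
{"pid": 500, "ppid": 50,  "image": "C:\\Windows\\notepad.exe", "integrity": "Medium"}
"""

# Assumption: mstsc.exe is the child TSWbPrxy.exe is expected to launch; tune per environment.
EXPECTED_CHILDREN = {"mstsc.exe"}


def basename(path):
    """Lower-cased file name of a Windows path, so rules are case-insensitive."""
    return PureWindowsPath(path).name.lower()


def detect(log_text):
    """Return (severity, pid, reason) tuples for events matching either detection idea."""
    events = [json.loads(line) for line in log_text.strip().splitlines() if line.strip()]
    by_pid = {e["pid"]: e for e in events}   # creation event per pid, used to look up the parent
    alerts = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None:                   # parent was created before the log window began
            continue
        child, par = basename(e["image"]), basename(parent["image"])
        # Idea 1: TSWbPrxy.exe spawning anything outside its expected child set (PowerShell worst).
        if par == "tswbprxy.exe" and child not in EXPECTED_CHILDREN:
            severity = "high" if child == "powershell.exe" else "medium"
            alerts.append((severity, e["pid"], f"TSWbPrxy.exe spawned {child}"))
        # Idea 3: a Low-integrity parent yielding a Medium-integrity child. This also fires on the
        # legitimate iexplore.exe -> TSWbPrxy.exe broker launch, so treat it as a lead, not a verdict.
        if parent["integrity"] == "Low" and e["integrity"] == "Medium":
            alerts.append(("medium", e["pid"], f"{par} (Low) -> {child} (Medium)"))
    return alerts


if __name__ == "__main__":
    for severity, pid, reason in detect(SAMPLE_LOG):
        print(f"[{severity}] pid={pid}: {reason}")
```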
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vulncheck | — | 7.8 | HIGH | — |
| cisa | — | 7.8 | HIGH | — |
GHSA
GHSA-59ww-48gw-2fpx · ghsa_unreviewed · 2022-05-14 · CWE-22 · [HIGH]
Description: identical to the NVD description above (directory traversal in the TS WebProxy (aka TSWbPrxy) component allowing a transition from Low Integrity to Medium Integrity).
VulnCheck
Microsoft Windows TS WebProxy Directory Traversal Vulnerability
vulncheck · 2015 · CVSS 7.8 · [HIGH] · CWE-22
Directory traversal vulnerability in the TS WebProxy (TSWbPrxy) component in Microsoft Windows allows remote attackers to escalate privileges.
Affected: Microsoft Windows
Required Action: Apply updates per vendor instructions.
Exploitation References: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2022-06-15
CISA
Microsoft Windows TS WebProxy Directory Traversal Vulnerability
cisa · 2022-05-25 · CVSS 7.8 · [HIGH] · CWE-22
Affected: Microsoft Windows
Directory traversal vulnerability in the TS WebProxy (TSWbPrxy) component in Microsoft Windows allows remote attackers to escalate privileges.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2015-0016
Remediation Due Date: 2022-06-15
Suricata
ET EXPLOIT_KIT SunDown EK CVE-2015-0016 Sep 22 2016 (b643)
suricata · 2016-09-22 · CVSS 7.8 · [HIGH]
Rule: SID 2023279, reproduced in full in the Detection & IOCs section above.
Exploit-DB
Microsoft Remote Desktop Services - Web Proxy IE Sandbox Escape (MS15-004) (Metasploit)
exploitdb · 2015-02-03 · CVE-2015-0016
---
```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

# The page's excerpt ran the class line and the 'Name' key together; the class header and
# initialize/update_info wrapper below follow the standard Metasploit local-exploit layout
# (assumed, not visible in the excerpt).
class Metasploit3 < Msf::Exploit::Local
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'MS15-004 Microsoft Remote Desktop Services Web Proxy IE Sandbox Escape',
      'Description' => %q{
        This module abuses a process creation policy in Internet Explorer's sandbox, specifically
        the Microsoft Remote Desktop Services Web Proxy IE one, which allows the attacker to escape
        the Protected Mode, and execute code with Medium Integrity. At the moment, this module only
        bypasses Protected Mode on Windows 7 SP1 and prior (32 bits). This module has been tested
        successfully on Windows 7 SP1 (32 bits) with IE 8 and IE 11.
      },
      'License'
      # (the module source is truncated here in the page's excerpt)
```
Metasploit
MS15-004 Microsoft Remote Desktop Services Web Proxy IE Sandbox Escape
metasploit
This module abuses a process creation policy in Internet Explorer's sandbox; specifically, Microsoft's RemoteApp and Desktop Connections runtime proxy, TSWbPrxy.exe. This vulnerability allows the attacker to escape the Protected Mode and execute code with Medium Integrity. At the moment, this module only bypasses Protected Mode on Windows 7 SP1 and prior (32 bits). This module has been tested successfully on Windows 7 SP1 (32 bits) with IE 8 and IE 11.
Talos
Microsoft Update Tuesday January 2015: Another Light Month, No IE Bulletins, More Changes to Reporting
blogs_talos · 2015-01-13 · CVSS 7.2 · [HIGH]
This post was written by Yves Younan.
Microsoft's first Update Tuesday of 2015 is pretty light: there's a total of eight bulletins, all covering a single vulnerability. Seven of these bulletins are rated as important and just one is rated critical. No bulletin for IE is being released this month. Two of the vulnerabilities were publicly disclosed prior to today, while another one was being actively exploited by attackers.
Microsoft made a number of changes to Update Tuesday last month, such as dropping deployment priority in favor of their exploitability index (XI). This month more changes were made to the program: Microsoft is no longer providing their Advance Notification Service (ANS) to the general public, but is instead only providing it to premier customers.
The first bulletin of
Zscaler
Zscaler found Multiple Security Vulnerabilities | 01-13-2015
blogs_zscaler
References
- http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2015-0016-escaping-the-internet-explorer-sandbox/
- http://packetstormsecurity.com/files/130201/MS15-004-Microsoft-Remote-Desktop-Services-Web-Proxy-IE-Sandbox-Escape.html
- http://secunia.com/advisories/62076
- http://www.exploit-db.com/exploits/35983
- http://www.securityfocus.com/bid/71965
- http://www.securitytracker.com/id/1031524
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-004
- https://exchange.xforce.ibmcloud.com/vulnerabilities/99515
- https://exchange.xforce.ibmcloud.com/vulnerabilities/99516
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2015-0016
Timeline
- 2015-01-13: Published
- 2022-05-25: Added to CISA KEV
- Exploited in the wild