CVE-2015-0057
Published 2015-02-11
Priority P344 · high · CVSS 2.0 base score 7.2
CVSS 2.0 vector: AV:L/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 12.75% (95.8th percentile)
win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows local users to gain privileges via a crafted application, aka "Win32k Elevation of Privilege Vulnerability."
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_server_2008 | — | — |
| microsoft | windows_server_2012 | — | — |
## Detection & IOCs (extracted from sources)
- CVE-2015-0057 exploit uses InternalGetWindowText/NtUserInternalGetWindowText and NtUserDefSetText Windows GUI functions to perform arbitrary kernel read/write; monitor for unusual invocation of these NT user functions from low-privilege processes.
- Sage 2.2 exploit targets the Local Descriptor Table (LDT) for ring-3 to ring-0 transition via a far call, rather than the traditional HalDispatchTable overwrite; detect unexpected LDT modifications in EPROCESS structures.
- Exploit shellcode disables SMEP by modifying the CR4 register to allow kernel-mode execution of user-mode code; monitor for CR4 register modifications in kernel telemetry.
- Exploit retrieves the ntoskrnl.exe base address via the IDT constant value 0x82888e00 (KIDTENTRY.Access + KIDTENTRY.ExtendedOffset) rather than traditional methods; this technique may evade behavioral detections watching for standard ntoskrnl base-address resolution.
- Dridex checks for the absence of patches KB3034344 and KB3013455 before deploying the CVE-2015-0057 EoP module (mod5); the presence of these checks in network traffic or loader logic is a strong indicator of exploitation intent.
- Dridex C2 communication for mod5 (CVE-2015-0057 EoP payload) uses HTTPS with RC4-encrypted XML containing a hard-coded key; network inspection for RC4-over-HTTPS to the listed C2 IPs on port 4843 is a detection opportunity.
- Sage 2.2 uses a UAC bypass via eventvwr.exe and registry hijacking to suppress the UAC popup; monitor for eventvwr.exe spawning unexpected child processes or registry key modifications under HKCU\Software\Classes\mscfile.
- Sage 2.2 download URLs use .info and .top TLDs with a numeric path; network detections should flag HTTP GET requests matching the pattern: domain ending in .info or .top with a purely numeric URI path.
- The CVE-2015-0057 root cause is a use-after-free in xxxEnableWndSBArrows within win32k.sys, triggered via the ClientLoadLibrary user-mode callback; kernel crash dumps or ETW traces showing a UAF in this function path indicate exploitation.
- Sage 2.2 terminates itself if it detects sandbox/VM indicators (process names, file paths containing 'sample'/'malw'/'virus', computer name 'abc-win7', blacklisted CPUIDs such as KVM/QEMU/Xeon/'AMD Opteron 2386', or blacklisted MAC addresses); dynamic analysis environments must spoof these to obtain full execution.
- Sage 2.2 strings are encrypted with ChaCha20, each with its own hard-coded decryption key; static string-based detection will not work without first decrypting the string table.
No detection rules found.
Exploit-DB
Microsoft Windows 8.1 - 'win32k' Local Privilege Escalation (MS15-010)
exploitdb·2015-12-18·CVSS 7.2
CVE-2015-0057 [HIGH] Microsoft Windows 8.1 - 'win32k' Local Privilege Escalation (MS15-010)
---
# Exploit Title: MS15-010/CVE-2015-0057 win32k Local Privilege Escalation
# Date: 2015-12-17
# Exploit Author: Jean-Jamil Khalife
# Software Link: http://www.microsoft.com
# Version: Windows 8.1 (x64)
# Tested on: Windows 8.1 (x64)
# CVE : CVE-2015-0057
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39035.zip
Exploit-DB
Microsoft Windows - Local Privilege Escalation (MS15-010)
exploitdb·2015-05-25·CVSS 6.9
CVE-2015-0060 [MEDIUM] Microsoft Windows - Local Privilege Escalation (MS15-010)
---
```cpp
// ex.cpp
/*
Windows XP/2K3/VISTA/2K8/7 WM_SYSTIMER Kernel EoP
CVE-2015-0003
March 2015 (Public Release: May 24, 2015)
Tested on:
x86: Win 7 SP1 | Win 2k3 SP2 | Win XP SP3
x64: Win 2k8 SP1 | Win 2k8 R2 SP1
Author: Skylake - skylake mail com
*/
#include "ex.h"
_ZwAllocateVirtualMemory ZwAllocateVirtualMemory;
_PsLookupProcessByProcessId PsLookupProcessByProcessId;
_PsReferencePrimaryToken PsReferencePrimaryToken;
DWORD Pid;
ATOM atom;
BOOL KrnlMode, bSpawned;
DWORD_PTR WINAPI pti()
{
#ifdef _M_X64
    LPBYTE p = ( LPBYTE ) __readgsqword( 0x30 );
    return ( DWORD_PTR ) *( ( PDWORD_PTR ) ( p + 0x78 ) );
#else
    LPBYTE p = ( LPBYTE ) __readfsdword( 0x18 );
    return ( DWORD_PTR ) *( ( PDWORD_PTR ) ( p + 0x40 ) );
#endif
}
BOOL find_and
```
Checkpoint
Exploit Developer Spotlight: The Story of PlayBit
blogs_checkpoint·2020-10-26·CVSS 7.8
CVE-2018-8453 [HIGH] Exploit Developer Spotlight: The Story of PlayBit
## Exploit Developer Spotlight: The Story of PlayBit
Research By: Eyal Itkin and Itay Cohen
## Introduction
Exploits have always been an important and integral part of malicious attacks.
Checkpoint
Graphology of an Exploit – Hunting for exploits by looking for the author’s fingerprints
blogs_checkpoint·2020-10-02
CVE-2019-0859 Graphology of an Exploit – Hunting for exploits by looking for the author’s fingerprints
## Graphology of an Exploit – Hunting for exploits by looking for the author’s fingerprints
Research by: Itay Cohen, Eyal Itkin
In the past months, our Vulnerability and Malware Research tea
Fortinet
Evasive Sage 2.2 Ransomware Variant Targets More Countries
blogs_fortinet·2017-10-29
FORTIGUARD LABS THREAT RESEARCH
Evasive Sage 2.2 Ransomware Variant Targets More Countries
By Floser Bacurio Jr., Wayne Low, and Jasper Manuel | October 29, 2017
The Sage ransomware variant appears to have been out of circulation for a while in the malware scene. Since we published our article on Sage 2.0 last February, and the discovery of version 2.2 in March, the FortiGuard Labs team hasn’t seen significant activity with this malware for over six months.
However, we just recently found new Sage samples that, while they appear to still be Sage 2.2, now have added tricks focused on anti-analysis and privilege escalation. In this article, we will share our findings of these recent updates.
Using our Kadena Threat Intelligence System, we have identified that this malware is being delive
Fortinet
BlackHat Asia 2016 wraps up
blogs_fortinet·2016-04-12·CVSS 7.2
CVE-2015-0057 [HIGH] BlackHat Asia 2016 wraps up
INDUSTRY TRENDS & INSIGHTS
BlackHat Asia 2016 wraps up
By Tony Loi | April 12, 2016
BlackHat Asia 2016 was once again held in the majestic Marina Bay Sands hotel in Singapore. This is one of the biggest security conferences in Asia. We attended many of the talks and presentations and wanted to highlight some of the most interesting topics here for those of you who were unable to attend:
- A NEW CVE-2015-0057 EXPLOIT TECHNOLOGY. Security researcher Wang Yu introduced an approach on exploiting the patched Windows kernel vulnerability CVE-2015-0057. This exploit was inspired by a number of other research papers that have been created on the same topic. He started by explaining how Windows 10 security can be further hardened to make exploiting the Windows kernel more challenging. But havin
Fortinet
What's cooking? Dridex’s New and Undiscovered Recipes
blogs_fortinet·2016-03-23
FORTIGUARD LABS THREAT RESEARCH
What's cooking? Dridex’s New and Undiscovered Recipes
By Wayne Chin Yick Low | March 23, 2016
Because of the recent outbreak of the Locky ransomware, Dridex has become synonymous with the distribution of ransomware more generally. However, Dridex is still taking good care of its notorious original business – banking Trojans. While preparing the materials for my upcoming HITBAMS2016 talk on Kernel Exploit hunting and mitigation, I came across this new variant of Dridex (SHA1: 455817A04F9D0A7094038D006518C85BE3892C99), which is rather interesting.
The Master of Antivirus Killers
Based on some simple string checks, we assumed that Dridex tries to evade a couple of major security software vendors. It is important to note that we didn’t look into exactly how t
Talos
Microsoft Patch Tuesday for February 2015: 56 vulnerabilities fixed
blogs_talos·2015-02-10·CVSS 6.8
[MEDIUM] Microsoft Patch Tuesday for February 2015: 56 vulnerabilities fixed
## Microsoft Patch Tuesday for February 2015: 56 vulnerabilities fixed
Microsoft’s Patch Tuesday for February 2015 has arrived. This month’s round of security updates is large with Microsoft releasing 9 bulletins addressing 56 CVEs. 3 of the bulletins are rated critical and address vulnerabilities within Internet Explorer, Windows, and Group Policy. The remaining 6 bulletins are rated important and address vulnerabilities in Office, Windows, Group Policy, and System Center Manager.
## Bulletins Rated Critical
MS15-009, MS15-010, and MS15-011 are rated Critical.
MS15-009 is targeted at addressing multiple vulnerabilities within Internet Explorer, versions 6 through 11. In total, 41 different CVEs were addressed, with the vast majority of those CVEs fixing use-after-free vulnerabilitie
Fortinet
One Bit To Rule Them All: Bypassing Windows 10 Protections Using a Single Bit | FortiGuard Labs
blogs_fortinet·2015-02-10·CVSS 7.2
CVE-2015-0057 [HIGH] One Bit To Rule Them All: Bypassing Windows 10 Protections Using a Single Bit | FortiGuard Labs
FORTIGUARD LABS THREAT RESEARCH
One Bit To Rule Them All: Bypassing Windows 10 Protections Using a Single Bit
By Udi Yavo | February 10, 2015
Threat Analysis: This blog originally appeared on the enSilo website and is republished here for threat research purposes. enSilo was acquired by Fortinet in October 2019.
Introduction
Today (Feb 10, 2015) Microsoft released their latest Patch Tuesday. This Patch includes a fix for vulnerability CVE-2015-0057, an IMPORTANT-rated Windows exploitable vulnerability which we responsibly disclosed to Microsoft a few months ago. (enSilo researchers - now a part of FortiGuard Labs - often discover new vulnerabilities in our continuing work towards maintaining a complete endpoint security).
As part of our research, we revealed this privilege escalation vu
Zscaler
Zscaler detects IE & MS Office Vulnerabilities | 02-10-2015
blogs_zscaler·CVSS 6.8
[MEDIUM] Zscaler detects IE & MS Office Vulnerabilities | 02-10-2015
arXiv
On the Effectiveness of Type-based Control Flow Integrity
arxiv_fulltext·2020-02-14
On the Effectiveness of Type-based Control Flow Integrity
Published in: 2018 Annual Computer Security Applications Conference (ACSAC '18), December 3–7, 2018, San Juan, PR, USA. DOI: 10.1145/3274694.3274739. ISBN: 978-1-4503-6569-7/18/12.
Authors: Reza Mirzazade farkhani (Northeastern University), Saman Jafari (Northeastern University), Sajjad Arshad (Northeastern University), William Robertson (Northeastern University), Engin Kirda (Northeastern University), Hamed Okhravi (MIT Lincoln Laboratory).
## Abstract
Control flow integrity (CFI) has received significant attention in the community
References:
- http://www.securityfocus.com/bid/72466
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-010
- https://exchange.xforce.ibmcloud.com/vulnerabilities/100431
- https://www.exploit-db.com/exploits/39035/