cbcvebase.
CVE-2015-0096
published 2015-03-11


Priority: P2 (79)
Severity: critical, CVSS 2.0 base score 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploited in the wild (ITW); listed in VulnCheck KEV
EPSS: 71.08% (99.3rd percentile)
Untrusted search path vulnerability in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows local users to gain privileges via a Trojan horse DLL in the current working directory, leading to DLL loading during Windows Explorer access to the icon of a crafted shortcut, aka "DLL Planting Remote Code Execution Vulnerability."

Affected (2 ranges)

Vendor      Product               Version range   Fixed in
microsoft   windows_server_2008
microsoft   windows_server_2012

Detection & IOCs (extracted from sources)

yara
rule lnk_wiped {
    meta:
        author = "gvenere"
        description = "LNK with wiped metadata"
    strings:
        $lnk_magic = { 4c 00 00 00 }   // HeaderSize 0x4C, the first dword of every Shell Link
        $ext1 = ".js"
        $ext2 = ".bat"
        $ext3 = ".cmd"
    condition:
        $lnk_magic at 0x0 and
        // CreationTime, AccessTime, WriteTime are 8-byte FILETIMEs at 0x1c, 0x24, 0x2c;
        // only the low word of each is tested, which is enough to catch fully zeroed fields
        uint16(0x1c) == 0x0 and
        uint16(0x24) == 0x0 and
        uint16(0x2c) == 0x0 and
        // script-extension check is Qakbot-specific tuning, not part of the CVE-2015-0096 signature
        ( any of ($ext*) in (0xa0..0x100) )
}
  • CVE-2015-0096 exploits DLL loading triggered when Windows Explorer renders the icon of a crafted .LNK shortcut file pointing to a malicious DLL on a remote SMB share; monitor for Explorer loading DLLs from UNC/SMB paths.
  • Metasploit-generated LNK exploit files for CVE-2015-0096 have all three header timestamps (CreationTime, AccessTime, WriteTime) zeroed, and the DLL reference lives in IDList and ExtraData structures that many LNK parsers do not decode; detect LNK files where the timestamp fields at offsets 0x1c, 0x24 and 0x2c are all zero.
  • The Metasploit module ms15_020_shortcut_icon_dllloader creates an SMB resource to serve the payload DLL and generates a crafted LNK file; detect SMB-hosted DLL loads initiated by explorer.exe as a result of LNK icon rendering.
  • LNK files crafted for CVE-2015-0096 use a Control Panel Applet ItemID structure (byte 0x6a at offset 11 within the ItemID data) to reference a DLL path; the IDList contains specific shell GUIDs for 'This PC' and 'All Control Panel Items' followed by a CPL applet entry pointing to the malicious DLL.
  • CVE-2017-8464 (a variant of CVE-2015-0096/MS15-020) adds a SpecialFolderDataBlock with SpecialFolderID 0x03 (CSIDL_CONTROLS) to bypass the CPL whitelist; presence of BlockSignature 0xA0000005 with SpecialFolderID 0x03 in LNK ExtraData is a strong indicator of exploit-crafted files.
  • LNK files with LinkFlags value 0x81 (HasLinkTargetIDList | IsUnicode) and all timestamp fields zeroed, combined with a CPL applet IDList entry, are characteristic of exploit-generated shortcut files for this vulnerability class.
  • The Metasploit module ms15_020_shortcut_icon_dllloader was tested successfully only on Windows 2003 SP2 with MS10-046 installed and Windows 2008 SP2 (32-bit) with MS14-027 installed; exploit reliability on other targets may vary.
  • The CVE-2017-8464 Metasploit variant (a bypass of CVE-2015-0096's fix) does not work with UNC paths and instead requires the DLL to be placed at the root of a drive (e.g., USB drive or shared VM folder) with LNK files generated per drive letter D–Z.
  • The YARA rule for wiped-metadata LNK detection includes extension checks (.js, .bat, .cmd) tuned for Qakbot; these additional string conditions should be adjusted when hunting for CVE-2015-0096 exploit files specifically, as those will not necessarily contain those extensions.

CVSS provenance

NVD: v2.0 9.3 CRITICAL (AV:N/AC:M/Au:N/C:C/I:C/A:C)
VulnCheck: 9.3 CRITICAL