CVE-2015-2370
Published: 2015-07-14
Priority P2 · 74 · high · CVSS 2.0: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
ITW exploit · VulnCheck KEV · Exploited in the wild
EPSS: 4.42% (90.1th percentile)
The authentication implementation in the RPC subsystem in Microsoft Windows Server 2003 SP2 and R2 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not prevent DCE/RPC connection reflection, which allows local users to gain privileges via a crafted application, aka "Windows RPC Elevation of Privilege Vulnerability."
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_2003_server | — | — |
| microsoft | windows_server_2008 | — | — |
| microsoft | windows_server_2012 | — | — |
Detection & IOCs (extracted from sources)
- Detect execution of trebuchet.exe or child processes spawning from it, particularly when it is used to copy files into privileged system directories such as C:\Windows\System32\.
- Monitor for the presence of Microsoft.VisualStudio.OLE.Inerop.dll (note the typo: 'Inerop', not 'Interop') alongside unknown executables; this DLL is a required dependency of the Trebuchet exploit tool.
- Detect symbolic link / junction creation activity (CreateSymlink tooling) in conjunction with RPC activity, as the exploit chains NTLM reflection with symlink abuse to write files to privileged locations.
- Note: the exploit can only be triggered once every 2-3 minutes because RPC is held up by LocalSystem; repeated rapid execution attempts will fail, which may affect detection timing thresholds.
- Note: the Trebuchet PoC was tested only on x64/x86 Windows 7 and Windows 8.1; applicability to the other affected OS versions listed in the CVE (e.g., Server 2003, Vista, Server 2008/R2, Server 2012) should be independently verified.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | — | 7.2 | HIGH | — |
GHSA
GHSA-wmv6-6vx5-3643 · ghsa_unreviewed · 2022-05-14 · HIGH
The authentication implementation in the RPC subsystem in Microsoft Windows Server 2003 SP2 and R2 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not prevent DCE/RPC connection reflection, which allows local users to gain privileges via a crafted application, aka "Windows RPC Elevation of Privilege Vulnerability."
Project Zero
Windows Exploitation Tricks: Relaying DCOM Authentication - Project Zero
project_zero · 2021-10-01 · CVSS 7.2 · HIGH
Posted by James Forshaw, Project Zero
In my previous blog post I discussed the possibility of relaying Kerberos authentication from a DCOM connection. I was originally going to provide a more in-depth explanation of how that works, but as it's quite involved I thought it was worthy of its own blog post. This is primarily a technique to get relay authentication from another user on the same machine and forward that to a network service such as LDAP. You could use this to escalate privileges on a host using a technique similar to a blog post from Shenanigans Labs but removing the requirement for the WebDAV service. Let's get straight to it.
## Background
The technique to locally relay authentication for DCOM was something I originally reported back in 2015 (issue 325). This issue was
VulnCheck
Windows RPC Elevation of Privilege Vulnerability
vulncheck · 2015 · CVSS 7.2 · HIGH
Affected: Microsoft Windows
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://decoded.avast.io/martinchlumecky/dirtymoe-5/
Exploit PoC: https://vulncheck.com/xdb/7418f86c4ab
No detection rules found.
Talos
Microsoft Patch Tuesday – July 2015
blogs_talos · 2015-07-14 · CVSS 9.3 · CRITICAL
Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products. This month’s release sees a total of 14 bulletins being released which address 57 CVEs. Four of the bulletins are listed as Critical and address vulnerabilities in Windows Server Hyper-V, VBScript Scripting Engine, Remote Desktop Protocol (RDP) and Internet Explorer. The remaining ten bulletins are marked as Important and address vulnerabilities in SQL Server, Windows DCOM RPC, NETLOGON, Windows Graphic Component, Windows Kernel Mode Driver, Microsoft Office, Windows Installer, Windows, and OLE.
## Bulletins Rated Critical
MS15-065, MS15-066, MS15-067 and MS15-068 are rated Critical.
MS15-065 is this month’s Internet Explorer security bulletin with vuln
Zscaler
Zscaler found Multiple Security Vulnerabilities | 07-21-2015
blogs_zscaler · CVSS 9.3 · CRITICAL
References
- http://www.securitytracker.com/id/1032907
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-076
- https://www.exploit-db.com/exploits/37768/