CVE-2015-2553
Published 2015-10-14
Priority P337 | high | 7.2 CVSS 2.0
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 3.26% (86.8th percentile)
The kernel in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT Gold and 8.1, and Windows 10 mishandles junctions during mountpoint creation, which makes it easier for local users to gain privileges by leveraging certain sandbox access, aka "Windows Mount Point Elevation of Privilege Vulnerability."
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_server_2008 | — | — |
| microsoft | windows_server_2012 | — | — |
No detection rules found.
Exploit-DB
Microsoft Windows - Sandboxed Mount Reparse Point Creation Mitigation Bypass Redux (MS16-008) (1)
exploitdb·2016-01-25·CVSS 7.2
CVE-2016-0007 [HIGH] Microsoft Windows - Sandboxed Mount Reparse Point Creation Mitigation Bypass Redux (MS16-008) (1)
---
Source: https://code.google.com/p/google-security-research/issues/detail?id=573
Windows: Sandboxed Mount Reparse Point Creation Mitigation Bypass Redux
Platform: Windows 10, not tested any other OS
Class: Security Feature Bypass
Summary:
The fix for CVE-2015-2553 can be bypassed to get limited mount reparse points working again for sandbox attacks.
Description:
Not sure if this is the only way but you can bypass the fix (which limited ProcessDeviceMap in a sandbox) by instead abusing shadow object directories. NtCreateObjectDirectoryEx takes an additional parameter of a handle to a shadow directory which works similar to the \?? -> \GLOBAL?? fallback. If you can create a named object d
Exploit-DB
Microsoft Windows - Sandboxed Mount Reparse Point Creation Mitigation Bypass Redux (MS16-008) (2)
exploitdb·2016-01-25·CVSS 7.2
CVE-2016-0007 [HIGH] Microsoft Windows - Sandboxed Mount Reparse Point Creation Mitigation Bypass Redux (MS16-008) (2)
---
Source: https://code.google.com/p/google-security-research/issues/detail?id=589
Windows: Sandboxed Mount Reparse Point Creation Mitigation Bypass Redux 2
Platform: Windows 8.1, not tested any other OS
Class: Security Feature Bypass
Summary:
The fix for CVE-2015-2553 can be bypassed to get limited mount reparse points working again for sandbox attacks by abusing anonymous token impersonation.
Description:
This is another way of bypassing the fix introduced in CVE-2015-2553 to block access to creating mount point reparse points. In this case, instead of using the per-process device map directory, we can use the fact that the anonymous token can support a per-user device map directory. If thi
Exploit-DB
Microsoft Windows 10 - Sandboxed Mount Reparse Point Creation Mitigation Bypass (MS15-111)
exploitdb·2015-10-15
CVE-2015-2553 Microsoft Windows 10 - Sandboxed Mount Reparse Point Creation Mitigation Bypass (MS15-111)
---
Source: https://code.google.com/p/google-security-research/issues/detail?id=486
Windows: Sandboxed Mount Reparse Point Creation Mitigation Bypass
Platform: Windows 10 (build 10240), earlier versions do not have the functionality
Class: Security Feature Bypass
Summary:
A mitigation added to Windows 10 to prevent NTFS Mount Reparse Points being created at integrity levels below medium can be bypassed.
Description:
Windows 10 has added some new mitigations to block the creation or change the behaviour of certain symbolic links when issued by a low integrity/sandboxed process. The presumed aim is to make it harder to abuse these types of tricks to break out of a sandbox.
In earlier builds on W
Talos
Microsoft Patch Tuesday - October 2015
blogs_talos·2015-10-13·CVSS 9.3
[CRITICAL] Microsoft Patch Tuesday - October 2015
Microsoft's Patch Tuesday has arrived. Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products. This month’s release is fairly light with a total of 6 bulletins released addressing 33 vulnerabilities. Half of the bulletins are rated "Critical" and address vulnerabilities in Internet Explorer, JScript/VBScript, and the Windows Shell. The other half of the bulletins are rated "Important" and address vulnerabilities in Edge, Office, and the Windows Kernel.
### Bulletins Rated Critical
MS15-106, MS15-108, and MS15-109 are rated Critical in this month's release.
MS15-106 is this month's Internet Explorer security bulletin for versions 7 through 11. In total, 14 vulnerabilities were addressed with most of them bei
http://packetstormsecurity.com/files/133971/Windows-Sandboxed-Mount-Reparse-Point-Creation-Mitigation-Bypass.html
http://www.securitytracker.com/id/1033805
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-111
https://www.exploit-db.com/exploits/38474/