CVE-2015-6128
published 2015-12-09

Priority: P2 (61), high
CVSS 2.0: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
Exploit: yes (public exploit; see the URL under Detection & IOCs)
EPSS: 81.89% (99.6th percentile)
Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, and Windows 7 SP1 mishandle library loading, which allows local users to gain privileges via a crafted application, aka "Windows Library Loading Remote Code Execution Vulnerability."

Affected (1 range)

Vendor      Product               Version range   Fixed in
microsoft   windows_server_2008   (not given)     (not given)

Detection & IOCs (extracted from sources)

filename: els.dll
filename: elsext.dll
filename: planted.doc
other (CLSID): {394c052e-b830-11d0-9a86-00c04fd8dbf7}
other (CLSID): {975797fc-4e2a-11d0-b702-00c04fd8dbf7}
other (CLSID): {f778c6b4-c08b-11d2-976c-00c04f79db19}
url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38918.zip
  • Monitor for LoadLibraryW calls originating from els.dll (els!DllGetClassObject) loading elsext.dll from the current working directory of winword.exe, indicating a DLL planting attack.
  • Detect OLE objects in Office documents or RTF files referencing CLSIDs {394c052e-b830-11d0-9a86-00c04fd8dbf7}, {975797fc-4e2a-11d0-b702-00c04fd8dbf7}, or {f778c6b4-c08b-11d2-976c-00c04f79db19} as these are abused to trigger els.dll loading.
  • Alert on ole32!OleLoad being invoked on the vulnerable CLSIDs, which triggers the DLL planting chain through CClassCache into els!DllGetClassObject.
  • The DLL planting attack requires the malicious elsext.dll to be placed in the same directory as the crafted document (the current working directory of Word), so the attack surface is limited to scenarios where an attacker can write to that directory.
  • The no-click RTF trigger does not require user interaction beyond opening the document, making it more dangerous than the single-click OLE object variant.