CVE-2015-6128
published 2015-12-09CVE-2015-6128: Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, and Windows 7 SP1 mishandle library loading, which allows local users to gain privileges via a…
PriorityP261high7.2CVSS 2.0
AVLACLAuNCCICAC
EXPLOIT
EPSS
81.89%
99.6th percentile
Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, and Windows 7 SP1 mishandle library loading, which allows local users to gain privileges via a crafted application, aka "Windows Library Loading Remote Code Execution Vulnerability."
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_server_2008 | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Monitor for LoadLibraryW calls originating from els.dll (els!DllGetClassObject) loading elsext.dll from the current working directory of winword.exe, indicating a DLL planting attack. ↗
- →Detect OLE objects in Office documents or RTF files referencing CLSIDs {394c052e-b830-11d0-9a86-00c04fd8dbf7}, {975797fc-4e2a-11d0-b702-00c04fd8dbf7}, or {f778c6b4-c08b-11d2-976c-00c04f79db19} as these are abused to trigger els.dll loading. ↗
- →Alert on ole32!OleLoad being invoked on the vulnerable CLSIDs, which triggers the DLL planting chain through CClassCache into els!DllGetClassObject. ↗
- ·The DLL planting attack requires the malicious elsext.dll to be placed in the same directory as the crafted document (current working directory of Word), so the attack surface is limited to scenarios where an attacker can write to that directory. ↗
- ·The no-click RTF trigger does not require user interaction beyond opening the document, making it more dangerous than the single-click OLE object variant. ↗
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
Exploit-DB
Microsoft Office / COM Object - 'els.dll' DLL Planting (MS15-134)
exploitdb·2015-12-09
CVE-2015-6128 Microsoft Office / COM Object - 'els.dll' DLL Planting (MS15-134)
Microsoft Office / COM Object - 'els.dll' DLL Planting (MS15-134)
---
Source: https://code.google.com/p/google-security-research/issues/detail?id=514
It is possible for an attacker to execute a DLL planting attack in Microsoft Office with a specially crafted OLE object. Testing was performed on a Windows 7 x64 virtual machine with Office 2013 installed and the latest updates applied. The attached POC document "planted.doc" contains what was originally an embedded Packager object. The CLSID for this object was changed at offset 0x2650 to be {394c052e-b830-11d0-9a86-00c04fd8dbf7} (formatted as pack(">IHHBBBBBBBB")) which is one of several registered objects that have an InProcServer32 of els.dll. Other options include: {975797fc-4e2a-11d0-b702-00c04fd8dbf7} and {f778c6b4-c08b-11d2-976c-00
Exploit-DB
Microsoft Office - OLE Multiple DLL Side Loading Vulnerabilities (MS15-132/MS16-014/MS16-025/MS16-041/MS16-070) (Metasploit)
exploitdb·2015-12-08
CVE-2016-3235 Microsoft Office - OLE Multiple DLL Side Loading Vulnerabilities (MS15-132/MS16-014/MS16-025/MS16-041/MS16-070) (Metasploit)
Microsoft Office - OLE Multiple DLL Side Loading Vulnerabilities (MS15-132/MS16-014/MS16-025/MS16-041/MS16-070) (Metasploit)
---
require 'zip'
require 'base64'
require 'msf/core'
require 'rex/ole'
class MetasploitModule 'Office OLE Multiple DLL Side Loading Vulnerabilities',
'Description' => %q{
Multiple DLL side loading vulnerabilities were found in various COM components.
These issues can be exploited by loading various these components as an embedded
OLE object. When instantiating a vulnerable object Windows will try to load one
or more DLLs from the current working directory. If an attacker convinces the
victim to open a specially crafted (Office) document from a directory also
containing the attacker's DLL file, it is possible to execute arbitrary code with
the privileges of the ta
Metasploit
Office OLE Multiple DLL Side Loading Vulnerabilities
metasploit
Office OLE Multiple DLL Side Loading Vulnerabilities
Office OLE Multiple DLL Side Loading Vulnerabilities
Multiple DLL side loading vulnerabilities were found in various COM components. These issues can be exploited by loading various these components as an embedded OLE object. When instantiating a vulnerable object Windows will try to load one or more DLLs from the current working directory. If an attacker convinces the victim to open a specially crafted (Office) document from a directory also containing the attacker's DLL file, it is possible to execute arbitrary code with the privileges of the target user. This can potentially result in the attacker taking complete control of the affected system.
Talos
Microsoft Patch Tuesday - December 2015
blogs_talos·2015-12-08·CVSS 5.0
[MEDIUM] Microsoft Patch Tuesday - December 2015
Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products. This month’s release sees a total of 12 bulletins released which address 71 vulnerabilities. Eight bulletins are rated "Critical" this month and address vulnerabilities in Graphics Component, Edge, Internet Explorer, Office, Silverlight, Uniscribe, and VBScript. The other four bulletins are rated "Important" and address vulnerabilities in Kernel Mode Drivers, Media Center, Windows, and Windows PGM.
### Bulletins Rated Critical MS15-124, MS15-125, MS15-126, MS15-127, MS15-128, MS15-129, MS15-130, and MS15-131 are rated as Critical.
MS15-124 and MS15-125 are this month's Edge and Internet Explorer security bulletin respectively. In total, 34 vulnerabilit
Talos
Microsoft Patch Tuesday - December 2015
blogs_talos·2015-12-08·CVSS 5.0
[MEDIUM] Microsoft Patch Tuesday - December 2015
## Microsoft Patch Tuesday - December 2015
Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products. This month’s release sees a total of 12 bulletins released which address 71 vulnerabilities. Eight bulletins are rated "Critical" this month and address vulnerabilities in Graphics Component, Edge, Internet Explorer, Office, Silverlight, Uniscribe, and VBScript. The other four bulletins are rated "Important" and address vulnerabilities in Kernel Mode Drivers, Media Center, Windows, and Windows PGM.
## Bulletins Rated Critical MS15-124, MS15-125, MS15-126, MS15-127, MS15-128, MS15-129, MS15-130, and MS15-131 are rated as Critical.
MS15-124 and MS15-125 are this month's Edge and Internet Explorer security bulle
http://www.securityfocus.com/bid/78612http://www.securitytracker.com/id/1034338https://docs.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-132https://www.exploit-db.com/exploits/38918/http://www.securityfocus.com/bid/78612http://www.securitytracker.com/id/1034338https://docs.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-132https://www.exploit-db.com/exploits/38918/
2015-12-09
Published