CVE-2015-6132
Published: 2015-12-09
Priority: P2 · 61 · high
CVSS 2.0: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS: 84.70% (99.7th percentile)
Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT Gold and 8.1, and Windows 10 Gold and 1511 mishandle library loading, which allows local users to gain privileges via a crafted application, aka "Windows Library Loading Remote Code Execution Vulnerability."
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_10 | — | — |
| microsoft | windows_server_2008 | — | — |
| microsoft | windows_server_2012 | — | — |
Detection & IOCs
- Detect OLE documents embedding CLSID {ecabafc9-7f19-11d2-978e-0000f8757e2a} (CQueueAdmin / comsvcs.dll). Presence of this CLSID in a Word .doc or RTF file is a strong indicator of CVE-2015-6132 exploitation.
- Monitor for RTF files containing the \oleclsid tag with value ecabafc9-7f19-11d2-978e-0000f8757e2a, which triggers the DLL load without requiring a user click.
- Alert on WINWORD.EXE or other Office processes loading mqrt.dll from the document's working directory (i.e., not from System32/SysWOW64) via kernelbase!LoadLibraryExA. This indicates DLL planting via the comsvcs.dll delay-load.
- Watch for the call chain: ole32!OleLoad → comsvcs!CQueueAdmin::FinalConstruct → comsvcs!_tailMerge_mqrt_dll → KERNELBASE!LoadLibraryExA loading mqrt.dll from a non-system path.
- Flag suspicious .doc files with an OLE object at offset 0x2650 containing the CQueueAdmin CLSID bytes (c9 af ab ec 19 7f d2 11 97 8e 00 00 f8 75 7e 2a in little-endian).
- The exploit was confirmed on Office 2010 on Windows 7 x86 and Office 2013 on Windows 7 x64; other platform combinations were not tested by the researcher.
- Beyond mqrt.dll, comsvcs.dll delay-loads 15 additional DLLs (ADVAPI32.dll, CLBCatQ.DLL, CRYPTSP.dll, dbghelp.dll, ODBC32.dll, etc.) that could also be abused as planting targets via the same CLSID vector.
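The file-content checks in the list above can be combined into one scanner. This is an added example, not code from any of the cited sources; the hex-text check and the 16-byte gap allowed after `\oleclsid` are assumptions about how the CLSID appears inside RTF, and all sample inputs are constructed.

```python
import re
import uuid

# CLSID named on this page: CQueueAdmin, implemented in comsvcs.dll.
CLSID = uuid.UUID("ecabafc9-7f19-11d2-978e-0000f8757e2a")
RAW = CLSID.bytes_le              # c9 af ab ec 19 7f d2 11 97 8e 00 00 f8 75 7e 2a
HEX_TEXT = RAW.hex().encode()     # the same 16 bytes written as hex text
# Assumption: at most 16 bytes (e.g. " \'7b") sit between the tag and the GUID.
RTF_TAG = re.compile(rb"\\oleclsid.{0,16}?" + re.escape(str(CLSID).encode()),
                     re.IGNORECASE | re.DOTALL)


def scan(data: bytes) -> list:
    """Return (indicator, offset) pairs for every CQueueAdmin reference found."""
    hits = [("raw_clsid", m.start()) for m in re.finditer(re.escape(RAW), data)]
    hits += [("rtf_oleclsid", m.start()) for m in RTF_TAG.finditer(data)]
    # RTF stores embedded object bytes as hex text that may wrap across lines,
    # so strip whitespace first; this offset is relative to the stripped text.
    squeezed = re.sub(rb"\s+", b"", data).lower()
    hits += [("hex_clsid", m.start()) for m in re.finditer(HEX_TEXT, squeezed)]
    return hits


# Constructed samples (not real documents).
DOC_SAMPLE = (bytes.fromhex("d0cf11e0a1b11ae1").ljust(0x2650, b"\x00")
              + RAW + bytes(32))
RTF_TAG_SAMPLE = (rb"{\rtf1{\object\objemb{\*\oleclsid "
                  rb"\'7bECABAFC9-7F19-11D2-978E-0000F8757E2A\'7d}}}")
RTF_HEX_SAMPLE = (b"{\\rtf1{\\object{\\*\\objdata 0105c9afabec197f\n"
                  b"d211978e0000f8757e2a00}}}")
BENIGN_SAMPLE = b"{\\rtf1 plain text, CLSID 00020906-0000-0000-c000-000000000046}"

if __name__ == "__main__":
    for name in ("DOC_SAMPLE", "RTF_TAG_SAMPLE", "RTF_HEX_SAMPLE", "BENIGN_SAMPLE"):
        print(name, scan(globals()[name]))
```

A hit only says the document references CQueueAdmin; pair it with the process-side check on where mqrt.dll was loaded from before treating it as confirmed.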
No detection rules found.
Exploit-DB
Microsoft Office / COM Object - DLL Planting with 'comsvcs.dll' Delay Load of 'mqrt.dll' (MS15-132)
exploitdb · 2015-12-14 · CVE-2015-6132
---
Source: https://code.google.com/p/google-security-research/issues/detail?id=556
It is possible for an attacker to execute a DLL planting attack in Microsoft Office 2010 on Windows 7 x86 with a specially crafted OLE object. This attack also works on Office 2013 running on Windows 7 x64. Other platforms were not tested. The attached POC document "planted-mqrt.doc" contains what was originally an embedded Packager object. The CLSID for this object was changed at offset 0x2650 to be {ecabafc9-7f19-11d2-978e-0000f8757e2a} (formatted as pack(">IHHBBBBBBBB")). This object has an InProcServer32 pointing to comsvcs.dll. Specifically the CQueueAdmin object implemented in the dll.
When a user op
Exploit-DB
Microsoft Office - OLE Multiple DLL Side Loading Vulnerabilities (MS15-132/MS16-014/MS16-025/MS16-041/MS16-070) (Metasploit)
exploitdb · 2015-12-08 · CVE-2016-3235
---
require 'zip'
require 'base64'
require 'msf/core'
require 'rex/ole'
class MetasploitModule 'Office OLE Multiple DLL Side Loading Vulnerabilities',
'Description' => %q{
Multiple DLL side loading vulnerabilities were found in various COM components.
These issues can be exploited by loading various these components as an embedded
OLE object. When instantiating a vulnerable object Windows will try to load one
or more DLLs from the current working directory. If an attacker convinces the
victim to open a specially crafted (Office) document from a directory also
containing the attacker's DLL file, it is possible to execute arbitrary code with
the privileges of the ta
Metasploit
Office OLE Multiple DLL Side Loading Vulnerabilities
Multiple DLL side loading vulnerabilities were found in various COM components. These issues can be exploited by loading various these components as an embedded OLE object. When instantiating a vulnerable object Windows will try to load one or more DLLs from the current working directory. If an attacker convinces the victim to open a specially crafted (Office) document from a directory also containing the attacker's DLL file, it is possible to execute arbitrary code with the privileges of the target user. This can potentially result in the attacker taking complete control of the affected system.
Talos
[MEDIUM] Microsoft Patch Tuesday - December 2015
blogs_talos · 2015-12-08 · CVSS 5.0
Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products. This month’s release sees a total of 12 bulletins released which address 71 vulnerabilities. Eight bulletins are rated "Critical" this month and address vulnerabilities in Graphics Component, Edge, Internet Explorer, Office, Silverlight, Uniscribe, and VBScript. The other four bulletins are rated "Important" and address vulnerabilities in Kernel Mode Drivers, Media Center, Windows, and Windows PGM.
### Bulletins Rated Critical
MS15-124, MS15-125, MS15-126, MS15-127, MS15-128, MS15-129, MS15-130, and MS15-131 are rated as Critical.
MS15-124 and MS15-125 are this month's Edge and Internet Explorer security bulletin respectively. In total, 34 vulnerabilit
- http://www.securitytracker.com/id/1034338
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-132
- https://www.exploit-db.com/exploits/38968/