cbcvebase.
CVE-2016-0016
published 2016-01-13

CVE-2016-0016: Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT Gold and…

PriorityP260high7.8CVSS 3.0
AVLACLPRLUINSUCHIHAH
EXPLOIT
EPSS
31.09%
98.0th percentile
Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT Gold and 8.1, and Windows 10 Gold and 1511 mishandle DLL loading, which allows local users to gain privileges via a crafted application, aka "DLL Loading Remote Code Execution Vulnerability."

Affected

14 ranges
VendorProductVersion rangeFixed in
microsoftwindows_10
microsoftwindows_server_2008
microsoftwindows_server_2012
msrcwindows_10
msrcwindows_10_version_1511
msrcwindows_7
msrcwindows_8.1
msrcwindows_rt_8.1
msrcwindows_server_2008
msrcwindows_server_2008_r2
msrcwindows_server_2012
msrcwindows_server_2012_r2
msrcwindows_vista_service_pack_2
msrcwindows_vista_x64_edition_service_pack_2

Detection & IOCsextracted from sources · hover to see the quote

filenameWMALFXGFXDSP.dll
filenamemfplat.dll
filenameplanted-mfplat.doc
other{62dc1a93-ae24-464c-a43e-452f824c4250}
other{637c490d-eee3-4c0a-973f-371958802da2}
other{874131cb-4ecc-443b-8948-746b89595d20}
other{96749377-3391-11D2-9EE3-00C04F797396}
urlhttps://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39233.zip
  • Monitor for LoadLibraryW calls originating from WMALFXGFXDSP!DllGetClassObject loading 'mfplat' from the current working directory (CWD) of Microsoft Word, indicating DLL planting via a malicious OLE/RTF document.
  • Alert on ole32!OleLoad being invoked for CLSIDs {62dc1a93-ae24-464c-a43e-452f824c4250}, {637c490d-eee3-4c0a-973f-371958802da2}, {874131cb-4ecc-443b-8948-746b89595d20}, or {96749377-3391-11D2-9EE3-00C04F797396}, all of which have InProcServer32 pointing to WMALFXGFXDSP.dll.
  • Detect mfplat.dll being loaded from the same directory as a Word document (CWD) rather than from System32, as this indicates a successful DLL planting attack via this vulnerability.
  • ·The exploit requires the malicious DLL (mfplat.dll) to be placed in the same directory as the crafted document; the attack vector is local/network share delivery of both the document and the planted DLL together.
  • ·The RTF-based trigger requires no user interaction beyond opening the document (no click needed), making it more dangerous than the OLE packager variant which requires a single click on the embedded icon.

CVSS provenance

nvdv3.07.8HIGHCVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv2.07.2HIGHAV:L/AC:L/Au:N/C:C/I:C/A:C
vendor_msrc7.8HIGH
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.