CVE-2016-0051
Published: 2016-02-10
Priority: P2 · CVSS 3.0: 7.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
ITW exploit · VulnCheck KEV · Exploited in the wild
EPSS: 23.38% (97.5th percentile)
The WebDAV client in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 allows local users to gain privileges via a crafted application, aka "WebDAV Elevation of Privilege Vulnerability."
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_10 | — | — |
| microsoft | windows_server_2008 | — | — |
| microsoft | windows_server_2012 | — | — |
Detection & IOCs (extracted from sources)
- Exploit targets mrxdav.sys (WebDAV kernel driver) on Windows 7 SP1 x86 only; 64-bit and WOW64 processes are explicitly unsupported and will fail.
- Exploit spawns notepad.exe as a host process for reflective DLL injection; monitor for notepad.exe spawning from unusual parent processes or loading unexpected DLLs.
- Exploit uses reflective DLL injection of cve-2016-0051.x86.dll into a spawned process; detect reflective DLL injection patterns or the specific DLL name on disk.
- Exploit creates a fake WebDAV server on a random high port (1024–65535) on loopback and uses WNetAddConnection2 to connect to \\127.0.0.1@<port>\folder\; monitor for WebDAV connections to loopback addresses.
- Exploit calls NtFsControlFile with FSCTL code 0x900DB against a WebDAV file handle; this specific FSCTL code is the trigger for the privilege escalation vulnerability.
- Exploit allocates memory at fixed low address 0x1000 using NtAllocateVirtualMemory (NULL-page style allocation); detect low virtual address allocations in user-mode processes.
- Whitefly threat actor (G0107) used an open-source tool exploiting CVE-2016-0051 for privilege escalation on unpatched Windows systems in targeted espionage campaigns.
- Successful exploitation results in NT AUTHORITY\SYSTEM; monitor for unexpected SYSTEM-level process creation (e.g., cmd.exe spawned as SYSTEM from a non-SYSTEM parent).
- Metasploit module only supports Windows 7 SP1 x86; explicitly fails against 64-bit and WOW64 targets.
- Exploit requires an existing Meterpreter session (local privilege escalation only, not remote code execution).
- PoC C# exploit requires shellcode.dll to be present alongside the executable on the target machine.
- Running the exploit from a shell (non-RDP) session causes the privileged shell to spawn in a new GUI window, not in the current session.
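The detection bullets above describe three observable behaviours of the public exploits: notepad.exe started by an unexpected parent, a WebDAV connection to a loopback share with an explicit port, and a SYSTEM process whose parent runs as an ordinary user. The following is an added example, not code from this page or from any of the referenced exploits, showing how those indicators can be checked over endpoint telemetry and correlated per process. The event fields (`image`, `parent_image`, `user`, `parent_user`, `remote_path`), the allowlist of expected notepad.exe parents, and the sample events are constructed assumptions an analyst would adapt to their own EDR schema.

```python
import re
from dataclasses import dataclass

# Constructed event schema; real EDR/Sysmon fields will differ.
@dataclass
class ProcessEvent:
    image: str          # executable name, e.g. "notepad.exe"
    parent_image: str   # executable name of the parent
    user: str           # account the process runs as
    parent_user: str    # account the parent runs as
    pid: int

@dataclass
class NetConnectEvent:
    pid: int
    image: str
    remote_path: str    # UNC path handed to WNetAddConnection2 (assumed field)

SYSTEM = "NT AUTHORITY\\SYSTEM"

# Assumption: on a workstation notepad.exe is normally launched by the shell.
# Tune this allowlist to the environment before deploying the rule.
EXPECTED_NOTEPAD_PARENTS = {"explorer.exe"}

# Matches \\127.0.0.1@<port>\... or \\localhost@<port>\..., the loopback
# WebDAV share form named in the IOC list above.
LOOPBACK_WEBDAV = re.compile(r"^\\\\(127\.0\.0\.1|localhost)@\d{1,5}\\", re.IGNORECASE)


def check_process(ev: ProcessEvent):
    """Return (rule_name, pid) hits for a single process-creation event."""
    hits = []
    if ev.image.lower() == "notepad.exe" and ev.parent_image.lower() not in EXPECTED_NOTEPAD_PARENTS:
        hits.append(("notepad_unusual_parent", ev.pid))
    # Privilege jump: child is SYSTEM but the parent was not.
    if ev.user.upper() == SYSTEM.upper() and ev.parent_user.upper() != SYSTEM.upper():
        hits.append(("system_child_of_non_system_parent", ev.pid))
    return hits


def check_netconnect(ev: NetConnectEvent):
    """Return (rule_name, pid) hits for a single network-share connection."""
    if LOOKBACK := LOOPBACK_WEBDAV.match(ev.remote_path):
        return [("loopback_webdav_connect", ev.pid)]
    return []


def scan(process_events, net_events):
    """Aggregate rule hits per pid so related indicators can be correlated."""
    alerts = {}
    for ev in process_events:
        for name, pid in check_process(ev):
            alerts.setdefault(pid, set()).add(name)
    for ev in net_events:
        for name, pid in check_netconnect(ev):
            alerts.setdefault(pid, set()).add(name)
    return alerts


def high_confidence(alerts):
    """Pids where the host process AND the loopback WebDAV connection both fired."""
    required = {"notepad_unusual_parent", "loopback_webdav_connect"}
    return sorted(pid for pid, names in alerts.items() if required <= names)


# Constructed sample telemetry: one benign notepad, one suspicious notepad that
# also mounts a loopback WebDAV share, one SYSTEM cmd.exe with a user-level parent.
SAMPLE_PROCESS_EVENTS = [
    ProcessEvent("notepad.exe", "explorer.exe", "CORP\\alice", "CORP\\alice", 1001),
    ProcessEvent("notepad.exe", "update_tool.exe", "CORP\\alice", "CORP\\alice", 1002),
    ProcessEvent("cmd.exe", "notepad.exe", SYSTEM, "CORP\\alice", 1003),
    ProcessEvent("svchost.exe", "services.exe", SYSTEM, SYSTEM, 1004),
]
SAMPLE_NET_EVENTS = [
    NetConnectEvent(1002, "notepad.exe", "\\\\127.0.0.1@49152\\folder\\"),
    NetConnectEvent(1005, "explorer.exe", "\\\\fileserver\\share\\"),
]

if __name__ == "__main__":
    result = scan(SAMPLE_PROCESS_EVENTS, SAMPLE_NET_EVENTS)
    for pid, names in sorted(result.items()):
        print(pid, sorted(names))
    print("high confidence:", high_confidence(result))
```

Each rule on its own produces noise (developers launch notepad.exe from terminals, service managers create SYSTEM children), which is why `scan` keys hits by pid and `high_confidence` only escalates when the unusual host process and the loopback WebDAV mount coincide.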
CVSS provenance
- nvd v3.0: 7.8 HIGH · CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- nvd v2.0: 7.2 HIGH · AV:L/AC:L/Au:N/C:C/I:C/A:C
- vulncheck: 7.8 HIGH
GHSA
GHSA-2g29-x8pf-59pq · ghsa_unreviewed · 2022-05-14 · CVE-2016-0051 [HIGH]
Description: identical to the NVD text above.
VulnCheck
WebDAV Elevation of Privilege Vulnerability · vulncheck · 2016 · CVSS 7.8 [HIGH]
Description: identical to the NVD text above.
Affected: Microsoft Windows
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.symantec.com/blogs/threat-intelligence/whitefly-espionage-singapore; https://go.group-ib.com/hubfs/report/protected/group-ib-opera1er-full-threat-research-2022-en.pdf
Exploit PoC: https://vulncheck.com/xdb/0661e358e96a; ht
No detection rules found.
Exploit-DB
Microsoft Windows 7 SP1 - 'mrxdav.sys' WebDAV Privilege Escalation (MS16-016) (Metasploit) · exploitdb · 2016-07-11 · CVE-2016-0051
---
```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'msf/core/post/windows/reflective_dll_injection'
require 'rex'

class MetasploitModule < Msf::Exploit::Local
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'MS16-016 mrxdav.sys WebDav Local Privilege Escalation',
      'Description' => %q{
        This module exploits the vulnerability in mrxdav.sys described by MS16-016. The module will spawn
        a process on the target system and elevate its privileges to NT AUTHORITY\SYSTEM before executing
        the specified payload within the context of the elevated process.
      },
      'License'     => MSF_LICENSE,
      'Author'      =>
        [
          'Tamas Koczka', # Original Exploit
          'William Webb ' # C port and Met
```
Exploit-DB
Microsoft Windows 7 - 'WebDAV' Local Privilege Escalation (MS16-016) (2) · exploitdb · 2016-05-09 · CVSS 7.8 · CVE-2016-0051 [HIGH]
---
# Exploit Title: WebDAV Elevation of Privilege Vulnerability (MS16)-2
# Date: 8/5/2016
# Exploit Author: hex0r
# Version: WebDAV on Windows 7 84x
# CVE : CVE-2016-0051
Intro:
Credits go to koczkatama for coding a PoC; however, if you run this exploit
from a shell connection, not a remote desktop, the result will be getting the
privileged shell in a new GUI window.
Again, thanks to
https://github.com/koczkatamas/CVE-2016-0051
https://www.exploit-db.com/exploits/39432/
PoC:
Download the source code (C#); there will be a compiled version as well.
Copy the dll file and the executable to the target machine and run it to get
SYSTEM.
Proof of Concept:
https://github.com/hexx0r/CVE-2016-0051
https://gitlab.com/exploit-da
Exploit-DB
Microsoft Windows 7 SP1 (x86) - 'WebDAV' Local Privilege Escalation (MS16-016) (1) · exploitdb · 2016-02-10 · CVSS 7.8 · CVE-2016-0051 [HIGH]
---
```csharp
/*
source: https://github.com/koczkatamas/CVE-2016-0051
Proof-of-concept BSoD (Blue Screen of Death) code for CVE-2016-0051 (MS-016).
Full Proof of Concept:
- https://github.com/koczkatamas/CVE-2016-0051/archive/master.zip
- https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39432-1.zip
Elevation of Privilege (SYSTEM) exploit for CVE-2016-0051 (MS16-016) for Windows 7 SP1 x86 (build 7601)
Creator: Tamás Koczka (@koczkatamas - https://twitter.com/koczkatamas)
Original source: https://github.com/koczkatamas/CVE-2016-0051
*/
using System;
using System.Diagnostics;
using System.IO;
using System.Linq;
using System.Net;
using System.Net.Sockets;
using System.Runtime.Interop
```
Metasploit
MS16-016 mrxdav.sys WebDav Local Privilege Escalation · metasploit
This module exploits the vulnerability in mrxdav.sys described by MS16-016. The module will spawn a process on the target system and elevate its privileges to NT AUTHORITY\SYSTEM before executing the specified payload within the context of the elevated process.
DFIR Report
Inside the Open Directory of the “You Dun” Threat Group · blogs_dfir_report · 2024-10-28
Talos
Vulnerability Spotlight: OpenOffice Impress MetaActions Arbitrary Read Write Vulnerability · blogs_talos · 2016-07-21 · CVSS 7.8 · CVE-2016-1513 [HIGH]
## Vulnerability Spotlight: OpenOffice Impress MetaActions Arbitrary Read Write Vulnerability
This vulnerability was discovered by Richard Johnson and Yves Younan of Cisco Talos.
Talos is releasing an advisory for a vulnerability in OpenOffice Impress (TALOS-2016-0051 / CVE-2016-1513). Talos has discovered an exploitable out-of-bounds vulnerability which exists in OpenOffice when handling MetaActions. A specially crafted OpenDocument Presentation .ODP or Presentation Template .OTP file can cause an out-of-bounds read/write resulting in denial-of-service (memory corruption and application crash) and possible execution of arbitrary code.
## Overview
OpenOffice is an open-source office software suite for word processing, spreadsheets, presentations, graphics, databases and other office f
Talos
Microsoft Patch Tuesday - February 2016 · blogs_talos · 2016-02-09 · CVSS 7.8 [HIGH]
## Microsoft Patch Tuesday - February 2016
Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products. This month’s release contains twelve bulletins addressing 37 vulnerabilities. Five bulletins are rated critical and address vulnerabilities in Internet Explorer, Edge, Windows Journal, Office and Windows PDF. The remaining seven bulletins are rated important and address vulnerabilities in the Network Policy Server (NPS), Active Directory, Windows, Remote Desktop Protocol, WebDAV, Kernel Mode Driver and the .NET Framework.
## Bulletins Rated Critical
Microsoft bulletins MS16-009, MS16-011 through MS16-013, and MS16-015 are rated as critical in this month's release.
MS16-009 and MS16-011 are this month's Internet Explorer and Edge security bulletin resp
Zscaler
Zscaler found Multiple Security Vulnerabilities | 02-09-2016 · blogs_zscaler · CVSS 8.8 [HIGH]
Threat Intel
Whitefly · threat_intel · CVSS 7.8 [HIGH]
# Threat Actor Profile: Whitefly
ATT&CK ID: G0107
Also known as: Whitefly
## Overview
Whitefly is a cyber espionage group that has been operating since at least 2017. The group has targeted organizations based mostly in Singapore across a wide variety of sectors, and is primarily interested in stealing large amounts of sensitive information. The group has been linked to an attack against Singapore’s largest public health organization, SingHealth.(Citation: Symantec Whitefly March 2019)
## Techniques (TTPs)
### Resource Development
- T1588.002 Tool
Usage: Whitefly has obtained and used tools such as Mimikatz.(Citation: Symantec Whitefly March 2019)
### Execution
- T1059 Command and Scripting Interpreter
Usage: Whitefly has used a simple remote shell tool that will call back to the C2 se
References
- http://www.securitytracker.com/id/1034980
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-016
- https://www.exploit-db.com/exploits/39432/
- https://www.exploit-db.com/exploits/39788/
- https://www.exploit-db.com/exploits/40085/