CVE-2016-0099
Published 2016-03-09
Priority: P1 (85) · high · CVSS 3.1: 7.8
Flags: KEV · ITW · Exploit · Ransomware
CISA Known Exploited Vulnerability, remediation due 2022-03-24
Exploited in the wild
EPSS: 37.16% (98.3th percentile)
The Secondary Logon Service in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 does not properly process request handles, which allows local users to gain privileges via a crafted application, aka "Secondary Logon Elevation of Privilege Vulnerability."
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_server_2008 | — | — |
| microsoft | windows_server_2012 | — | — |
Detection & IOCs (extracted from sources)
- Detect exploitation attempts by monitoring for PowerShell processes launched with '-exec Bypass -nonI -window Hidden' flags, which is the exact command string used by the Metasploit MS16-032 module for CVE-2016-0099.
- Monitor for the exploit PowerShell script file 'cve_2016_0099.ps1' being written to or executed from disk, as dropped by the Metasploit module.
- Alert on calls to NtImpersonateThread combined with CreateProcessWithLogonW using LOGON_NETCREDENTIALS_ONLY (0x00000002) and CREATE_SUSPENDED (0x00000004) flags; this is the core exploit primitive for CVE-2016-0099.
- Monitor for DuplicateHandle calls targeting handle value 0x4 (the thread handle leaked from the Secondary Logon service svchost process), which is the specific handle value exploited in CVE-2016-0099 PoCs.
- Detect exploitation in the context of Trigona ransomware attacks: look for indicators of compromise on MSSQL servers exposed to the internet with weak passwords, as attackers use CVE-2016-0099 to escalate privileges after initial access.
- The exploit requires at least 2 CPU logical cores to succeed (race condition); alert on exploit tool output or logs referencing this check as a sign of active exploitation attempts.
- Monitor for SetThreadToken API calls in a tight loop (token race) against a suspended process spawned by CreateProcessWithLogonW; this is the privilege escalation race condition pattern for CVE-2016-0099.
- The Metasploit module sets a default WfsDelay of 30 seconds and a TIMEOUT of 60 seconds before cleaning up the dropped PowerShell payload; detection windows must account for this short-lived artifact on disk.
- The exploit only works on systems with PowerShell 2.0 or later AND two or more CPU cores; scanning for vulnerable assets should filter on these criteria to reduce false positives.
- The C PoC must match OS bitness (32-bit vs 64-bit) and must be compiled with 'Any CPU' support (not 32-bit preferred); mismatched builds will fail silently.
- The exploit does not work from Low Integrity Level (Low IL); it requires at minimum Medium IL to succeed.
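As an added example (not part of this record or of any of the quoted sources), the following Python scans constructed process-creation and file-creation log lines for the two host artifacts named in the notes above: the Metasploit module's PowerShell flag string and the dropped cve_2016_0099.ps1 file name. The pipe-separated key=value log layout and the EventID numbering are assumptions; adapt the parser to the real telemetry format.

```python
import re

# Rule patterns taken from the detection notes above: the exact PowerShell
# flag string used by the Metasploit MS16-032 module, and the name of the
# script it drops. Whitespace-tolerant and case-insensitive so trivial
# respacing or recasing of the same command still matches.
MSF_FLAGS = re.compile(r"-exec\s+bypass\s+-noni\s+-window\s+hidden", re.IGNORECASE)
DROPPED_SCRIPT = re.compile(r"cve_2016_0099\.ps1", re.IGNORECASE)
POWERSHELL = re.compile(r"\bpowershell(?:\.exe)?\b", re.IGNORECASE)

# Constructed sample events in a pipe-separated key=value layout (an assumed
# format, not any product's real output). EventID 1 = process creation,
# EventID 11 = file creation, mirroring Sysmon's numbering.
SAMPLE_LOGS = [
    "EventID=1|User=CORP\\jdoe|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell.exe -exec Bypass -nonI -window Hidden -File C:\\Users\\jdoe\\AppData\\Local\\Temp\\cve_2016_0099.ps1",
    "EventID=1|User=CORP\\admin|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell.exe -NoProfile -Command Get-Service",
    "EventID=11|User=CORP\\jdoe|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|TargetFilename=C:\\Users\\jdoe\\AppData\\Local\\Temp\\cve_2016_0099.ps1",
    "EventID=1|User=CORP\\jdoe|Image=C:\\Windows\\System32\\cmd.exe|CommandLine=cmd.exe /c whoami",
]


def parse(line):
    """Split one pipe-separated key=value line into a dict."""
    return dict(field.split("=", 1) for field in line.split("|") if "=" in field)


def classify(event):
    """Return the names of the rules that fire on one parsed event."""
    hits = []
    cmd = event.get("CommandLine", "")
    if POWERSHELL.search(cmd) and MSF_FLAGS.search(cmd):
        hits.append("ms16-032-metasploit-powershell-flags")
    if DROPPED_SCRIPT.search(cmd) or DROPPED_SCRIPT.search(event.get("TargetFilename", "")):
        hits.append("cve-2016-0099-exploit-script-artifact")
    return hits


def scan(lines):
    """Return (EventID, User, rules) for every line on which at least one rule fires."""
    findings = []
    for line in lines:
        event = parse(line)
        rules = classify(event)
        if rules:
            findings.append((event.get("EventID"), event.get("User"), rules))
    return findings


if __name__ == "__main__":
    for event_id, user, rules in scan(SAMPLE_LOGS):
        print(f"EventID {event_id} user {user}: {', '.join(rules)}")
```

Because the module removes the dropped script after its TIMEOUT, the file-creation event (EventID 11 here) is often the only durable trace; keep both rules rather than relying on a later file scan.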
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | — | 7.8 | HIGH | — |
| cisa | — | 7.8 | HIGH | — |
VulDB
Microsoft Windows Vista SP2 up to Server 2012 R2 Secondary Login CreateProcessWithToken/CreateProcessWithLogon access control (MS16-032 / EDB-39574)
vuldb · 2026-04-23 · CVSS 7.8 · HIGH
A vulnerability was found in Microsoft Windows Vista SP2 up to Server 2012 R2 and rated as problematic. It affects the functions CreateProcessWithToken/CreateProcessWithLogon of the Secondary Login component; manipulating them leads to improper access control.
This vulnerability is tracked as CVE-2016-0099. The attack is restricted to local execution. Moreover, an exploit is present.
Applying a patch is the recommended action to fix this issue.
GHSA
GHSA-fq5j-826m-h5wc: The Secondary Logon Service in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8
ghsa_unreviewed · 2022-05-14 · HIGH · CWE-120
VulnCheck
Microsoft Windows Secondary Logon Service Privilege Escalation Vulnerability
vulncheck · 2016 · CVSS 7.8 · HIGH · CWE-264
A privilege escalation vulnerability exists in Microsoft Windows if the Windows Secondary Logon Service fails to properly manage request handles in memory. An attacker who successfully exploited this vulnerability could run arbitrary code as an administrator.
Affected: Microsoft Windows
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.cyber.gov.au/sites/default/files/2023-03/report_manic_menagerie.pdf; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://go.group-ib.com/hubfs/report/protected/group-ib-opera1er-full-threat-research-2022-en.pdf; https://content.kaspersky-labs.com/fm/site-edit
CISA
Microsoft Windows Secondary Logon Service Privilege Escalation Vulnerability
cisa · 2022-03-03 · CVSS 7.8 · HIGH · CWE-264
Affected: Microsoft Windows
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2016-0099
Remediation Due Date: 2022-03-24
No detection rules found.
Exploit-DB
Microsoft Windows 7 < 10 / 2008 < 2012 (x86/x64) - Secondary Logon Handle Privilege Escalation (MS16-032) (Metasploit)
exploitdb · 2016-07-13
Module metadata excerpt:
```ruby
'Name' => 'MS16-032 Secondary Logon Handle Privilege Escalation',
'Description' => %q{
  This module exploits the lack of sanitization of standard handles in Windows' Secondary
  Logon Service. The vulnerability is known to affect versions of Windows 7-10 and 2k8-2k12
  32 and 64 bit. This module will only work against those versions of Windows with
  Powershell 2.0 or later and systems with two or more CPU cores.
},
'License' => BSD_LICENSE,
'Author' =>
  [
    'James Forshaw', # twitter.com/tiraniddo
    'b33f', # @FuzzySec, http://www.fuzzysecurity.com'
    'khr0x40sh'
  ],
'References' =>
  [
    [ 'MS', 'MS16-032'],
    [ 'CVE', '2016-0099'],
    [ 'URL', 'https://twitter.com/FuzzySec/status/723254004042612736' ],
    [ 'URL', 'https://googleprojectzero.blogspot.co.uk/2016/03/exploiting-leaked-thread-handle.html']
  ]
```
Exploit-DB
Microsoft Windows 7 < 10 / 2008 < 2012 (x86/x64) - Local Privilege Escalation (MS16-032)
exploitdb · 2016-04-25
Exploit header excerpt:
```text
# Exploit Title: Microsoft Windows 7-10 & Server 2008-2012 - Local Privilege Escalation (x32/x64) (MS16-032) (C#)
# Date: 2016-04-25
# Author: @fdiskyou
# e-mail: rui at deniable.org
# Original exploit: https://www.exploit-db.com/exploits/39719/
# All credits go to @FuzzySec
# C# version with @FuzzySec powershell code which does not rely on powershell.exe. Instead it runs from a powershell runspace environment (.NET). Helpful in security restricted environments with GPO, SRP, App Locker.
# To compile MS16-032 you need to import this project within Microsoft Visual Studio or if you don't have access to a Visual Studio installation, you can compile with csc.exe.
# It uses the System.Management.Auto
```
Exploit-DB
Microsoft Windows 7 < 10 / 2008 < 2012 R2 (x86/x64) - Local Privilege Escalation (MS16-032) (PowerShell)
exploitdb · 2016-04-21
Script excerpt (comment-based help followed by the start of the Add-Type definition):
```powershell
https://googleprojectzero.blogspot.co.uk/2016/03/exploiting-leaked-thread-handle.html
.DESCRIPTION
Author: Ruben Boonen (@FuzzySec)
Blog: http://www.fuzzysecurity.com/
License: BSD 3-Clause
Required Dependencies: PowerShell v2+
Optional Dependencies: None
.EXAMPLE
C:\PS> Invoke-MS16-032
#>
Add-Type -TypeDefinition @"
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Security.Principal;
[StructLayout(LayoutKind.Sequential)]
public struct PROCESS_INFORMATION
{
    public IntPtr hProcess;
    public IntPtr hThread;
    public int dwProcessId;
    public int dwThreadId;
}
[StructLayout(LayoutKind.Sequential, CharSet=CharSet.Unicode)]
public struct STARTUPINFO
{
    public Int32 cb;
    public string lpReserved;
    public string lpDesktop;
    public string lpT
```
Exploit-DB
Microsoft Windows 8.1/10 (x86) - Secondary Logon Standard Handles Missing Sanitization Privilege Escalation (MS16-032)
exploitdb · 2016-03-21
PoC header excerpt:
```c
/*
Sources:
https://bugs.chromium.org/p/project-zero/issues/detail?id=687
https://googleprojectzero.blogspot.ca/2016/03/exploiting-leaked-thread-handle.html
Windows: Secondary Logon Standard Handles Missing Sanitization EoP
Platform: Windows 8.1, Windows 10, not testing on Windows 7
Class: Elevation of Privilege
Summary:
The SecLogon service does not sanitize standard handles when creating a new process leading to duplicating a system service thread pool handle into a user accessible process. This can be used to elevate privileges to Local System.
Description:
The APIs CreateProcessWithToken and CreateProcessWithLogon are exposed to user applications, however the
```
Metasploit
MS16-032 Secondary Logon Handle Privilege Escalation
metasploit
This module exploits the lack of sanitization of standard handles in Windows' Secondary Logon Service. The vulnerability is known to affect versions of Windows 7-10 and 2k8-2k12 32 and 64 bit. This module will only work against those versions of Windows with Powershell 2.0 or later and systems with two or more CPU cores.
Wiz
Crying Out Cloud - April Newsletter | Wiz
blogs_wiz · 2023-05-01 · CVSS 7.8 · HIGH
Cloud security is constantly evolving, and the Wiz Research team is dedicated to keeping you informed. The past month has seen significant vulnerabilities discovered, and there have been a few security incidents affecting cloud users.
We've compiled a shortlist of the most relevant developments. Here are our top picks!
## ✨ Highlights
## BrokenSesame: Accidental 'write' permissions to private registry allowed potential RCE to Alibaba Cloud Database Services
Wiz Research has discovered a chain of critical vulnerabilities in two of Alibaba Cloud's popular services, ApsaraDB RDS for PostgreSQL and AnalyticDB for PostgreSQL. Dubbed "BrokenSesame", the vulnerabilities allowed unauthorized cross-tenant access to other customers' PostgreSQL databases and the ability to perform a supply-chai
Talos
China Chopper still active 9 years later
blogs_talos · 2019-08-27
By Paul Rascagneres and Vanja Svajcer.
### Introduction
Threats will commonly fade away over time as they're discovered, reported on, and detected. But China Chopper has found a way to stay relevant, active and effective nine years after its initial discovery. China Chopper is a web shell that allows attackers to retain access to an infected system using a client-side application which contains all the logic required to control the target. Several threat groups have used China Chopper, and over the past two years we've seen several different campaigns utilizing this web shell; we chose to document the three most active campaigns in this blog post.
We decided to take a closer look at China Chopper after security firm Cybereason reported on a massive attack against telecommunications provide
Talos
Microsoft Patch Tuesday - March 2016
blogs_talos · 2016-03-08 · CVSS 6.5 · MEDIUM
## Microsoft Patch Tuesday - March 2016
Patch Tuesday for March 2016 has arrived. Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products. This month's release contains 13 bulletins addressing 44 vulnerabilities. Five bulletins are rated critical and address vulnerabilities in Edge, Graphic Fonts, Internet Explorer, Windows Media Player, and Windows PDF. The remaining eight bulletins are rated important and address vulnerabilities in .NET, Office, and several other Windows components.
## Bulletins Rated Critical
Microsoft bulletins MS16-023, MS16-024, MS16-026 through MS16-028, and MS16-036 are rated as critical in this month's release.
MS16-023 and MS16-024 are this month's Internet Explorer and Edge security bulletins respectively. In total, 24 v
References
- http://www.securityfocus.com/bid/84034
- http://www.securitytracker.com/id/1035210
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-032
- https://www.exploit-db.com/exploits/39574/
- https://www.exploit-db.com/exploits/39719/
- https://www.exploit-db.com/exploits/39809/
- https://www.exploit-db.com/exploits/40107/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-0099
Timeline
- 2016-03-09: Published
- 2022-03-03: Added to CISA KEV
- Exploited in the wild