CVE-2016-0100
Published: 2016-03-09
Priority: P2 (66, high); CVSS 3.0 base score: 8.4
Exploit available. EPSS: 58.01% (99.0th percentile)
Microsoft Windows Vista SP2 and Server 2008 SP2 mishandle library loading, which allows local users to gain privileges via a crafted application, aka "Library Loading Input Validation Remote Code Execution Vulnerability."
CVSS provenance:
NVD v3.0: 8.4 HIGH (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
NVD v2.0: 7.2 HIGH (AV:L/AC:L/Au:N/C:C/I:C/A:C)
No detection rules found.
Exploit-DB · exploitdb · 2015-12-08
CVE-2016-3235: Microsoft Office - OLE Multiple DLL Side Loading Vulnerabilities (MS15-132/MS16-014/MS16-025/MS16-041/MS16-070) (Metasploit)
---
```ruby
require 'zip'
require 'base64'
require 'msf/core'
require 'rex/ole'

class MetasploitModule < Msf::Exploit::Remote
  # The module rank, mixin includes and the opening of initialize()
  # are truncated in the source listing; it resumes at the 'Name' entry.
      'Name'        => 'Office OLE Multiple DLL Side Loading Vulnerabilities',
      'Description' => %q{
        Multiple DLL side loading vulnerabilities were found in various COM components.
        These issues can be exploited by loading these components as an embedded
        OLE object. When instantiating a vulnerable object Windows will try to load one
        or more DLLs from the current working directory. If an attacker convinces the
        victim to open a specially crafted (Office) document from a directory also
        containing the attacker's DLL file, it is possible to execute arbitrary code with
        the privileges of the ta
```
Metasploit · metasploit
Office OLE Multiple DLL Side Loading Vulnerabilities
Multiple DLL side loading vulnerabilities were found in various COM components. These issues can be exploited by loading these components as an embedded OLE object. When instantiating a vulnerable object, Windows will try to load one or more DLLs from the current working directory. If an attacker convinces the victim to open a specially crafted (Office) document from a directory that also contains the attacker's DLL file, it is possible to execute arbitrary code with the privileges of the target user. This can potentially result in the attacker taking complete control of the affected system.
Talos · blogs_talos · 2016-03-08 · CVSS 6.5 [MEDIUM]
## Microsoft Patch Tuesday - March 2016
Patch Tuesday for March 2016 has arrived. Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products. This month's release contains 13 bulletins addressing 44 vulnerabilities. Five bulletins are rated critical and address vulnerabilities in Edge, Graphic Fonts, Internet Explorer, Windows Media Player, and Windows PDF. The remaining eight bulletins are rated important and address vulnerabilities in .NET, Office, and several other Windows components.
## Bulletins Rated Critical
Microsoft bulletins MS16-023, MS16-024, MS16-026 through MS16-028, and MS16-036 are rated as critical in this month's release.
MS16-023 and MS16-024 are this month's Internet Explorer and Edge security bulletins respectively. In total, 24 v
Bugzilla · bugzilla · 2016-02-24 · CVSS 5.1 [MEDIUM]
CVE-2016-2545 kernel: sound: use-after-free in snd_timer_interrupt
The ALSA timer instance object has a couple of linked lists, and they are unlinked unconditionally at snd_timer_stop(). Meanwhile snd_timer_interrupt() also unlinks it, but it calls list_del(), which leaves the element's own list pointers unchanged. This ends up unlinking twice, and it was caught by the syzkaller fuzzer.
Upstream patch:
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ee8413b01045c74340aa13ad5bdf905de32be736
CVE-ID request and assignment:
http://seclists.org/oss-sec/2016/q1/133
http://seclists.org/oss-sec/2016/q1/410
Discussion:
This was fixed in 4.3.5 with:
commit baa3a675b24fe17d5e514d71561d97f46bc6086f
Author: Takashi Iwai
Date: Wed Jan 13 21:35:06 2016 +0100
ALSA: timer: Fix double un
Bugzilla · bugzilla · 2016-02-24 · CVSS 5.1 [MEDIUM]
CVE-2016-2544 kernel: sound: use-after-free in snd_timer_stop
The ALSA sequencer code has an open race between the timer setup ioctl and the close of the client. This was triggered by the syzkaller fuzzer, and a use-after-free was caught there as a result.
Upstream patch:
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=3567eb6af614dac436c4b16a8d426f9faed639b3
External references:
http://www.spinics.net/lists/alsa-devel/msg45102.html
https://lkml.org/lkml/2016/1/12/465
CVE-ID request and assignment:
http://seclists.org/oss-sec/2016/q1/133
http://seclists.org/oss-sec/2016/q1/410
Discussion:
This was fixed in 4.3.6 with:
commit 5a5c8e77d66f24446b7e741ac2e3ae3127d9dd54
Author: Takashi Iwai
Date: Tue Jan 12 15:36:27 2016 +0100
ALSA: seq: Fix race at timer setup and
Bugzilla · bugzilla · 2016-02-24 · CVSS 5.1 [MEDIUM]
CVE-2016-2546 kernel: sound: GPF in snd_timer_user_params
The ALSA timer ioctls have an open race, and this may lead to a use-after-free of the timer instance object. A simplistic fix is to make each ioctl exclusive. We already have tread_sem for controlling the tread, and this is extended into a global mutex applied to each ioctl.
Upstream patch:
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=af368027a49a751d6ff4ee9e3f9961f35bb4fede
CVE-ID request and assignment:
http://seclists.org/oss-sec/2016/q1/133
http://seclists.org/oss-sec/2016/q1/410
Discussion:
This was fixed in 4.3.5 with:
commit 7066da22b1eb40e955f9dfe57022816fae53d3cf
Author: Takashi Iwai
Date: Wed Jan 13 17:48:01 2016 +0100
ALSA: timer: Fix race among timer ioctls
commit af368027a49a751d6ff4ee9e3f99
Bugzilla · bugzilla · 2016-02-24 · CVSS 5.1 [MEDIUM]
CVE-2016-2548 kernel: sound: linked lists of slave instances not unlinked immediately
Some linked lists (active_list and ack_list) of slave instances aren't unlinked immediately at stopping or closing, and this may lead to unexpected accesses.
Upstream patch:
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b5a663aa426f4884c71cd8580adae73f33570f0d
External references:
http://seclists.org/oss-sec/2016/q1/133
Discussion:
This is an identical fix to bug 1311566.
This was fixed in 4.3.5 with:
commit ea7f3d59628930dc29482a292e2a55c81cac52a4
Author: Takashi Iwai
Date: Thu Jan 14 16:30:58 2016 +0100
ALSA: timer: Harden slave timer list handling
commit b5a663aa426f4884c71cd8580adae73f33570f0d upstream.
and in 4.4.1 with:
commit 8eff3aa0a9bbb593dce0ec0344ec1961
Bugzilla · bugzilla · 2016-02-24 · CVSS 6.2 [MEDIUM]
CVE-2016-2543 kernel: sound: GPF in snd_seq_fifo_clear
A NULL pointer dereference vulnerability was found in the Linux kernel. The function snd_seq_ioctl_remove_events() calls snd_seq_fifo_clear() unconditionally, even if there is no FIFO assigned, and this leads to an Oops due to the NULL dereference. The fix is simply to add a proper NULL check.
Upstream patch:
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=030e2c78d3a91dd0d27fef37e91950dde333eba1
External references:
https://lkml.org/lkml/2016/1/12/215
CVE-ID request and assignment:
http://seclists.org/oss-sec/2016/q1/133
http://seclists.org/oss-sec/2016/q1/410
Discussion:
This was fixed in 4.3.5 with:
commit 6f54677f06bf3fd3c3f327d14ded94a0330d8d0c
Author: Takashi Iwai
Date: Tue Jan 12 12:38:02 2016 +0100
ALSA: seq:
References:
http://www.securityfocus.com/bid/83930
http://www.securitytracker.com/id/1035205
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-025