cbcvebase.
CVE-2016-0151
published 2016-04-12

Priority: P1 86 high
CVSS 3.1: 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Tags: KEV · ITW · Exploit · Ransomware
CISA Known Exploited Vulnerability, due 2022-04-18
Exploited in the wild
EPSS: 63.20% (99.1st percentile)
The Client-Server Run-time Subsystem (CSRSS) in Microsoft Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 mismanages process tokens, which allows local users to gain privileges via a crafted application, aka "Windows CSRSS Security Feature Bypass Vulnerability."

Affected

10 ranges

Vendor      Product                                          Version range   Fixed in
microsoft   windows_server_2012
msrc        windows_10_for_32-bit_systems
msrc        windows_10_for_x64-based_systems
msrc        windows_10_version_1511_for_32-bit_systems
msrc        windows_10_version_1511_for_x64-based_systems
msrc        windows_8.1_for_32-bit_systems
msrc        windows_8.1_for_x64-based_systems
msrc        windows_rt_8.1
msrc        windows_server_2012
msrc        windows_server_2012_r2

Detection & IOCs (extracted from sources)

command: edit.com
other: CsrClientCallServer opcode 0x10010005
process: notepad.exe (spawned via CreateProcessWithLogonW as session-0 elevated process)
  • Hook of CsrClientCallServer in kernel32.dll's IAT (patching ntdll.dll import) is a key exploit behaviour; monitor for IAT patching of kernel32.dll targeting ntdll!CsrClientCallServer at runtime.
  • Exploit calls ImpersonateAnonymousToken on the current thread immediately before invoking CsrClientCallServer with opcode 0x10010005 (BaseSrvCheckVDM); detect ImpersonateAnonymousToken followed by CsrClientCallServer calls from non-system processes.
  • Exploit spawns a 16-bit executable (edit.com) to trigger the BaseSrvCheckVDM CSRSS RPC path; alert on CreateProcess calls for edit.com or other 16-bit executables from non-legacy contexts on 32-bit Windows 8.1/10.
  • Exploit uses NtGetNextProcess with MAXIMUM_ALLOWED to enumerate all processes after impersonating the anonymous token; detect NtGetNextProcess calls from user-mode processes combined with prior anonymous token impersonation.
  • Exploit modifies the anonymous token's DefaultDacl using the SDDL string granting GA to Everyone (WD) and Anonymous (AN) before passing it as the process token; this SDDL pattern is a strong indicator of exploitation.
  • Exploit directly manipulates the TEB (fs:[0x18] + 0x20) to overwrite the process ID field, enabling session-0 process creation abuse; this inline assembly pattern in user-mode code is highly suspicious.
  • The exploit only works on 32-bit Windows; it explicitly exits if running under WOW64 or on 64-bit Windows.
  • The vulnerability is exploitable only when the VDM (Virtual DOS Machine) is disabled (default on 32-bit Windows 8 and above), which causes CSRSS to spawn the helper process that triggers the vulnerable code path.
  • Exploitation requires the attacker to already be logged on locally; this is a local privilege escalation, not a remote vector.
  • The PoC was tested on Windows 8.1 only; behaviour on Windows 10 or Windows 7 was not confirmed by the researcher.

CVSS provenance

Source        Version   Score   Severity   Vector
nvd           v3.1      7.8     HIGH       CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd           v2.0      7.2     HIGH       AV:L/AC:L/Au:N/C:C/I:C/A:C
vulncheck               7.8     HIGH
cisa                    7.8     HIGH
vendor_msrc             7.8     HIGH