CVE-2016-3225
Published 2016-06-16
Priority: P2 · CVSS 3.0 base score 7.8 (High)
CVSS 3.0 vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Flags: exploited in the wild · public exploit available · VulnCheck KEV
EPSS: 43.49% (98.6th percentile)
The SMB server component in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 allows local users to gain privileges via a crafted application that forwards an authentication request to an unintended service, aka "Windows SMB Server Elevation of Privilege Vulnerability."
Affected (14 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_10 | — | — |
| microsoft | windows_server_2008 | — | — |
| microsoft | windows_server_2012 | — | — |
| msrc | windows_10 | — | — |
| msrc | windows_10_version_1511 | — | — |
| msrc | windows_7 | — | — |
| msrc | windows_8.1 | — | — |
| msrc | windows_rt_8.1 | — | — |
| msrc | windows_server_2008 | — | — |
| msrc | windows_server_2008_r2 | — | — |
| msrc | windows_server_2012 | — | — |
| msrc | windows_server_2012_r2 | — | — |
| msrc | windows_vista_service_pack_2 | — | — |
| msrc | windows_vista_x64_edition_service_pack_2 | — | — |
Detection & IOCs (extracted from sources)
- Check for SeImpersonatePrivilege on service accounts; the exploit explicitly requires and checks for this privilege before proceeding.
- Detect reflective DLL injection of rottenpotato.x64.dll or rottenpotato.x86.dll into a hidden notepad.exe process spawned from a Meterpreter session.
- Monitor for Net-NTLMv2 authentication requests being forwarded/reflected between DCOM/RPC services on the same host, which is the core exploitation mechanism.
- Alert on CLSID-based DCOM activation requests originating from low-privileged service accounts that result in SYSTEM-level token impersonation (the Juicy Potato variant requires a CLSID string).
- Audit for use of the Meterpreter incognito module following exploitation, as the exploit guide recommends token impersonation post-shell.
- Note: the Juicy Potato variant (ms16_075_reflection_juicy) requires a valid CLSID string to be supplied; without it the exploit will not function.
- Note: Windows 10 builds after 1803 (build 17134) and all Windows Server 2019 versions are NOT vulnerable to the Juicy Potato variant.
- Note: WOW64 sessions are explicitly unsupported; session architecture must match target architecture or the exploit will abort.
- Note: the exploit requires the attacker to already have a valid local logon session; remote exploitation is not possible.
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 7.8 | HIGH | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 6.9 | MEDIUM | AV:L/AC:M/Au:N/C:C/I:C/A:C |
| vulncheck | — | 7.8 | HIGH | — |
| vendor_msrc | — | 7.8 | HIGH | — |
Microsoft
Windows SMB Server Elevation of Privilege Vulnerability
vendor_msrc·2016-06-14·CVSS 7.8
CVE-2016-3225 [HIGH] Windows SMB Server Elevation of Privilege Vulnerability
Description: An elevation of privilege vulnerability exists in the Microsoft Server Message Block (SMB) when an attacker forwards an authentication request intended for another service running on the same machine. An attacker who successfully exploited this vulnerability could execute arbitrary code with elevated permissions.
To exploit the vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.
The update addresses the vulnerability by correcting how Windows SMB handles credential-forwarding requests.
FAQ: Why is security update 3161561 in this bulletin also denoted in MS16-076?
Securi
GHSA
GHSA-pwj2-59p8-97h2: The SMB server component in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8
ghsa_unreviewed·2022-05-14
The SMB server component in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 allows local users to gain privileges via a crafted application that forwards an authentication request to an unintended service, aka "Windows SMB Server Elevation of Privilege Vulnerability."
VulnCheck
Windows SMB Server Elevation of Privilege Vulnerability
vulncheck·2016·CVSS 7.8
The SMB server component in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 allows local users to gain privileges via a crafted application that forwards an authentication request to an unintended service, aka "Windows SMB Server Elevation of Privilege Vulnerability."
Affected: Microsoft Windows
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.cyber.gov.au/sites/default/files/2023-03/report_manic_menagerie.pdf
Exploit PoC: https://vulncheck.com/xdb/d3e5abe2a86a
No detection rules found.
Exploit-DB
Microsoft Windows - Net-NTLMv2 Reflection DCOM/RPC (Metasploit)
exploitdb·2018-10-08
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core/post/windows/reflective_dll_injection'

class MetasploitModule < Msf::Exploit::Local
  include Msf::Post::Windows::ReflectiveDLLInjection

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Windows Net-NTLMv2 Reflection DCOM/RPC',
      'Description' => %q(
        Module utilizes the Net-NTLMv2 reflection between DCOM/RPC
        to achieve a SYSTEM handle for elevation of privilege. Currently the module
        does not spawn as SYSTEM, however once achieving a shell, one can easily
        use incognito to impersonate the token.
      ),
      'License'     => MSF_LICENSE,
      'Author'      =>
        [
          'FoxGloveSec',  # the original Potato exploit
          'breenmachine', # Rotten Potato NG!
          'Mumbai'        # Austin : port of RottenPotato for reflection & quick module
        ],
```
Metasploit
Windows Net-NTLMv2 Reflection DCOM/RPC (Juicy)
metasploit
This module utilizes the Net-NTLMv2 reflection between DCOM/RPC to achieve a SYSTEM handle for elevation of privilege. It requires a CLSID string. Windows 10 after version 1803, (April 2018 update, build 17134) and all versions of Windows Server 2019 are not vulnerable.
Metasploit
Windows Net-NTLMv2 Reflection DCOM/RPC
metasploit
Module utilizes the Net-NTLMv2 reflection between DCOM/RPC to achieve a SYSTEM handle for elevation of privilege. Currently the module does not spawn as SYSTEM, however once achieving a shell, one can easily use incognito to impersonate the token.
Talos
Microsoft Patch Tuesday - June 2016
blogs_talos·2016-06-14
## Microsoft Patch Tuesday - June 2016
This post was authored by Warren Mercer.
Patch Tuesday for June 2016 has arrived, when Microsoft releases its monthly set of security bulletins designed to address security vulnerabilities within its products. This month's release contains 17 bulletins addressing 44 vulnerabilities. Five bulletins resolve critical vulnerabilities found in MS DNS Server, Edge, Internet Explorer, JScript/VBScript, and Office. The remaining bulletins are rated important and address vulnerabilities in Active Directory, Exchange Server, Group Policy, SMB Server, Netlogon, Windows Graphics component, Windows Kernel-mode Drivers, Windows PDF, Windows Search Component, and WPAD.
## Bulletins Rated Critical
Microsoft bulletins MS16-063, MS16-068 through MS16-071, and MS16-083 are rated as critical in this release.
References
- http://www.securitytracker.com/id/1036110
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-075
- https://www.exploit-db.com/exploits/45562/