CVE-2016-3309
published 2016-08-09

CVE-2016-3309: Win32k Elevation of Privilege Vulnerability

Priority: high (P186) · CVSS 3.1 base score 7.8
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability, remediation due 2022-04-05
Exploited in the wild
EPSS: 20.63% (97.2nd percentile)
The kernel-mode drivers in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607 allow local users to gain privileges via a crafted application, aka "Win32k Elevation of Privilege Vulnerability," a different vulnerability than CVE-2016-3308, CVE-2016-3310, and CVE-2016-3311.

Affected (16 ranges)

Vendor      Product                                   Version range   Fixed in
microsoft   windows_10
microsoft   windows_10
microsoft   windows_server_2008
microsoft   windows_server_2012
msrc        windows_10
msrc        windows_10_version_1511
msrc        windows_10_version_1607
msrc        windows_7
msrc        windows_8.1
msrc        windows_rt_8.1
msrc        windows_server_2008
msrc        windows_server_2008_r2
msrc        windows_server_2012
msrc        windows_server_2012_r2
msrc        windows_vista_service_pack_2
msrc        windows_vista_x64_edition_service_pack_2

Detection & IOCs (extracted from sources)

url: https://github.com/siberas/CVE-2016-3309_Reloaded
url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42960.zip
  • The CVE-2016-3309 exploit's debug strings were reused in the CVE-2021-40449 (MysterySnail) exploit; their presence in a Win32k exploit binary is a strong indicator of IronHusky/MysterySnail tooling. Because the strings originate in a public PoC, a match can also be a straight build of that PoC, so confirm with the other indicators below before attributing.
  • The MysterySnail RAT copies cmd.exe to the temp folder under a different name before launching an interactive shell (command ID 0x1F4); monitor for a process launched from %TEMP% whose on-disk name is not cmd.exe but whose PE original file name is.
  • The public exploit targets the win32kfull!bFill pool overflow on Windows 10 x64 build 15063. Kernel pool allocations are not observable from user-mode telemetry, but a failed or mistuned attempt usually ends in a pool-corruption bug check (BAD_POOL_HEADER 0x19, BAD_POOL_CALLER 0xC2), so unexplained crashes of that class on affected builds are worth correlating with process-creation events.
  • Kaspersky detection verdicts for the exploit and payload are PDM:Exploit.Win32.Generic, PDM:Trojan.Win32.Generic and Trojan.Win64.Agent*; use these as hunt strings in AV telemetry.
  • The MysterySnail RAT speaks a binary protocol inside an SSL session; every C2 message carries a fixed header (offset 0: data size, offset 4: session ID, offset 8: command ID) followed by additional data from offset 0xC, so the layout is only visible after the traffic is decrypted.
  • The public PoC exploit (EDB-42960) targets specifically Windows 10 x64 Creators Update build 15063.540 and may not function on other builds without modification.
  • The information-disclosure part of the CVE-2021-40449 exploit chain (kernel module base address leakage via NtQuerySystemInformation/EnumDeviceDrivers from Medium IL) was assessed by Microsoft as not crossing a security boundary and was not patched.
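The renamed-cmd.exe hunt from the list above, as an added example that is not code from the page or from Kaspersky's MysterySnail report. The events are constructed in the shape of Sysmon Event ID 1 (process creation) fields; OriginalFileName is the name Sysmon reads from the PE version resource, which survives the copy-and-rename the RAT performs. The set of temp directories is an assumption for the example.

```python
"""Hunt for a renamed copy of cmd.exe launched from a temp directory."""
import ntpath
import re

# Temp locations to watch. Assumed list for the example, not from the page.
TEMP_DIR_RE = re.compile(
    r"^(?:[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\|[a-z]:\\windows\\temp\\)",
    re.IGNORECASE,
)


def is_renamed_cmd_from_temp(event):
    """True when the image is really cmd.exe by its version resource but was
    launched under a different file name from a temp directory."""
    image = event.get("Image", "")
    original = event.get("OriginalFileName", "")
    if original.lower() != "cmd.exe":
        return False
    if ntpath.basename(image).lower() == "cmd.exe":
        return False  # copied but not renamed: a separate, weaker signal
    return TEMP_DIR_RE.match(image) is not None


def hunt(events):
    """Return (ProcessId, Image, ParentImage) for every matching event."""
    return [
        (e["ProcessId"], e["Image"], e.get("ParentImage", ""))
        for e in events
        if is_renamed_cmd_from_temp(e)
    ]


# Constructed sample telemetry: a legitimate cmd.exe, a RAT-style renamed copy,
# an unrelated temp binary, and a cmd.exe copy that kept its name.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "Cmd.Exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"ProcessId": 5312, "Image": r"C:\Users\alice\AppData\Local\Temp\svcupd.exe",
     "OriginalFileName": "Cmd.Exe", "ParentImage": r"C:\ProgramData\sync\svchost.exe"},
    {"ProcessId": 5400, "Image": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
     "OriginalFileName": "setup.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"ProcessId": 6001, "Image": r"C:\Users\alice\AppData\Local\Temp\cmd.exe",
     "OriginalFileName": "Cmd.Exe", "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for pid, image, parent in hunt(SAMPLE_EVENTS):
        print(f"pid={pid} image={image} parent={parent}")
```

Keying on OriginalFileName rather than on the file name or a hash is what makes the rule survive the rename; the non-renamed copy in %TEMP% is deliberately left to a separate, lower-confidence rule so the two signals can be tuned independently.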
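A decoder for the C2 header layout described in the list above, as an added example that is not code from the page or from Kaspersky's report. The field offsets (0 data size, 4 session ID, 8 command ID, additional data from 0xC) are the page's; everything else is assumed for the example: 32-bit little-endian fields, a size field that counts only the additional data after the 12-byte header, a made-up second command ID, and that the bytes have already been recovered from the SSL session (for instance from a sandbox that logs the session keys).

```python
"""Decode MysterySnail-style C2 messages from a decrypted byte stream."""
import struct

HEADER = struct.Struct("<III")      # assumed: data size, session ID, command ID as LE u32
HEADER_LEN = HEADER.size            # 12 == 0xC, where the additional data begins
CMD_INTERACTIVE_SHELL = 0x1F4       # the one command ID named on the page
CMD_HYPOTHETICAL = 0xDEAD           # made-up ID, used only in the constructed sample


class MalformedMessage(ValueError):
    """Raised when a header is cut short or claims more data than is present."""


def parse_message(buf, offset=0):
    """Decode one message at buf[offset:]; return (message_dict, next_offset)."""
    remaining = len(buf) - offset
    if remaining < HEADER_LEN:
        raise MalformedMessage(f"need {HEADER_LEN} header bytes at {offset}, have {remaining}")
    size, session_id, command_id = HEADER.unpack_from(buf, offset)
    start = offset + HEADER_LEN
    data = buf[start:start + size]
    if len(data) != size:
        raise MalformedMessage(f"header at {offset} claims {size} data bytes, only {len(data)} present")
    msg = {"size": size, "session_id": session_id, "command_id": command_id, "data": data}
    return msg, start + size


def iter_messages(stream):
    """Yield every complete message in a stream; a truncated tail raises."""
    offset = 0
    while offset < len(stream):
        msg, offset = parse_message(stream, offset)
        yield msg


def build_message(session_id, command_id, data=b""):
    """Inverse of parse_message, used here to construct test vectors."""
    return HEADER.pack(len(data), session_id, command_id) + data


def command_name(command_id):
    names = {CMD_INTERACTIVE_SHELL: "interactive shell (renamed cmd.exe copy in %TEMP%)"}
    return names.get(command_id, f"unknown 0x{command_id:X}")


# Constructed sample: a shell request followed by a hypothetical command with data.
SAMPLE_STREAM = (build_message(0x1234, CMD_INTERACTIVE_SHELL)
                 + build_message(0x1234, CMD_HYPOTHETICAL, b"whoami\x00"))
TRUNCATED_STREAM = SAMPLE_STREAM[:-3]   # last message cut short mid-data

if __name__ == "__main__":
    for m in iter_messages(SAMPLE_STREAM):
        print(f"session=0x{m['session_id']:X} cmd={command_name(m['command_id'])} data={m['data']!r}")
```

The length check against the buffer is the part worth copying: a decoder that trusts the size field will read past the end of a truncated capture, and the same check is what tells you the stream boundary was mis-aligned if the field-width or endianness assumption turns out to be wrong for a given sample.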

CVSS provenance

Source       Version   Score   Severity   Vector
nvd          v3.1      7.8     HIGH       CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd          v2.0      7.2     HIGH       AV:L/AC:L/Au:N/C:C/I:C/A:C
vulncheck              7.8     HIGH
cisa                   7.8     HIGH
vendor_msrc            7.8     HIGH