CVE-2016-7255
Published: 2016-11-10
Priority: P1 · 87 · high · 7.8 (CVSS 3.1)
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability · remediation due 2022-05-03
Exploited in the wild
EPSS: 80.97% (99.6th percentile)
The kernel-mode drivers in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, and 1607, and Windows Server 2016 allow local users to gain privileges via a crafted application, aka "Win32k Elevation of Privilege Vulnerability."
Affected
15 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_server_2008 | — | — |
| microsoft | windows_server_2012 | — | — |
| msrc | windows_10 | — | — |
| msrc | windows_10_version_1511 | — | — |
| msrc | windows_10_version_1607 | — | — |
| msrc | windows_7 | — | — |
| msrc | windows_8.1 | — | — |
| msrc | windows_rt_8.1 | — | — |
| msrc | windows_server_2008 | — | — |
| msrc | windows_server_2008_r2 | — | — |
| msrc | windows_server_2012 | — | — |
| msrc | windows_server_2012_r2 | — | — |
| msrc | windows_server_2016 | — | — |
| msrc | windows_vista_service_pack_2 | — | — |
| msrc | windows_vista_x64_edition_service_pack_2 | — | — |
Detection & IOCs (extracted from sources)
- CVE-2016-7255 was exploited in the wild as a local privilege escalation via a crafted application targeting Win32k kernel-mode drivers; it was delivered chained with CVE-2016-7855 (Adobe Flash) via the DealersChoice exploitation platform using malicious RTF documents containing embedded OLE Word documents with embedded SWF files.
- DealersChoice uses the OfficeTestSideloading technique to sideload DLL files via a performance test module built into the Microsoft Office suite for persistence; hunt for abnormal DLL loads from Office processes.
- APT32 has used CVE-2016-7255 for privilege escalation; correlate Win32k EoP exploitation attempts with APT32 TTPs, including process injection into Rundll32.exe and Cobalt Strike beacon activity.
- The C2 server applies geolocation filtering: requests from US/Western IPs receive no response, while Middle Eastern IPs receive the malicious SWF and payload. Sandbox detonation from non-targeted geographies may yield no response.
- MS16-135 is the patch for CVE-2016-7255; prioritize patching, as the vulnerability was publicly disclosed and actively exploited at the time of patch release.
- The DealersChoice C2 servers (versiontask[.]com, postlkwarn[.]com) randomly generate k1/k2/k3/k4 encryption tokens per request, so network signatures based on specific token values will not be reliable.
- The Seduploader payload hashes and C2 domains (apptaskserver[.]com, appservicegroup[.]com, joshel[.]com, akamaisoftupdate[.]com) are associated with the broader DealersChoice/Sofacy campaign delivering CVE-2016-7255 as a privilege escalation component, not with the CVE-2016-7255 exploit binary itself.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | — | 7.8 | HIGH | — |
| cisa | — | 7.8 | HIGH | — |
| vendor_msrc | — | 6.1 | MEDIUM | — |
CISA
Microsoft Win32k Privilege Escalation Vulnerability
cisa·2021-11-03·CVSS 7.8
CVE-2016-7255 [HIGH] CWE-264 Microsoft Win32k Privilege Escalation Vulnerability
Vulnerability: Microsoft Win32k Privilege Escalation Vulnerability
Affected: Microsoft Win32k
Microsoft Win32k kernel-mode driver fails to properly handle objects in memory which allows for privilege escalation. Successful exploitation allows an attacker to run code in kernel mode.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2016-7255
Remediation Due Date: 2022-05-03
Microsoft
Win32k Elevation of Privilege Vulnerability
vendor_msrc·2016-11-08·CVSS 6.1
CVE-2016-7255 [HIGH] Win32k Elevation of Privilege Vulnerability
Win32k Elevation of Privilege Vulnerability
Description: An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.
The update addresses this vulnerability by correcting how the Windows kernel-mode driver handles objects in memory.
Windows Kernel-Mode Drivers: Windows Kernel-Mode D
GHSA
GHSA-6rfx-wjcx-jvgf: The kernel-mode drivers in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8
ghsa_unreviewed·2022-05-14
CVE-2016-7255 [HIGH] GHSA-6rfx-wjcx-jvgf: The kernel-mode drivers in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8
The kernel-mode drivers in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, and 1607, and Windows Server 2016 allow local users to gain privileges via a crafted application, aka "Win32k Elevation of Privilege Vulnerability."
Project0
TFW you-get-really-excited-you-patch-diffed-a-0day-used-in-the-wild-but-then-find-out-it-is-the-wrong-vuln - Project Zero
project_zero·2020-04-01·CVSS 7.8
CVE-2016-7255 [HIGH] TFW you-get-really-excited-you-patch-diffed-a-0day-used-in-the-wild-but-then-find-out-it-is-the-wrong-vuln - Project Zero
Posted by Maddie Stone, Project Zero
INTRODUCTION
I’m really interested in 0-days exploited in the wild and what we, the security community, can learn about them to make 0-day hard. I explained some of Project Zero’s ideas and goals around in-the-wild 0-days in a November blog post.
On December’s Patch Tuesday, I was immediately intrigued by CVE-2019-1458, a Win32k Escalation of Privilege (EoP), said to be exploited in the wild and discovered by Anton Ivanov and Alexey Kulaev of Kaspersky Lab. Later that day, Kaspersky published a blog post on the exploit. The blog post included details about the exploit, but only included partial details on the vulnerability. My end goal was to do variant analysis on the vulnerability, but without full and accurate details about the vulnerability, I n
VulnCheck
Microsoft Win32k Privilege Escalation Vulnerability
vulncheck·2016·CVSS 7.8
CVE-2016-7255 [HIGH] CWE-264 Microsoft Win32k Privilege Escalation Vulnerability
Microsoft Win32k Privilege Escalation Vulnerability
Microsoft Win32k kernel-mode driver fails to properly handle objects in memory which allows for privilege escalation. Successful exploitation allows an attacker to run code in kernel mode.
Affected: Microsoft Win32k
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://api.msrc.microsoft.com/cvrf/v3.0/cvrf/2016-Nov; https://unit42.paloaltonetworks.com/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/; https://us-cert.cisa.gov/sites/default/files/publications/AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf; https://www.fireeye.com/blog/threat-research
No detection rules found.
Exploit-DB
Microsoft Windows - 'Win32k' Local Privilege Escalation
exploitdb·2019-05-15·CVSS 7.8
CVE-2019-0803 [HIGH] Microsoft Windows - 'Win32k' Local Privilege Escalation
Microsoft Windows - 'Win32k' Local Privilege Escalation
---
# CVE-2019-0803
Win32k Elevation of Privilege Poc
Reference
(steal Security token) https://github.com/mwrlabs/CVE-2016-7255
EDB Note: Download ~ https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/46920.zip
Exploit-DB
Microsoft Windows Kernel - 'win32k.sys NtSetWindowLongPtr' Local Privilege Escalation (MS16-135) (2)
exploitdb·2017-01-08·CVSS 7.8
CVE-2016-7255 [HIGH] Microsoft Windows Kernel - 'win32k.sys NtSetWindowLongPtr' Local Privilege Escalation (MS16-135) (2)
Microsoft Windows Kernel - 'win32k.sys NtSetWindowLongPtr' Local Privilege Escalation (MS16-135) (2)
---
/*
Source: https://ricklarabee.blogspot.com/2017/01/virtual-memory-page-tables-and-one-bit.html
Binary: https://github.com/rlarabee/exploits/raw/8b9eb646516d7f022a010f28018209f331c28975/cve-2016-7255/compiled/cve-2016-7255.exe
Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41015.exe
*/
// ricklarabee.blogspot.com
//This program is free software; you can redistribute it and/or
//modify it under the terms of the GNU General Public License
//as published by the Free Software Foundation.
//This program is distributed in the hope that it will be useful,
//but WITHOUT ANY WARRANTY; without even the implied warranty of
//MERCHANTABILITY or FITNES
Exploit-DB
Microsoft Windows Kernel - 'win32k.sys NtSetWindowLongPtr' Local Privilege Escalation (MS16-135) (1)
exploitdb·2016-11-24
CVE-2016-7255 Microsoft Windows Kernel - 'win32k.sys NtSetWindowLongPtr' Local Privilege Escalation (MS16-135) (1)
Microsoft Windows Kernel - 'win32k.sys NtSetWindowLongPtr' Local Privilege Escalation (MS16-135) (1)
---
Complete Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40823.zip
Presentation:
https://www.exploit-db.com/docs/english/40822-i-know-where-your-page-lives---de-randomizing-the-latest-windows-10-kernel.pdf
I Know Where Your Page Lives: Derandomizing the latest Windows 10 Kernel - ZeroNights 2016
Requirements
Intel Processor (Haswell or newer)
Windows 10 x64
Usage
Run ASLRSideChannelAttack.exe to get the PML4 self-reference entry:
C:\Users\qa\Desktop>ASLRSideChannelAttack.exe
[+] Setting thread affinity to CPU 0
[+] Getting all the potential PML4 SelfRef
[+] Mapping a page oracle
[+] Allocating probing target pages...
Allocation 0: 000002
Exploit-DB
Microsoft Windows Kernel - 'win32k' Denial of Service (MS16-135)
exploitdb·2016-11-09·CVSS 7.8
CVE-2016-7255 [HIGH] Microsoft Windows Kernel - 'win32k' Denial of Service (MS16-135)
Microsoft Windows Kernel - 'win32k' Denial of Service (MS16-135)
---
/*
Source: https://github.com/tinysec/public/tree/master/CVE-2016-7255
Full Proof of Concept:
https://github.com/tinysec/public/tree/master/CVE-2016-7255
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40745.zip
Created: 2016-11-09 14:23:09
Filename: main.c
Author: root[at]TinySec.net
Version 0.0.0.1
Purpose: poc of cve-2016-0075
*/
#include
#include
#include
#include
//////////////////////////////////////////////////////////////////////////
#pragma comment(lib,"ntdll.lib")
#pragma comment(lib,"user32.lib")
#undef DbgPrint
ULONG __cdecl DbgPrintEx( IN ULONG ComponentId, IN ULONG Level, IN PCCH Format, IN ... );
ULONG __cdecl DbgPrint(__in char* Format, ...)
{
CHAR* pszDbgBuff = NU
Qualys
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys
blogs_qualys·2022-02-23
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys
#### Table of Contents
- Situation
- Directive Scope
- CISA Catalog of Known Exploited Vulnerabilities
- Detect CISA Vulnerabilities Using Qualys VMDR
- CISA Exploited RTI
- Detailed Operational Dashboard
- Remediation
- Federal Enterprises and Agencies Can Act Now
- Summary
- Getting Started
CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively.
## Situation
Last November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directiv
Checkpoint
Exploit Developer Spotlight: The Story of PlayBit
blogs_checkpoint·2020-10-26·CVSS 7.8
CVE-2018-8453 [HIGH] Exploit Developer Spotlight: The Story of PlayBit
## Exploit Developer Spotlight: The Story of PlayBit
Research By: Eyal Itkin and Itay Cohen
## Introduction
Exploits have always been an important and integral part of malicious attacks.
Checkpoint
Graphology of an Exploit – Hunting for exploits by looking for the author’s fingerprints
blogs_checkpoint·2020-10-02
CVE-2019-0859 Graphology of an Exploit – Hunting for exploits by looking for the author’s fingerprints
## Graphology of an Exploit – Hunting for exploits by looking for the author’s fingerprints
Research by: Itay Cohen, Eyal Itkin
In the past months, our Vulnerability and Malware Research tea
Securelist
The zero-day exploits of Operation WizardOpium
blogs_securelist·2020-05-28·CVSS 8.8
[HIGH] The zero-day exploits of Operation WizardOpium
Table of Contents
- Google Chrome remote code execution exploit
- Microsoft Windows elevation of privilege exploit
- Conclusions
Authors
- Boris Larin
- Alexey Kulaev
Back in October 2019 we detected a classic watering-hole attack on a North Korea-related news site that exploited a chain of Google Chrome and Microsoft Windows zero-days. While we’ve already published blog posts briefly describing this operation (available here and here), in this blog post we’d like to take a deep technical dive into the exploits and vulnerabilities used in this attack.
## Google Chrome remote code execution exploit
In the original blog post we described the exploit loader responsible for initial validation of the target and execution of the next stage JavaScript code containing the full browser explo
Unit42
Let It Ride: The Sofacy Group’s DealersChoice Attacks Continue
blogs_unit42·2016-12-15·CVSS 7.8
[HIGH] Let It Ride: The Sofacy Group’s DealersChoice Attacks Continue
Recently, Palo Alto Networks Unit 42 reported on a new exploitation platform that we called “DealersChoice” in use by the Sofacy group (AKA APT28, Fancy Bear, STRONTIUM, Pawn Storm, Sednit). As outlined in our original posting, the DealersChoice exploitation platform generates malicious RTF documents which in turn use embedded OLE Word documents. These embedded OLE Word documents then contain embedded Adobe Flash (.SWF) files that are designed to exploit Adobe Flash vulnerabilities.
At the time of initial reporting, we found two variants:
1. Variant A: A standalone variant that included Flash exploit code packaged with a payload.
2. Variant B: A modular variant that loaded exploit code on-demand and appeared non-operational at the time.
Since that time, we have been able to collect addi
Qualys
Patch Tuesday: Microsoft Patches Actively Exploited Kernel and OpenType Font, Three Previously Disclosed Browser Issues and SQL Server | Qualys
blogs_qualys·2016-11-08·CVSS 3.1
CVE-2016-7255 [LOW] Patch Tuesday: Microsoft Patches Actively Exploited Kernel and OpenType Font, Three Previously Disclosed Browser Issues and SQL Server | Qualys
Today Microsoft released 14 security bulletins with six critical and eight important security fixes. It patched 0-day vulnerability CVE-2016-7255 in the MS16-135 which was actively attacked and disclosed by Google in their disclosure blog a few days ago. Since it is publicly disclosed and actively exploited it should be the top priority for organizations. An OpenType font vulnerability CVE-2016-7256 was also included by Microsoft in MS16-132 as being actively exploited. This vulnerability allows attackers to take complete control if the victim views a specially crafted webpage and therefore should be considered equally critical. Last but not least, three more vulnerabilities that were disclosed before availability of patches were fixed. These three issues are in IE and Edge browser and wer
Threat Intel
APT32 (APT32, SeaLotus, OceanLotus)
threat_intel
APT32 (APT32, SeaLotus, OceanLotus)
# Threat Actor Profile: APT32
ATT&CK ID: G0050
Also known as: APT32, SeaLotus, OceanLotus, APT-C-00, Canvas Cyclone, BISMUTH
Suspected origin: Vietnam
## Overview
APT32 is a suspected Vietnam-based threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments, dissidents, and journalists with a strong focus on Southeast Asian countries like Vietnam, the Philippines, Laos, and Cambodia. They have extensively used strategic web compromises to compromise victims.(Citation: FireEye APT32 May 2017)(Citation: Volexity OceanLotus Nov 2017)(Citation: ESET OceanLotus)
## Techniques (TTPs)
### Reconnaissance
- T1598.003 Spearphishing Link
Usage: APT32 has used malicious links to direct users to web pages designed to
Zscaler
Zscaler found Multiple Security Vulnerabilities | 11-08-2016
blogs_zscaler
Zscaler found Multiple Security Vulnerabilities | 11-08-2016
arXiv
Investigation of Advanced Persistent Threats Network-based Tactics, Techniques and Procedures
arxiv_fulltext·2025-02-12
Investigation of Advanced Persistent Threats Network-based Tactics, Techniques and Procedures
Investigation of Advanced Persistent Threats Network-based Tactics, Techniques and Procedures
Almuthanna Alageel
and
Sergio Maffeis
Department of Computing
Imperial College London
London, United Kingdom
## Abstract
The scarcity of data and the high complexity of Advanced Persistent Threats (APTs) attacks have created challenges in comprehending their behavior and hindered the exploration of effective detection techniques.
To create an effective APT detection strategy, it is important to examine the Tactics, Techniques, and Procedures (TTPs) that have been reported by the industry. These TTPs can be difficult to classify as either malicious or legitimate. When developing an approach for the next generation of network intrusion detection systems (NIDS), it is necessary to
arXiv
A Way Around UMIP and Descriptor-Table Exiting via TSX-based Side-Channel
arxiv_fulltext·2021-04-22
A Way Around UMIP and Descriptor-Table Exiting via TSX-based Side-Channel
A Way Around UMIP and Descriptor-Table Exiting via TSX-based Side-Channel
Mohammad Sina Karvandi, Saleh Khalaj Monfared, Mohammad Sina Kiarostami, Rahmati, Saeid Gorgin
School of Computer Sciences, Institute for Research in Fundamental Sciences (IPM), Tehran, Iran
Iranian Research Organization for Science and Technology (IROST), Tehran, Iran
{karvandi, monfared, skiarostami, dara.rahmati}@ipm.ir, [email protected]
## Abstract
Nowadays, in operating systems, numerous protection mechanisms prevent or limit the user-mode applications to access the kernel's internal information. This is regularly carried out by software-based defenses such as Address Space Layout Randomization (ASLR) and Kernel ASLR (KASLR). They play pronounced roles when the security of sandboxed applicati
References
- http://blog.trendmicro.com/trendlabs-security-intelligence/one-bit-rule-system-analyzing-cve-2016-7255-exploit-wild/
- http://packetstormsecurity.com/files/140468/Microsoft-Windows-Kernel-win32k.sys-NtSetWindowLongPtr-Privilege-Escalation.html
- http://www.securityfocus.com/bid/94064
- http://www.securitytracker.com/id/1037251
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-135
- https://github.com/mwrlabs/CVE-2016-7255
- https://securingtomorrow.mcafee.com/mcafee-labs/digging-windows-kernel-privilege-escalation-vulnerability-cve-2016-7255/
- https://security.googleblog.com/2016/10/disclosing-vulnerabilities-to-protect.html
- https://www.exploit-db.com/exploits/40745/
- https://www.exploit-db.com/exploits/40823/
- https://www.exploit-db.com/exploits/41015/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-7255
Timeline
- Published: 2016-11-10
- Added to CISA KEV: 2021-11-03
- Exploited in the wild