cbcvebase.
CVE-2016-7255
published 2016-11-10

Priority: P1 (87, high) · CVSS 3.1 score: 7.8
CVSS vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Tags: KEV, ITW, EXPLOIT, Ransomware
CISA Known Exploited Vulnerability, due 2022-05-03
Exploited in the wild
EPSS: 80.97% (99.6th percentile)
The kernel-mode drivers in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, and 1607, and Windows Server 2016 allow local users to gain privileges via a crafted application, aka "Win32k Elevation of Privilege Vulnerability."

Affected (15 ranges)

Vendor      Product                                       Version range   Fixed in
microsoft   windows_server_2008
microsoft   windows_server_2012
msrc        windows_10
msrc        windows_10_version_1511
msrc        windows_10_version_1607
msrc        windows_7
msrc        windows_8.1
msrc        windows_rt_8.1
msrc        windows_server_2008
msrc        windows_server_2008_r2
msrc        windows_server_2012
msrc        windows_server_2012_r2
msrc        windows_server_2016
msrc        windows_vista_service_pack_2
msrc        windows_vista_x64_edition_service_pack_2

Detection & IOCs (extracted from sources)

domain     versiontask[.]com
domain     postlkwarn[.]com
domain     apptaskserver[.]com
domain     appservicegroup[.]com
domain     joshel[.]com
domain     akamaisoftupdate[.]com
filename   Operation_in_Mosul.rtf
filename   NASAMS.doc
filename   Programm_Details.doc
filename   DGI2017.doc
filename   Olympic-Agenda-2020-20-20-Recommendations.doc
filename   ARM-NATO_ENGLISH_30_NOV_2016.doc
  • CVE-2016-7255 was exploited in the wild as a local privilege escalation via a crafted application targeting the Win32k kernel-mode drivers; it was delivered chained with CVE-2016-7855 (Adobe Flash) via the DealersChoice exploitation platform, using malicious RTF documents containing embedded OLE Word documents with embedded SWF files.
  • DealersChoice uses the OfficeTestSideloading technique to sideload DLL files through a performance test module built into the Microsoft Office suite for persistence; hunt for abnormal DLL loads from Office processes.
  • APT32 has used CVE-2016-7255 for privilege escalation; correlate Win32k EoP exploitation attempts with APT32 TTPs, including process injection into Rundll32.exe and Cobalt Strike beacon activity.
  • The C2 server applies geolocation filtering: requests from US/Western IPs receive no response, while Middle Eastern IPs receive the malicious SWF and payload. Sandbox detonation from non-targeted geographies may therefore yield no response.
  • MS16-135 is the patch for CVE-2016-7255; prioritize patching, as the vulnerability was publicly disclosed and actively exploited at the time of patch release.
  • The DealersChoice C2 servers (versiontask[.]com, postlkwarn[.]com) randomly generate k1/k2/k3/k4 encryption tokens per request, so network signatures based on specific token values will not be reliable.
  • The Seduploader payload hashes and C2 domains (apptaskserver[.]com, appservicegroup[.]com, joshel[.]com, akamaisoftupdate[.]com) are associated with the broader DealersChoice/Sofacy campaign that delivered CVE-2016-7255 as a privilege escalation component, not with the CVE-2016-7255 exploit binary itself.

CVSS provenance

Source        Version   Score   Severity   Vector
nvd           v3.1      7.8     HIGH       CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd           v2.0      7.2     HIGH       AV:L/AC:L/Au:N/C:C/I:C/A:C
vulncheck               7.8     HIGH
cisa                    7.8     HIGH
vendor_msrc             6.1     MEDIUM