The vulnerability was combined with CVE-2015-3043 in Operation "Russian Doll".
Exploited by Russia's APT28 (Fancy Bear APT) in a cyber espionage campaign against U.S. defense contractors, European security companies and Eastern European government entities.
Vulnerability details
Advisory: SB2015051201 - Multiple vulnerabilities in Microsoft Windows
Vulnerable component: Windows
CVE-ID: CVE-2015-1701
CVSSv3 score: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C
CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls
Description:
The vulnerability allows a local attacker to gain elevated privileges on the target system.
The weakness exists due to improper access control. A local attacker can run a specially crafted application that triggers a user-mode callback and uses data from the System token to execute arbitrary code on the system with root privileges.
Successful exploitation of the vulnerability may result in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Known APT campaigns:
Operation "Russian Doll"
The operation is attributed to the Russian hacker group APT28. The group is suspected of targeting the German parliament, the French television network TV5Monde, the White House, and NATO.
Public Exploits:
- Microsoft Windows - ClientCopyImage Win32k Exploit (MS15-051) (Metasploit) [Exploit-DB]
- Microsoft Windows - Privilege Escalation (MS15-051) [Exploit-DB]
External links:
https://technet.microsoft.com/en-us/library/security/ms15-051
https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html
http://resources.infosecinstitute.com/the-shadow-of-the-russian-cyber-army-behind-the-2016-president...
http://blog.trendmicro.com/trendlabs-security-intelligence/exploring-cve-2015-1701-a-win32k-elevatio...
https://www.symantec.com/security_response/vulnerability.jsp?bid=74245
https://www.reddit.com/r/microsoft/comments/334zyo/russia_use_unpatched_cve20151701_in/
https://thehacktimes.com/cyber-espionage-operation-russian-doll/
http://www.eweek.com/security/russian-based-attackers-use-two-zero-days-in-one-attack.html