Zero-day vulnerability in Windows

Privilege escalation
CVE-2015-1701

The vulnerability was combined with CVE-2015-3043 to perform Operation "Russian Doll".

Exploited by RussiaтАЩs APT28 (Fancy Bear APT) in cyber espionage campaign on the U.S defense contractors, European security companies and Eastern European government entities.

Vulnerability details

Advisory: SB2015051201 - Multiple vulnerabilities in Microsoft Windows

Vulnerable component: Windows

CVE-ID: CVE-2015-1701

CVSSv3 score: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Description:

The vulnerability allows a local attacker to gain elevated privileges on the target system.

The weakness exists due to improper access control. A local attacker can create a specially crafted application, execute a callback in userspace and use data from the System token to execute arbitrary code on the system with root privileges.

Successful exploitation of the vulnerability may result in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

Known APT campaigns:

Operation "Russian Doll"

The operation refers to the Russian Hacker group APT28. The hackers are suspected to target German parliament, French television network TV5Monde, the White House, and NATO.

Public Exploits:

- Microsoft Windows - ClientCopyImage Win32k Exploit (MS15-051) (Metasploit) [Exploit-DB]

- Microsoft Windows - Privilege Escalation (MS15-051) [Exploit-DB]

External links:

https://technet.microsoft.com/en-us/library/security/ms15-051
https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html http://resources.infosecinstitute.com/the-shadow-of-the-russian-cyber-army-behind-the-2016-president...
http://blog.trendmicro.com/trendlabs-security-intelligence/exploring-cve-2015-1701-a-win32k-elevatio...
https://www.symantec.com/security_response/vulnerability.jsp?bid=74245
https://www.reddit.com/r/microsoft/comments/334zyo/russia_use_unpatched_cve20151701_in/
https://thehacktimes.com/cyber-espionage-operation-russian-doll/
http://www.eweek.com/security/russian-based-attackers-use-two-zero-days-in-one-attack.html

About zero-day vulnerabilities

Zero-day vulnerability is an undisclosed vulnerability in software that hackers can exploit to compromise computer programs, gain unauthorized access to sensitive data, penetrate networks, etc. We consider vulnerability a zero-day when there is no solution provided from software vendor and the vulnerability is being actively exploited by malicious actors.

Zero-day candidate is a potential zero-day vulnerability in software which might have been used in targeted attacks, however there is no evidence to support this suggestion.