ID CVE-2016-0041
Summary Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold and 1511, and Internet Explorer 10 and 11 mishandle DLL loading, which allows local users to gain privileges via a crafted application, aka "DLL Loading Remote Code Execution Vulnerability."
References
Vulnerable Configurations
  • Microsoft Internet Explorer 10
    cpe:2.3:a:microsoft:internet_explorer:10
  • Microsoft Internet Explorer 11
    cpe:2.3:a:microsoft:internet_explorer:11
  • cpe:2.3:o:microsoft:windows_10
    cpe:2.3:o:microsoft:windows_10
  • cpe:2.3:o:microsoft:windows_10:1511
    cpe:2.3:o:microsoft:windows_10:1511
  • cpe:2.3:o:microsoft:windows_7:-:sp1
    cpe:2.3:o:microsoft:windows_7:-:sp1
  • cpe:2.3:o:microsoft:windows_8.1
    cpe:2.3:o:microsoft:windows_8.1
  • Microsoft Windows RT 8.1
    cpe:2.3:o:microsoft:windows_rt_8.1
  • Microsoft Windows Server 2008 Service Pack 2
    cpe:2.3:o:microsoft:windows_server_2008:-:sp2
  • Microsoft Windows Server 2008 R2 Service Pack 1
    cpe:2.3:o:microsoft:windows_server_2008:r2:sp1
  • Microsoft Windows Server 2012
    cpe:2.3:o:microsoft:windows_server_2012
  • cpe:2.3:o:microsoft:windows_server_2012:r2
    cpe:2.3:o:microsoft:windows_server_2012:r2
  • Microsoft Windows Vista Service Pack 2
    cpe:2.3:o:microsoft:windows_vista:-:sp2
CVSS
Base: 7.2 (as of 12-08-2016 - 11:00)
Impact:
Exploitability:
Access
VectorComplexityAuthentication
LOCAL LOW NONE
Impact
ConfidentialityIntegrityAvailability
COMPLETE COMPLETE COMPLETE
exploit-db via4
description Microsoft Office - OLE Multiple DLL Side Loading Vulnerabilities (MS15-132/MS16-014/MS16-025/MS16-041/MS16-070) (Metasploit). CVE-2015-6128,CVE-2015-6132,CVE...
id EDB-ID:41706
last seen 2017-03-23
modified 2015-12-08
published 2015-12-08
reporter Exploit-DB
source https://www.exploit-db.com/download/41706/
title Microsoft Office - OLE Multiple DLL Side Loading Vulnerabilities (MS15-132/MS16-014/MS16-025/MS16-041/MS16-070) (Metasploit)
metasploit via4
description Multiple DLL side loading vulnerabilities were found in various COM components. These issues can be exploited by loading various these components as an embedded OLE object. When instantiating a vulnerable object Windows will try to load one or more DLLs from the current working directory. If an attacker convinces the victim to open a specially crafted (Office) document from a directory also containing the attacker's DLL file, it is possible to execute arbitrary code with the privileges of the target user. This can potentially result in the attacker taking complete control of the affected system.
id MSF:EXPLOIT/WINDOWS/FILEFORMAT/OFFICE_OLE_MULTIPLE_DLL_HIJACK
last seen 2019-03-28
modified 2017-07-24
published 2016-08-09
reliability Normal
reporter Rapid7
source https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/fileformat/office_ole_multiple_dll_hijack.rb
title Office OLE Multiple DLL Side Loading Vulnerabilities
msbulletin via4
  • bulletin_id MS16-009
    bulletin_url
    date 2016-02-09T00:00:00
    impact Remote Code Execution
    knowledgebase_id 3134220
    knowledgebase_url
    severity Critical
    title Cumulative Security Update for Internet Explorer
  • bulletin_id MS16-014
    bulletin_url
    date 2016-02-09T00:00:00
    impact Remote Code Execution
    knowledgebase_id 3134228
    knowledgebase_url
    severity Important
    title Security Update for Microsoft Windows to Address Remote Code Execution
nessus via4
  • NASL family Windows : Microsoft Bulletins
    NASL id SMB_NT_MS16-009.NASL
    description The version of Internet Explorer installed on the remote host is missing Cumulative Security Update 3134220. It is, therefore, affected by multiple vulnerabilities : - A remote code execution vulnerability exists due to improper validation of input when loading dynamic link library (DLL) files. A local attacker can exploit this, via a specially crafted application, to execute arbitrary code. (CVE-2016-0041) - An information disclosure vulnerability exists in the Hyperlink Object Library due to improper handling of objects in memory. A remote attacker can exploit this by convincing a user to click a link in an email or Office file, resulting in the disclosure of memory contents. (CVE-2016-0059) - Multiple remote code execution vulnerabilities exist due to improper handling of objects in memory. A remote attacker can exploit these vulnerabilities by convincing a user to visit a specially crafted website, resulting in the execution of arbitrary code in the context of the current user. (CVE-2016-0060, CVE-2016-0061, CVE-2016-0062, CVE-2016-0063, CVE-2016-0064, CVE-2016-0067, CVE-2016-0071, CVE-2016-0072) - A spoofing vulnerability exists due to improper parsing of HTTP responses. An unauthenticated, remote attacker can exploit this, via a specially crafted URL, to redirect a user to a malicious website. (CVE-2016-0077) - Multiple elevation of privilege vulnerabilities exist due to improper enforcement of cross-domain policies. An unauthenticated, remote attacker can exploit this by convincing a user to visit a specially crafted website, resulting in an elevation of privilege. (CVE-2016-0068, CVE-2016-0069)
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 88642
    published 2016-02-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=88642
    title MS16-009: Cumulative Security Update for Internet Explorer (3134220)
  • NASL family Windows : Microsoft Bulletins
    NASL id SMB_NT_MS16-014.NASL
    description The remote Windows host is missing a security update. It is, therefore, affected by multiple vulnerabilities : - An elevation of privilege vulnerability exists in the Windows kernel due to improper handling of objects in memory. A local attacker can exploit this, via a crafted application, to run arbitrary code in kernel mode and therefore take control of the affected system. (CVE-2016-0040) - Multiple code execution vulnerabilities exist due to improper validation of user-supplied input when loading DLL files. A local attacker can exploit these, via a specially crafted application, to execute arbitrary code. (CVE-2016-0041, CVE-2016-0042) - A denial of service vulnerability exists in Microsoft Sync Framework due to improper processing of crafted input that uses the 'change batch' structure. An authenticated, remote attacker can exploit this, via specially crafted packets sent to the SyncShareSvc service, to cause the service to stop responding. (CVE-2016-0044) - A security feature bypass vulnerability exists when Kerberos fails to check the password change of a user signing into a workstation. An attacker can exploit this, by connecting the workstation to a malicious Kerberos Key distribution Center, to bypass Kerberos authentication on a target machine, thus allowing decryption of drives protected by BitLocker. (CVE-2016-0049)
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 88646
    published 2016-02-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=88646
    title MS16-014: Security Update for Microsoft Windows to Address Remote Code Execution (3134228)
packetstorm via4
data source https://packetstormsecurity.com/files/download/139671/office_ole_multiple_dll_hijack.rb.txt
id PACKETSTORM:139671
last seen 2016-12-05
published 2016-11-10
reporter Yorick Koster
source https://packetstormsecurity.com/files/139671/Office-OLE-DLL-Hijacking.html
title Office OLE DLL Hijacking
refmap via4
fulldisc 20160210 NPS Datastore server DLL side loading vulnerability
misc https://www.securify.nl/advisory/SFY20150905/nps_datastore_server_dll_side_loading_vulnerability.html
ms
  • MS16-009
  • MS16-014
sectrack
  • 1034971
  • 1034985
Last major update 05-12-2016 - 22:04
Published 10-02-2016 - 06:59
Last modified 12-10-2018 - 18:10
Back to Top