CVE-2015-2527
Windows 8, 8.1, RT, RT 8.1, Server 2012, 10 - Privilege Escalation via Win32k Impersonation
Exploitation Summary
EIP tracks 1 public exploit for CVE-2015-2527. PoCs published by Google Security Research.
AI-analyzed exploit summary: The writeup details a security bypass in Windows 8.1 and Windows 10 (Build 10130) where NtUserGetClipboardAccessToken leaks access tokens to lower-privileged users. The vulnerability bypasses the fix for CVE-2015-0078 by exploiting the IsImmersiveBroker flag, which can be set by injecting a DLL into a signed Microsoft process like LicensingUI.exe.
Description
The process-initialization implementation in win32k.sys in the kernel-mode drivers in Microsoft Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT Gold and 8.1, and Windows 10 does not properly constrain impersonation levels, which allows local users to gain privileges via a crafted application, aka "Win32k Elevation of Privilege Vulnerability."