{"id":67521,"date":"2016-12-29T16:19:30","date_gmt":"2016-12-30T00:19:30","guid":{"rendered":"https:\/\/securingtomorrow.mcafee.com\/?p=67521"},"modified":"2025-05-29T03:39:26","modified_gmt":"2025-05-29T10:39:26","slug":"digging-windows-kernel-privilege-escalation-vulnerability-cve-2016-7255","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/digging-windows-kernel-privilege-escalation-vulnerability-cve-2016-7255\/","title":{"rendered":"Digging Into a Windows Kernel Privilege Escalation Vulnerability: CVE-2016-7255"},"content":{"rendered":"<p><em>This blog was written by Stanley Zhu.<\/em><\/p>\n<p>The Windows kernel privilege escalation vulnerability CVE-2016-7255 has received a lot of media attention. On November\u2019s Patch Tuesday, Microsoft released a fix for this vulnerability as part of bulletin MS16-135. CVE-2016-7255 was used to perform a targeted attack and a sample was found in the wild, according to Microsoft. Google and Microsoft have already confirmed the Russian hacker group APT28 used a Flash vulnerability (CVE-2016-7855) along with this kernel privilege escalation flaw to perform a targeted attack. Google has also discussed this vulnerability.<\/p>\n<ul>\n<li><a href=\"https:\/\/security.googleblog.com\/2016\/10\/disclosing-vulnerabilities-to-protect.html\">https:\/\/security.googleblog.com\/2016\/10\/disclosing-vulnerabilities-to-protect.html<\/a><\/li>\n<li><a href=\"https:\/\/threatpost.com\/microsoft-says-russian-apt-group-behind-zero-day-attacks\/121722\/\">https:\/\/threatpost.com\/microsoft-says-russian-apt-group-behind-zero-day-attacks\/121722\/<\/a><\/li>\n<li><a href=\"http:\/\/securityaffairs.co\/wordpress\/53242\/hacking\/cve-2016-7255-zero-day.html\">http:\/\/securityaffairs.co\/wordpress\/53242\/hacking\/cve-2016-7255-zero-day.html<\/a><\/li>\n<\/ul>\n<p>The vulnerability research team at McAfee Labs has spent a significant amount of time analyzing this vulnerability. 
In this post we will briefly discuss some of our findings.<\/p>\n<p>We started our analysis with the patch of MS16-135, and very soon we noticed that MS16-135 updated win32k.sys on the target system. Our investigation continued with the comparison (via binary diffing) of the two win32k.sys files (before and after installing the patch). Our test system ran Windows 7 Version 6.1.7601.23584.<\/p>\n<p>Looking at the binary diffing results, we noticed the following functions were modified.<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2016-12-29-CVE-2016-7255-1.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-67534 size-full\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2016-12-29-CVE-2016-7255-1.png\" alt=\"2016-12-29-cve-2016-7255-1\" width=\"1253\" height=\"479\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2016-12-29-CVE-2016-7255-1.png 1253w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2016-12-29-CVE-2016-7255-1-300x115.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2016-12-29-CVE-2016-7255-1-768x294.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2016-12-29-CVE-2016-7255-1-1024x391.png 1024w\" sizes=\"auto, (max-width: 1253px) 100vw, 1253px\" \/><\/a><\/p>\n<p><em>Figure 1: The changed function xxxNextWindow in win32k.sys.<\/em><\/p>\n<p>After some preliminary investigation we concluded the patch for CVE-2016-7255 was applied solely in the function xxxNextWindow in win32k.sys.<\/p>\n<p>The following screenshot shows a very high-level overview of the changes made to xxxNextWindow(x,x):<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2016-12-29-CVE-2016-7255-2.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-67533 size-full\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2016-12-29-CVE-2016-7255-2.png\" alt=\"2016-12-29-cve-2016-7255-2\" width=\"1110\" 
height=\"542\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2016-12-29-CVE-2016-7255-2.png 1110w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2016-12-29-CVE-2016-7255-2-300x146.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2016-12-29-CVE-2016-7255-2-768x375.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2016-12-29-CVE-2016-7255-2-1024x500.png 1024w\" sizes=\"auto, (max-width: 1110px) 100vw, 1110px\" \/><\/a><\/p>\n<p><em>Figure 2: High-level diffing results in the function xxxNextWindow.<\/em><\/p>\n<p>We can see some new logic has been added (highlighted in red) to the middle of the patched function. Zooming into the first newly inserted basic block, we can see that the newly introduced code compares the value at eax+0x23.<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2016-12-29-CVE-2016-7255-3.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-67532 size-full\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2016-12-29-CVE-2016-7255-3.png\" alt=\"2016-12-29-cve-2016-7255-3\" width=\"1080\" height=\"541\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2016-12-29-CVE-2016-7255-3.png 1080w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2016-12-29-CVE-2016-7255-3-300x150.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2016-12-29-CVE-2016-7255-3-768x385.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2016-12-29-CVE-2016-7255-3-1024x513.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2016-12-29-CVE-2016-7255-3-998x500.png 998w\" sizes=\"auto, (max-width: 1080px) 100vw, 1080px\" \/><\/a><\/p>\n<p><em>Figure 3: The first inserted basic block in xxxNextWindow.<\/em><\/p>\n<p>We see similar logic in the next newly inserted basic block.<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2016-12-29-CVE-2016-7255-4.png\"><img 
loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-67531 size-full\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2016-12-29-CVE-2016-7255-4.png\" alt=\"2016-12-29-cve-2016-7255-4\" width=\"1102\" height=\"484\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2016-12-29-CVE-2016-7255-4.png 1102w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2016-12-29-CVE-2016-7255-4-300x132.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2016-12-29-CVE-2016-7255-4-768x337.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2016-12-29-CVE-2016-7255-4-1024x450.png 1024w\" sizes=\"auto, (max-width: 1102px) 100vw, 1102px\" \/><\/a><\/p>\n<p><em>Figure 4: The second inserted basic block in xxxNextWindow.<\/em><\/p>\n<p>Google has stated the vulnerability \u201ccan be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD.\u201d<\/p>\n<p>In fact, NtSetWindowLongPtr only helps trigger this vulnerability, while the root cause lies in xxxNextWindow. 
More specifically, the inappropriate parameters set by NtSetWindowLongPtr can trigger an \u201carbitrary address write\u201d scenario in xxxNextWindow.<\/p>\n<p>Now let\u2019s take a look at the decompiled version of the unpatched xxxNextWindow(x,x\u2026).<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2016-12-29-CVE-2016-7255-5.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-67530 size-full\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2016-12-29-CVE-2016-7255-5.png\" alt=\"2016-12-29-cve-2016-7255-5\" width=\"596\" height=\"354\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2016-12-29-CVE-2016-7255-5.png 596w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2016-12-29-CVE-2016-7255-5-300x178.png 300w\" sizes=\"auto, (max-width: 596px) 100vw, 596px\" \/><\/a><\/p>\n<p><em>Figure 5: The decompiled version of the unpatched xxxNextWindow.<\/em><\/p>\n<p>After the patch is applied, xxxNextWindow(x,x\u2026) looks like this:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2016-12-29-CVE-2016-7255-6.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-67529 size-full\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2016-12-29-CVE-2016-7255-6.png\" alt=\"2016-12-29-cve-2016-7255-6\" width=\"766\" height=\"395\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2016-12-29-CVE-2016-7255-6.png 766w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2016-12-29-CVE-2016-7255-6-300x155.png 300w\" sizes=\"auto, (max-width: 766px) 100vw, 766px\" \/><\/a><\/p>\n<p><em>Figure 6: The decompiled version of the patched xxxNextWindow.<\/em><\/p>\n<p>The patched code adds a parameter check in the form of the conditional branch statement \u201c(*(_BYTE *)(v8 + 0x23) &amp; 0xC0) != 0x40.\u201d<\/p>\n<p>In this new statement, variable v8 (in eax) is the return value of a previous 
GetNextQueueWindow call. (See the following figure.)<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2016-12-29-CVE-2016-7255-7.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-67528 size-full\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2016-12-29-CVE-2016-7255-7.png\" alt=\"2016-12-29-cve-2016-7255-7\" width=\"640\" height=\"527\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2016-12-29-CVE-2016-7255-7.png 640w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2016-12-29-CVE-2016-7255-7-300x247.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2016-12-29-CVE-2016-7255-7-607x500.png 607w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 7: Variable v8 comes from a call to GetNextQueueWindow: \u201cv8 = _GetNextQueueWindow(v7, v31, 1);\u201d<\/em><\/p>\n<p>A quick look at the implementation of _GetNextQueueWindow(x,x,x,\u2026) reveals that the function actually returns a pointer to a tagWND structure.<\/p>\n<p>The following screenshot shows the tagWND structure in WinDbg:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2016-12-29-CVE-2016-7255-8.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-67527 size-full\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2016-12-29-CVE-2016-7255-8.png\" alt=\"2016-12-29-cve-2016-7255-8\" width=\"749\" height=\"1147\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2016-12-29-CVE-2016-7255-8.png 749w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2016-12-29-CVE-2016-7255-8-196x300.png 196w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2016-12-29-CVE-2016-7255-8-669x1024.png 669w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2016-12-29-CVE-2016-7255-8-327x500.png 327w\" sizes=\"auto, (max-width: 749px) 100vw, 749px\" \/><\/a><\/p>\n<p><em>Figure 8: The structure of 
tagWND.<\/em><\/p>\n<p>Analyzing this code, we can see that the field at offset 0x78 in the tagWND structure is the one relevant to the vulnerability. The following lines of decompiled code from the unpatched function show how that field is used:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2016-12-29-CVE-2016-7255-9.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-67526 size-full\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2016-12-29-CVE-2016-7255-9.png\" alt=\"2016-12-29-cve-2016-7255-9\" width=\"669\" height=\"203\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2016-12-29-CVE-2016-7255-9.png 669w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2016-12-29-CVE-2016-7255-9-300x91.png 300w\" sizes=\"auto, (max-width: 669px) 100vw, 669px\" \/><\/a><\/p>\n<p><em>Figure 9: Problematic code in the unpatched xxxNextWindow.<\/em><\/p>\n<p>Now the problem becomes simple: if we can control the value at v8+0x78, we can write to an arbitrary address in kernel land, which could potentially allow elevation of privilege. 
Luckily, a user-mode API (NtSetWindowLongPtr) is available to set an arbitrary value in that position.<\/p>\n<p>The following screenshot shows that the value (0x41414141) we passed to NtSetWindowLongPtr is reflected in the tagWND structure, making it easy to gain an arbitrary memory write through this vulnerability.<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2016-12-29-CVE-2016-7255-10.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-67525 size-full\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2016-12-29-CVE-2016-7255-10.png\" alt=\"2016-12-29-cve-2016-7255-10\" width=\"516\" height=\"252\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2016-12-29-CVE-2016-7255-10.png 516w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2016-12-29-CVE-2016-7255-10-300x147.png 300w\" sizes=\"auto, (max-width: 516px) 100vw, 516px\" \/><\/a><\/p>\n<p><em>Figure 10: An arbitrary value is set in the tagWND structure.<\/em><\/p>\n<p>To trigger the vulnerability, the <strong>WS_CHILD<\/strong> style must be set on the newly created window, and its <strong>GWLP_ID<\/strong> attribute must be set with the help of the API NtSetWindowLongPtr(). The last hurdle is then to reach xxxNextWindow. After some research, we found we can trigger it by pressing the Alt+Tab key combination or by simulating the key press with the keybd_event API.<\/p>\n<p>Now that we understand the root cause of this vulnerability at a high level, let\u2019s try reproducing it. 
We will create a simple window and populate some values in its tagWND structure.<\/p>\n<p style=\"padding-left: 30px;\">HWND hwnd = CreateWindowEx(0, L&quot;TestWnd&quot;, 0, WS_OVERLAPPEDWINDOW | WS_VISIBLE | WS_CHILD, 5, 5, 1, 1, hWndParent, 0 \/* hMenu *\/, h, 0);<\/p>\n<p style=\"padding-left: 30px;\">SetWindowLongPtr(hwnd, GWLP_ID \/* 0xfffffff4 *\/, 0x41414141);<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2016-12-29-CVE-2016-7255-11.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-67524 size-full\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2016-12-29-CVE-2016-7255-11.png\" alt=\"2016-12-29-cve-2016-7255-11\" width=\"932\" height=\"438\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2016-12-29-CVE-2016-7255-11.png 932w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2016-12-29-CVE-2016-7255-11-300x141.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2016-12-29-CVE-2016-7255-11-768x361.png 768w\" sizes=\"auto, (max-width: 932px) 100vw, 932px\" \/><\/a><\/p>\n<p><em>Figure 11: Debugging the vulnerable function xxxNextWindow.<\/em><\/p>\n<p>The preceding screenshot shows the live debugging output. Here the ebx register holds the pointer to the tagWND structure, and a write violation will occur very soon. 
As you can see in the following figure, the destination of the offending instruction is exactly the address we previously passed in via the NtSetWindowLongPtr API, plus 0x14; this perfectly illustrates an arbitrary address write.<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2016-12-29-CVE-2016-7255-12.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-67523 size-full\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2016-12-29-CVE-2016-7255-12.png\" alt=\"2016-12-29-cve-2016-7255-12\" width=\"946\" height=\"590\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2016-12-29-CVE-2016-7255-12.png 946w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2016-12-29-CVE-2016-7255-12-300x187.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2016-12-29-CVE-2016-7255-12-768x479.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2016-12-29-CVE-2016-7255-12-802x500.png 802w\" sizes=\"auto, (max-width: 946px) 100vw, 946px\" \/><\/a><\/p>\n<p><em>Figure 12: Scenario for an arbitrary address write attack.<\/em><\/p>\n<p>Let\u2019s return to Microsoft\u2019s patch, which starts by checking the value at offset 0x23 of the tagWND structure. In the patched code, we can see the newly introduced statement<\/p>\n<p style=\"padding-left: 30px;\">(*(_BYTE *)(v8 + 0x23) &amp; 0xC0) != 0x40<\/p>\n<p>In the patched version of the function, ebx points to the tagWND structure, and in our test the byte at ebx + 0x23 is 0x54, so:<\/p>\n<p style=\"padding-left: 30px;\">0x54 &amp; 0xC0 = 0x40 ; (1)<\/p>\n<p style=\"padding-left: 30px;\">0x40 != 0x40 ; (2)<\/p>\n<p>Now this statement becomes false. 
Therefore, the program skips the following code lines that attempt to modify memory, and avoids the program crash (the write access violation).<\/p>\n<p style=\"padding-left: 30px;\">*(_DWORD *)(*(_DWORD *)(v30 + 0x78) + 0x14) &amp;= 0xFFFFFFFB;<\/p>\n<p style=\"padding-left: 30px;\">*(_DWORD *)(*(_DWORD *)(v8 + 0x78) + 0x14) |= 4u;<\/p>\n<p>How can this vulnerability be exploited to achieve a privilege escalation? Rather than writing an arbitrary value to an arbitrary address, this vulnerability can change only one bit: the DWORD at the chosen address is logically OR-ed with 0x04. Because the target address can be chosen with byte granularity, that single bit can land in any of the four byte positions, as shown below:<\/p>\n<p style=\"padding-left: 30px;\">Value = Value | 0x04;<\/p>\n<p style=\"padding-left: 30px;\">Value = Value | 0x0400;<\/p>\n<p style=\"padding-left: 30px;\">Value = Value | 0x040000;<\/p>\n<p style=\"padding-left: 30px;\">Value = Value | 0x04000000;<\/p>\n<p>In this case, if the attacker can find a certain array of objects in kernel land and use this logical OR primitive to enlarge the index of the object array (such as tagWnd-&gt;cbWndExtra) to cause an out-of-bounds access, the attacker will be able to gain arbitrary address read\/write ability from user mode (by using some user-mode APIs). We currently know some exploitation techniques of this kind, such as GetBitmapBits\/SetBitmapBits (first discovered by KeenTeam) or SetWindowText\/GetWindowText.<\/p>\n<h2>Final Thoughts<\/h2>\n<p>Today, privilege escalation using a kernel-mode vulnerability is still the primary vector to break application sandboxes (Internet Explorer\u2019s EPM or Edge\u2019s AppContainer). This path has been well demonstrated by most successful in-the-wild exploits targeting Internet Explorer\/Edge\/Adobe Reader and Flash that we have seen. Against current versions of Windows, with multilayer defenses, escaping the sandbox with a kernel escalation of privilege is still the attacker\u2019s first choice. 
KeUserModeCallback used to be a very popular type of Windows kernel-mode vulnerability that can lead to kernel-mode code execution, as we saw in CVE-2014-4113 and CVE-2015-0057. Microsoft\u2019s work on addressing kernel vulnerabilities and adding more mitigation security features has led to a decline in this type of attack. In response, attackers have begun to look into kernel font and GDI vulnerabilities. Windows 10 has already restricted win32k calls in Edge, which significantly reduces the attack surface. And Microsoft has also fixed the kernel memory information disclosure issue that leverages the GDI shared handle table. No doubt, kernel exploitation will become more and more difficult. However, we foresee that attackers will still use win32k as the main attack surface to exploit the kernel to achieve code execution or elevation of privilege. The battle will continue around this hot spot for both attackers and defenders.<\/p>\n<p><em>I thank my colleagues Bing Sun and Debasish Mandal for their help with this post.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>This blog was written by Stanley Zhu. 
The Windows kernel privilege escalation vulnerability CVE-2016-7255 has received a lot of media&#8230;<\/p>\n","protected":false},"author":695,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[1814,4452,4827],"coauthors":[4136],"class_list":["post-67521","post","type-post","status-publish","format-standard","hentry","category-mcafee-labs","tag-computer-security","tag-cybersecurity","tag-vulnerability"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v25.4 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Digging Into a Windows Kernel Privilege Escalation Vulnerability: CVE-2016-7255 | McAfee Blog<\/title>\n<meta name=\"description\" content=\"This blog was written by Stanley Zhu. The Windows kernel privilege escalation vulnerability CVE-2016-7255 has received a lot of media attention. On\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Digging Into a Windows Kernel Privilege Escalation Vulnerability: CVE-2016-7255 | McAfee Blog\" \/>\n<meta property=\"og:description\" content=\"This blog was written by Stanley Zhu. The Windows kernel privilege escalation vulnerability CVE-2016-7255 has received a lot of media attention. 
On\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/digging-windows-kernel-privilege-escalation-vulnerability-cve-2016-7255\/\" \/>\n<meta property=\"og:site_name\" content=\"McAfee Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:author\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:published_time\" content=\"2016-12-30T00:19:30+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-05-29T10:39:26+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2016-12-29-CVE-2016-7255-1.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1253\" \/>\n\t<meta property=\"og:image:height\" content=\"479\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"McAfee Labs\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@McAfee_Labs\" \/>\n<meta name=\"twitter:site\" content=\"@McAfee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"McAfee Labs\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/digging-windows-kernel-privilege-escalation-vulnerability-cve-2016-7255\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/digging-windows-kernel-privilege-escalation-vulnerability-cve-2016-7255\/\"},\"author\":{\"name\":\"McAfee Labs\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad\"},\"headline\":\"Digging Into a Windows Kernel Privilege Escalation Vulnerability: CVE-2016-7255\",\"datePublished\":\"2016-12-30T00:19:30+00:00\",\"dateModified\":\"2025-05-29T10:39:26+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/digging-windows-kernel-privilege-escalation-vulnerability-cve-2016-7255\/\"},\"wordCount\":1365,\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/digging-windows-kernel-privilege-escalation-vulnerability-cve-2016-7255\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2016-12-29-CVE-2016-7255-1.png\",\"keywords\":[\"computer security\",\"cybersecurity\",\"vulnerability\"],\"articleSection\":[\"McAfee Labs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/digging-windows-kernel-privilege-escalation-vulnerability-cve-2016-7255\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/digging-windows-kernel-privilege-escalation-vulnerability-cve-2016-7255\/\",\"name\":\"Digging Into a Windows Kernel Privilege Escalation Vulnerability: CVE-2016-7255 | McAfee 
Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/digging-windows-kernel-privilege-escalation-vulnerability-cve-2016-7255\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/digging-windows-kernel-privilege-escalation-vulnerability-cve-2016-7255\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2016-12-29-CVE-2016-7255-1.png\",\"datePublished\":\"2016-12-30T00:19:30+00:00\",\"dateModified\":\"2025-05-29T10:39:26+00:00\",\"description\":\"This blog was written by Stanley Zhu. The Windows kernel privilege escalation vulnerability CVE-2016-7255 has received a lot of media attention. On\",\"breadcrumb\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/digging-windows-kernel-privilege-escalation-vulnerability-cve-2016-7255\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/digging-windows-kernel-privilege-escalation-vulnerability-cve-2016-7255\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/digging-windows-kernel-privilege-escalation-vulnerability-cve-2016-7255\/#primaryimage\",\"url\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2016-12-29-CVE-2016-7255-1.png\",\"contentUrl\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2016-12-29-CVE-2016-7255-1.png\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/digging-windows-kernel-privilege-escalation-vulnerability-cve-2016-7255\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Other 
Blogs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"McAfee Labs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Digging Into a Windows Kernel Privilege Escalation Vulnerability: CVE-2016-7255\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"name\":\"McAfee Blog\",\"description\":\"Internet Security News\",\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\",\"name\":\"McAfee\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"width\":1286,\"height\":336,\"caption\":\"McAfee\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.youtube.com\/McAfee\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad\",\"name\":\"McAfee 
Labs\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/af947d76ffbef8521094b476cf8050c3\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg\",\"caption\":\"McAfee Labs\"},\"description\":\"McAfee Labs is one of the leading sources for threat research, threat intelligence, and cybersecurity thought leadership. See our blog posts below for more information.\",\"sameAs\":[\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee_Labs\"],\"url\":\"https:\/\/www.mcafee.com\/blogs\/author\/mcafee-labs\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->"}