Vulnerabilities > CVE-2014-0307 - Use After Free vulnerability in Microsoft Internet Explorer 9

CVSS 0.0 - NONE

Attack vector

UNKNOWN

Attack complexity

UNKNOWN

Privileges required

UNKNOWN

Confidentiality impact

UNKNOWN

Integrity impact

UNKNOWN

Availability impact

UNKNOWN

microsoft

CWE-416

nessus

exploit available

metasploit

NVD

Published: 2014-03-12

Updated: 2024-11-21

Summary

Use-after-free vulnerability in Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a certain sequence of manipulations of a TextRange element, aka "Internet Explorer Memory Corruption Vulnerability."

Vulnerable Configurations

Part	Description	Count
Application	Microsoft Microsoft Internet Explorer 9	1

Common Weakness Enumeration (CWE)

CWE-416 - Use After Free

Exploit-Db

description	MS14-012 Internet Explorer TextRange Use-After-Free. CVE-2014-0307. Remote exploit for windows platform
file	exploits/windows/remote/32438.rb
id	EDB-ID:32438
last seen	2016-02-03
modified	2014-03-22
platform	windows
port
published	2014-03-22
reporter	metasploit
source	https://www.exploit-db.com/download/32438/
title	Microsoft Internet Explorer - TextRange Use-After-Free MS14-012
type	remote

Metasploit

description	This module exploits a use-after-free vulnerability found in Internet Explorer. The flaw was most likely introduced in 2013, therefore only certain builds of MSHTML are affected. In our testing with IE9, these vulnerable builds appear to be between 9.0.8112.16496 and 9.0.8112.16533, which implies the vulnerability shipped between August 2013, when it was introduced, until the fix issued in early March 2014.
id	MSF:EXPLOIT/WINDOWS/BROWSER/MS14_012_TEXTRANGE
last seen	2020-05-16
modified	2017-07-24
published	2014-03-18
references	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0307
reporter	Rapid7
source	https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/ms14_012_textrange.rb
title	MS14-012 Microsoft Internet Explorer TextRange Use-After-Free

Msbulletin

bulletin_id	MS14-012
bulletin_url
date	2014-03-11T00:00:00
impact	Remote Code Execution
knowledgebase_id	2925418
knowledgebase_url
severity	Critical
title	Cumulative Security Update for Internet Explorer

Nessus

NASL family	Windows : Microsoft Bulletins
NASL id	SMB_NT_MS14-012.NASL
description	The remote host is missing Internet Explorer (IE) Security Update 2925418. The installed version of IE is affected by multiple privilege escalation and memory corruption vulnerabilities that could allow an attacker to execute arbitrary code on the remote host. Additionally, the installed version of IE is affected by an information disclosure vulnerability.
last seen	2020-06-01
modified	2020-06-02
plugin id	72930
published	2014-03-11
reporter	This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/72930
title	MS14-012: Cumulative Security Update for Internet Explorer (2925418)
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(72930); script_version("1.21"); script_cvs_date("Date: 2018/11/15 20:50:31"); script_cve_id( "CVE-2014-0297", "CVE-2014-0298", "CVE-2014-0299", "CVE-2014-0302", "CVE-2014-0303", "CVE-2014-0304", "CVE-2014-0305", "CVE-2014-0306", "CVE-2014-0307", "CVE-2014-0308", "CVE-2014-0309", "CVE-2014-0311", "CVE-2014-0312", "CVE-2014-0313", "CVE-2014-0314", "CVE-2014-0321", "CVE-2014-0322", "CVE-2014-0324", "CVE-2014-4112" ); script_bugtraq_id( 65551, 66023, 66025, 66026, 66027, 66028, 66029, 66030, 66031, 66032, 66033, 66034, 66035, 66036, 66037, 66038, 66039, 66040, 70266 ); script_xref(name:"CERT", value:"732479"); script_xref(name:"EDB-ID", value:"32851"); script_xref(name:"EDB-ID", value:"32438"); script_xref(name:"EDB-ID", value:"32904"); script_xref(name:"MSFT", value:"MS14-012"); script_xref(name:"MSKB", value:"2925418"); script_name(english:"MS14-012: Cumulative Security Update for Internet Explorer (2925418)"); script_summary(english:"Checks version of Mshtml.dll"); script_set_attribute(attribute:"synopsis", value: "The remote host has a web browser that is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The remote host is missing Internet Explorer (IE) Security Update 2925418. The installed version of IE is affected by multiple privilege escalation and memory corruption vulnerabilities that could allow an attacker to execute arbitrary code on the remote host. Additionally, the installed version of IE is affected by an information disclosure vulnerability."); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-14-030/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-14-031/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-14-032/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-14-033/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-14-034/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-14-035/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-14-036/"); script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2014/ms14-012"); script_set_attribute(attribute:"solution", value: "Microsoft has released a set of patches for XP, 2003, Vista, 2008, 7, 2008 R2, 8, 2012, 8.1, and 2012 R2."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'MS14-012 Microsoft Internet Explorer CMarkup Use-After-Free'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_set_attribute(attribute:"vuln_publication_date", value:"2014/02/14"); script_set_attribute(attribute:"patch_publication_date", value:"2014/03/11"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/03/11"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows"); script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:ie"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows : Microsoft Bulletins"); script_copyright(english:"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc."); script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl"); script_require_keys("SMB/MS_Bulletin_Checks/Possible"); script_require_ports(139, 445, "Host/patch_management_checks"); exit(0); } include("audit.inc"); include("smb_hotfixes_fcheck.inc"); include("smb_hotfixes.inc"); include("smb_func.inc"); include("misc_func.inc"); get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible"); bulletin = 'MS14-012'; kb = '2925418'; kbs = make_list(kb); if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE); get_kb_item_or_exit("SMB/Registry/Enumerated"); get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1); if (hotfix_check_sp_range(xp:'3', win2003:'2', vista:'2', win7:'1', win8:'0', win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN); if (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE); rootfile = hotfix_get_systemroot(); if (!rootfile) exit(1, "Failed to get the system root."); share = hotfix_path2share(path:rootfile); if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share); if ( # Windows 8.1 / 2012 R2 # # - Internet Explorer 11 hotfix_is_vulnerable(os:"6.3", file:"Mshtml.dll", version:"11.0.9600.16521", min_version:"11.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) \|\| # Windows 8 / 2012 # # - Internet Explorer 10 hotfix_is_vulnerable(os:"6.2", file:"Mshtml.dll", version:"10.0.9200.20963", min_version:"10.0.9200.20000", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"6.2", file:"Mshtml.dll", version:"10.0.9200.16843", min_version:"10.0.9200.16000", dir:"\system32", bulletin:bulletin, kb:kb) \|\| # Windows 7 / 2008 R2 # - Internet Explorer 11 hotfix_is_vulnerable(os:"6.1", sp:1, file:"Mshtml.dll", version:"11.0.9600.16521", min_version:"11.0.9600.16000", dir:"\system32", bulletin:bulletin, kb:kb) \|\| # - Internet Explorer 10 hotfix_is_vulnerable(os:"6.1", sp:1, file:"Mshtml.dll", version:"10.0.9200.20963", min_version:"10.0.9200.20000", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"6.1", sp:1, file:"Mshtml.dll", version:"10.0.9200.16843", min_version:"10.0.9200.16000", dir:"\system32", bulletin:bulletin, kb:kb) \|\| # - Internet Explorer 9 hotfix_is_vulnerable(os:"6.1", sp:1, file:"Mshtml.dll", version:"9.0.8112.20651", min_version:"9.0.8112.20000", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"6.1", sp:1, file:"Mshtml.dll", version:"9.0.8112.16540", min_version:"9.0.8112.16000", dir:"\system32", bulletin:bulletin, kb:kb) \|\| # - Internet Explorer 8 hotfix_is_vulnerable(os:"6.1", sp:1, file:"Mshtml.dll", version:"8.0.7601.22597", min_version:"8.0.7601.22000", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"6.1", sp:1, file:"Mshtml.dll", version:"8.0.7601.18392", min_version:"8.0.7601.17000", dir:"\system32", bulletin:bulletin, kb:kb) \|\| # Vista / 2008 # # - Internet Explorer 9 hotfix_is_vulnerable(os:"6.0", sp:2, file:"Mshtml.dll", version:"9.0.8112.20651", min_version:"9.0.8112.20000", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"6.0", sp:2, file:"Mshtml.dll", version:"9.0.8112.16540", min_version:"9.0.8112.16000", dir:"\system32", bulletin:bulletin, kb:kb) \|\| # - Internet Explorer 8 hotfix_is_vulnerable(os:"6.0", sp:2, file:"Mshtml.dll", version:"8.0.6001.23569", min_version:"8.0.6001.23000", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"6.0", sp:2, file:"Mshtml.dll", version:"8.0.6001.19507", min_version:"8.0.6001.18000", dir:"\system32", bulletin:bulletin, kb:kb) \|\| # - Internet Explorer 7 hotfix_is_vulnerable(os:"6.0", sp:2, file:"Mshtml.dll", version:"7.0.6002.23330", min_version:"7.0.6002.23000", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"6.0", sp:2, file:"Mshtml.dll", version:"7.0.6002.19041", min_version:"7.0.6002.18000", dir:"\system32", bulletin:bulletin, kb:kb) \|\| # Windows 2003 / XP 64-bit # # - Internet Explorer 8 hotfix_is_vulnerable(os:"5.2", sp:2, file:"Mshtml.dll", version:"8.0.6001.23569", min_version:"8.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) \|\| # - Internet Explorer 7 hotfix_is_vulnerable(os:"5.2", sp:2, file:"Mshtml.dll", version:"7.0.6000.21371", min_version:"7.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) \|\| # - Internet Explorer 6 hotfix_is_vulnerable(os:"5.2", sp:2, file:"Mshtml.dll", version:"6.0.3790.5294", min_version:"6.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) \|\| # Windows XP x86 # # - Internet Explorer 8 hotfix_is_vulnerable(os:"5.1", sp:3, file:"Mshtml.dll", version:"8.0.6001.23569", min_version:"8.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) \|\| # - Internet Explorer 7 hotfix_is_vulnerable(os:"5.1", sp:3, file:"Mshtml.dll", version:"7.0.6000.21371", min_version:"7.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) \|\| # - Internet Explorer 6 hotfix_is_vulnerable(os:"5.1", sp:3, file:"Mshtml.dll", version:"6.0.2900.6512", min_version:"6.0.2900.0", dir:"\system32", bulletin:bulletin, kb:kb) ) { set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE); hotfix_security_hole(); hotfix_check_fversion_end(); exit(0); } else { hotfix_check_fversion_end(); audit(AUDIT_HOST_NOT, 'affected'); }

Packetstorm

data source	https://packetstormsecurity.com/files/download/125813/ms14_012_textrange.rb.txt
id	PACKETSTORM:125813
last seen	2016-12-05
published	2014-03-20
reporter	Jason Kratzer
source	https://packetstormsecurity.com/files/125813/MS14-012-Internet-Explorer-TextRange-Use-After-Free.html
title	MS14-012 Internet Explorer TextRange Use-After-Free

Seebug

bulletinFamily	exploit
description	BUGTRAQ ID: 66032 CVE(CAN) ID: CVE-2014-0307 Internet Explorer是微软公司推出的一款网页浏览器。 Internet Explorer 没有正确访问内存对象，在实现上存在远程代码执行漏洞，成功利用后可破坏内存，在当前用户权限下执行任意代码。 0 Microsoft Internet Explorer 6-11 厂商补丁： Microsoft --------- Microsoft已经为此发布了一个安全公告（MS14-012）以及相应补丁: MS14-012：Cumulative Security Update for Internet Explorer (2925418) 链接：http://technet.microsoft.com/security/bulletin/MS14-012
id	SSV:61762
last seen	2017-11-19
modified	2014-03-12
published	2014-03-12
reporter	Root
title	Microsoft Internet Explorer内存破坏漏洞(CVE-2014-0307)

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Exploit-Db

Metasploit

Msbulletin

Nessus

Packetstorm

Seebug

References