CVE-2014-0322 - Use After Free vulnerability in Microsoft Internet Explorer 10/9
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | HIGH |
Integrity impact | HIGH |
Availability impact | HIGH |
Summary
Use-after-free vulnerability in Microsoft Internet Explorer 9 and 10 allows remote attackers to execute arbitrary code via vectors involving crafted JavaScript code, CMarkup, and the onpropertychange attribute of a script element, as exploited in the wild in January and February 2014.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 2 |
OS | | 7 |
Common Weakness Enumeration (CWE)
Exploit-Db
description | Microsoft Internet Explorer 10 - CMarkup Use-After-Free (MS14-012). CVE-2014-0322. Remote exploit for windows platform |
file | exploits/windows/remote/32851.html |
id | EDB-ID:32851 |
last seen | 2016-02-03 |
modified | 2014-04-14 |
platform | windows |
port | |
published | 2014-04-14 |
reporter | Jean-Jamil Khalife |
source | https://www.exploit-db.com/download/32851/ |
title | Microsoft Internet Explorer 10 - CMarkup Use-After-Free MS14-012 |
type | remote |

description | MS14-012 Microsoft Internet Explorer CMarkup Use-After-Free. CVE-2014-0322. Remote exploit for windows platform |
file | exploits/windows/remote/32904.rb |
id | EDB-ID:32904 |
last seen | 2016-02-03 |
modified | 2014-04-16 |
platform | windows |
port | |
published | 2014-04-16 |
reporter | metasploit |
source | https://www.exploit-db.com/download/32904/ |
title | Microsoft Internet Explorer - CMarkup Use-After-Free MS14-012 |
type | remote |
Metasploit
description | This module exploits a use after free condition on Internet Explorer as used in the wild as part of "Operation SnowMan" in February 2014. The module uses Flash Player 12 in order to bypass ASLR and DEP. |
id | MSF:EXPLOIT/WINDOWS/BROWSER/MS14_012_CMARKUP_UAF |
last seen | 2020-05-22 |
modified | 2017-07-24 |
published | 2014-04-15 |
references | |
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/ms14_012_cmarkup_uaf.rb |
title | MS14-012 Microsoft Internet Explorer CMarkup Use-After-Free |
Msbulletin
bulletin_id | MS14-012 |
bulletin_url | |
date | 2014-03-11T00:00:00 |
impact | Remote Code Execution |
knowledgebase_id | 2925418 |
knowledgebase_url | |
severity | Critical |
title | Cumulative Security Update for Internet Explorer |
Nessus
NASL family | Windows : Microsoft Bulletins |
NASL id | SMB_NT_MS14-012.NASL |
description | The remote host is missing Internet Explorer (IE) Security Update 2925418. The installed version of IE is affected by multiple privilege escalation and memory corruption vulnerabilities that could allow an attacker to execute arbitrary code on the remote host. Additionally, the installed version of IE is affected by an information disclosure vulnerability. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 72930 |
published | 2014-03-11 |
reporter | This script is Copyright (C) 2014-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/72930 |
title | MS14-012: Cumulative Security Update for Internet Explorer (2925418) |
code |

```
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(72930);
  script_version("1.21");
  script_cvs_date("Date: 2018/11/15 20:50:31");

  script_cve_id(
    "CVE-2014-0297",
    "CVE-2014-0298",
    "CVE-2014-0299",
    "CVE-2014-0302",
    "CVE-2014-0303",
    "CVE-2014-0304",
    "CVE-2014-0305",
    "CVE-2014-0306",
    "CVE-2014-0307",
    "CVE-2014-0308",
    "CVE-2014-0309",
    "CVE-2014-0311",
    "CVE-2014-0312",
    "CVE-2014-0313",
    "CVE-2014-0314",
    "CVE-2014-0321",
    "CVE-2014-0322",
    "CVE-2014-0324",
    "CVE-2014-4112"
  );
  script_bugtraq_id(
    65551,
    66023,
    66025,
    66026,
    66027,
    66028,
    66029,
    66030,
    66031,
    66032,
    66033,
    66034,
    66035,
    66036,
    66037,
    66038,
    66039,
    66040,
    70266
  );
  script_xref(name:"CERT", value:"732479");
  script_xref(name:"EDB-ID", value:"32851");
  script_xref(name:"EDB-ID", value:"32438");
  script_xref(name:"EDB-ID", value:"32904");
  script_xref(name:"MSFT", value:"MS14-012");
  script_xref(name:"MSKB", value:"2925418");

  script_name(english:"MS14-012: Cumulative Security Update for Internet Explorer (2925418)");
  script_summary(english:"Checks version of Mshtml.dll");

  script_set_attribute(attribute:"synopsis", value:
"The remote host has a web browser that is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The remote host is missing Internet Explorer (IE) Security Update 2925418. The installed version of IE is affected by multiple privilege escalation and memory corruption vulnerabilities that could allow an attacker to execute arbitrary code on the remote host. Additionally, the installed version of IE is affected by an information disclosure vulnerability.");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-14-030/");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-14-031/");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-14-032/");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-14-033/");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-14-034/");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-14-035/");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-14-036/");
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2014/ms14-012");
  script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for XP, 2003, Vista, 2008, 7, 2008 R2, 8, 2012, 8.1, and 2012 R2.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'MS14-012 Microsoft Internet Explorer CMarkup Use-After-Free');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');

  script_set_attribute(attribute:"vuln_publication_date", value:"2014/02/14");
  script_set_attribute(attribute:"patch_publication_date", value:"2014/03/11");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/03/11");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:ie");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.");

  script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, "Host/patch_management_checks");

  exit(0);
}

include("audit.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_hotfixes.inc");
include("smb_func.inc");
include("misc_func.inc");

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS14-012';
kb = '2925418';

kbs = make_list(kb);
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

if (hotfix_check_sp_range(xp:'3', win2003:'2', vista:'2', win7:'1', win8:'0', win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
if (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE);

rootfile = hotfix_get_systemroot();
if (!rootfile) exit(1, "Failed to get the system root.");

share = hotfix_path2share(path:rootfile);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

if (
  # Windows 8.1 / 2012 R2
  #
  # - Internet Explorer 11
  hotfix_is_vulnerable(os:"6.3", file:"Mshtml.dll", version:"11.0.9600.16521", min_version:"11.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) ||

  # Windows 8 / 2012
  #
  # - Internet Explorer 10
  hotfix_is_vulnerable(os:"6.2", file:"Mshtml.dll", version:"10.0.9200.20963", min_version:"10.0.9200.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.2", file:"Mshtml.dll", version:"10.0.9200.16843", min_version:"10.0.9200.16000", dir:"\system32", bulletin:bulletin, kb:kb) ||

  # Windows 7 / 2008 R2
  # - Internet Explorer 11
  hotfix_is_vulnerable(os:"6.1", sp:1, file:"Mshtml.dll", version:"11.0.9600.16521", min_version:"11.0.9600.16000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  # - Internet Explorer 10
  hotfix_is_vulnerable(os:"6.1", sp:1, file:"Mshtml.dll", version:"10.0.9200.20963", min_version:"10.0.9200.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.1", sp:1, file:"Mshtml.dll", version:"10.0.9200.16843", min_version:"10.0.9200.16000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  # - Internet Explorer 9
  hotfix_is_vulnerable(os:"6.1", sp:1, file:"Mshtml.dll", version:"9.0.8112.20651", min_version:"9.0.8112.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.1", sp:1, file:"Mshtml.dll", version:"9.0.8112.16540", min_version:"9.0.8112.16000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  # - Internet Explorer 8
  hotfix_is_vulnerable(os:"6.1", sp:1, file:"Mshtml.dll", version:"8.0.7601.22597", min_version:"8.0.7601.22000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.1", sp:1, file:"Mshtml.dll", version:"8.0.7601.18392", min_version:"8.0.7601.17000", dir:"\system32", bulletin:bulletin, kb:kb) ||

  # Vista / 2008
  #
  # - Internet Explorer 9
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"Mshtml.dll", version:"9.0.8112.20651", min_version:"9.0.8112.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"Mshtml.dll", version:"9.0.8112.16540", min_version:"9.0.8112.16000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  # - Internet Explorer 8
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"Mshtml.dll", version:"8.0.6001.23569", min_version:"8.0.6001.23000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"Mshtml.dll", version:"8.0.6001.19507", min_version:"8.0.6001.18000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  # - Internet Explorer 7
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"Mshtml.dll", version:"7.0.6002.23330", min_version:"7.0.6002.23000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"Mshtml.dll", version:"7.0.6002.19041", min_version:"7.0.6002.18000", dir:"\system32", bulletin:bulletin, kb:kb) ||

  # Windows 2003 / XP 64-bit
  #
  # - Internet Explorer 8
  hotfix_is_vulnerable(os:"5.2", sp:2, file:"Mshtml.dll", version:"8.0.6001.23569", min_version:"8.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) ||
  # - Internet Explorer 7
  hotfix_is_vulnerable(os:"5.2", sp:2, file:"Mshtml.dll", version:"7.0.6000.21371", min_version:"7.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) ||
  # - Internet Explorer 6
  hotfix_is_vulnerable(os:"5.2", sp:2, file:"Mshtml.dll", version:"6.0.3790.5294", min_version:"6.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) ||

  # Windows XP x86
  #
  # - Internet Explorer 8
  hotfix_is_vulnerable(os:"5.1", sp:3, file:"Mshtml.dll", version:"8.0.6001.23569", min_version:"8.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) ||
  # - Internet Explorer 7
  hotfix_is_vulnerable(os:"5.1", sp:3, file:"Mshtml.dll", version:"7.0.6000.21371", min_version:"7.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) ||
  # - Internet Explorer 6
  hotfix_is_vulnerable(os:"5.1", sp:3, file:"Mshtml.dll", version:"6.0.2900.6512", min_version:"6.0.2900.0", dir:"\system32", bulletin:bulletin, kb:kb)
)
{
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}
```
NASL family | Windows |
NASL id | SMB_KB2934088.NASL |
description | The remote host is missing one of the workarounds referenced in KB 2934088. The remote Internet Explorer install is affected by a use after free vulnerability in the MSHTML CMarkup component. By exploiting this flaw, a remote, unauthenticated attacker could execute arbitrary code on the remote host subject to the privileges of the user running the affected application. |
last seen | 2017-10-29 |
modified | 2017-08-30 |
plugin id | 72605 |
published | 2014-02-20 |
reporter | Tenable |
source | https://www.tenable.com/plugins/index.php?view=single&id=72605 |
title | MS KB2934088: Vulnerability in Internet Explorer Could Allow Remote Code Execution |
code |

```
#%NASL_MIN_LEVEL 999999

#
# (C) Tenable Network Security, Inc.
#
# @DEPRECATED@
#
# Disabled on 2014/03/11. Deprecated by smb_nt_ms14-012.nasl
#

include("compat.inc");

if (description)
{
  script_id(72605);
  script_version("1.11");
  script_cvs_date("Date: 2018/07/27 18:38:15");

  script_cve_id("CVE-2014-0322");
  script_bugtraq_id(65551);
  script_xref(name:"CERT", value:"732479");
  script_xref(name:"MSKB", value:"2934088");

  script_name(english:"MS KB2934088: Vulnerability in Internet Explorer Could Allow Remote Code Execution");
  script_summary(english:"Checks if workarounds referenced in KB article have been applied.");

  script_set_attribute(attribute:"synopsis", value:"The remote host is affected by a remote code execution vulnerability.");
  script_set_attribute(
    attribute:"description",
    value:
"The remote host is missing one of the workarounds referenced in KB 2934088. The remote Internet Explorer install is affected by a use after free vulnerability in the MSHTML CMarkup component. By exploiting this flaw, a remote, unauthenticated attacker could execute arbitrary code on the remote host subject to the privileges of the user running the affected application.");
  script_set_attribute(attribute:"see_also", value:"http://technet.microsoft.com/en-us/security/advisory/2934088");
  script_set_attribute(
    attribute:"solution",
    value:
"Apply the IE settings workarounds suggested by Microsoft in the advisory, or apply the MSHTML Shim workaround in the Microsoft 'Fix it' solution."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2014/02/14");
  script_set_attribute(attribute:"patch_publication_date", value:"2014/02/19");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/02/20");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:ie");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.");

  script_dependencies("microsoft_emet_installed.nasl", "smb_hotfixes.nasl");
  script_require_keys("SMB/Registry/Enumerated", "SMB/WindowsVersion", "SMB/IE/Version");
  script_require_ports(139, 445);
  exit(0);
}

# Deprecated.
exit(0, "This plugin has been deprecated. Use plugin #72930 (smb_nt_ms14-012.nasl) instead.");

include('audit.inc');
include('global_settings.inc');
include("smb_hotfixes.inc");
include("misc_func.inc");
include("smb_func.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_reg_query.inc");

if (hotfix_check_sp_range(vista:'2', win7:'1', win8:'0', win81:'0') <= 0)
  audit(AUDIT_OS_SP_NOT_VULN);

if (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE);

# only IE 9 and 10 affected
version = get_kb_item_or_exit("SMB/IE/Version");
v = split(version, sep:".", keep:FALSE);
if (int(v[0]) != 9 && int(v[0]) != 10)
  audit(AUDIT_INST_VER_NOT_VULN, "IE", version);

registry_init();
hklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);

systemroot = hotfix_get_systemroot();
if (!systemroot) audit(AUDIT_FN_FAIL, 'hotfix_get_systemroot');

guid = '{25408f0a-987b-4ab0-a5ac-2ddb89ff22cf}';
path = get_registry_value(handle:hklm, item:"SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\" + guid);

RegCloseKey(handle:hklm);

if (isnull(path))
  path = systemroot + "\AppPatch\Custom\" + guid + '.sdb';

# Now make sure the file is in place
if (hotfix_file_exists(path:path))
{
  hotfix_check_fversion_end();
  exit(0, "The host is not affected since the Microsoft 'Fix it' has been applied.");
}

# hotfix_file_exists calls NetUseDel(close:FALSE), so we must reconnect
registry_init();

emet_info = '';
emet_installed = FALSE;
emet_with_ie = FALSE;

if (!isnull(get_kb_item("SMB/Microsoft/EMET/Installed")))
  emet_installed = TRUE;

# Check if EMET is configured with IE.
# The workaround does not specifically ask to enable DEP
# but if IE is configured with EMET, dep is enabled by default.
emet_list = get_kb_list("SMB/Microsoft/EMET/*");
if (!isnull(emet_list))
{
  foreach entry (keys(emet_list))
  {
    if ("iexplore.exe" >< entry && "/dep" >< entry)
    {
      dep = get_kb_item(entry);
      if (!isnull(dep) && dep == 1)
        emet_with_ie = TRUE;
    }
  }
}

if (!emet_installed)
{
  emet_info =
    '\n Microsoft Enhanced Mitigation Experience Toolkit (EMET) is not' +
    '\n installed.';
}
else if (emet_installed)
{
  if (!emet_with_ie)
  {
    emet_info =
      '\n Microsoft Enhanced Mitigation Experience Toolkit (EMET) is' +
      '\n installed, however Internet Explorer is not configured with EMET.';
  }
}

info_user_settings = '';

# check mitigation per user
hku = registry_hive_connect(hive:HKEY_USERS, exit_on_fail:TRUE);
subkeys = get_registry_subkeys(handle:hku, key:'');

foreach key (subkeys)
{
  if ('.DEFAULT' >< key || 'Classes' >< key ||
      key =~ "^S-1-5-\d{2}$") # skip built-in accounts
    continue;

  mitigation = FALSE;

  # "Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones"
  key_part_intranet = '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\1\\CurrentLevel';
  key_part_internet = '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3\\CurrentLevel';

  value = get_registry_value(handle:hku, item:key + key_part_intranet);
  value1 = get_registry_value(handle:hku, item:key + key_part_internet);

  if (isnull(value) && isnull(value1)) continue;

  # 0x00012000 = 73728 = High Security
  if (!isnull(value) && !isnull(value1) && value == 73728 && value1 == 73728)
    mitigation = TRUE;

  # "Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone"
  key_part_intranet = '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\1\\1400';
  key_part_internet = '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3\\1400';

  value = get_registry_value(handle:hku, item:key + key_part_intranet);
  value1 = get_registry_value(handle:hku, item:key + key_part_internet);

  # 1 = prompt, 3 = disable
  if (!isnull(value) && !isnull(value1) &&
      (value == 1 || value == 3) && (value1 == 1 || value1 == 3))
    mitigation = TRUE;

  if (!mitigation)
    info_user_settings += '\n ' + key + ' (Active Scripting Enabled)';
}

RegCloseKey(handle:hku);

hklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);

# check if user settings have been overridden by what is in HKLM
# note: Security_HKLM_only can be set by group policy
value = get_registry_value(handle:hklm, item:'SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Security_HKLM_only');

if (info_user_settings != '' && !isnull(value) && value == 1)
{
  mitigation = FALSE;

  # "Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones"
  key_part_intranet = 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\1\\CurrentLevel';
  key_part_internet = 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3\\CurrentLevel';

  value = get_registry_value(handle:hklm, item:key_part_intranet);
  value1 = get_registry_value(handle:hklm, item:key_part_internet);

  # 0x00012000 = 73728 = High Security
  if (!isnull(value) && !isnull(value1) && value == 73728 && value1 == 73728)
    mitigation = TRUE;

  # "Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone"
  key_part_intranet = 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\1\\1400';
  key_part_internet = 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3\\1400';

  value = get_registry_value(handle:hklm, item:key_part_intranet);
  value1 = get_registry_value(handle:hklm, item:key_part_internet);

  # 1 = prompt, 3 = disable
  if (!isnull(value) && !isnull(value1) &&
      (value == 1 || value == 3) && (value1 == 1 || value1 == 3))
    mitigation = TRUE;

  if (mitigation)
    info_user_settings = '';
}

RegCloseKey(handle:hklm);

close_registry();

if (info_user_settings != '')
{
  port = kb_smb_transport();

  if (report_verbosity > 0)
  {
    if (emet_info != '')
      report =
        '\n The remote host is missing the MSHTML Shim workaround and the' +
        '\n following users have vulnerable IE settings :' +
        info_user_settings + '\n' +
        emet_info + '\n';
    else
      report =
        '\n The remote host is missing the MSHTML Shim workaround and the' +
        '\n following users have vulnerable IE settings :' +
        info_user_settings + '\n';
    security_hole(port:port, extra:report);
  }
  else security_hole(port);
  exit(0);
}
else exit(0, "The host is not affected since a workaround has been applied.");
```
Packetstorm
data source | https://packetstormsecurity.com/files/download/126178/ms14_012_cmarkup_uaf.rb.txt |
id | PACKETSTORM:126178 |
last seen | 2016-12-05 |
published | 2014-04-16 |
reporter | juan vazquez |
source | https://packetstormsecurity.com/files/126178/MS14-012-Microsoft-Internet-Explorer-CMarkup-Use-After-Free.html |
title | MS14-012 Microsoft Internet Explorer CMarkup Use-After-Free |

data source | https://packetstormsecurity.com/files/download/126150/msiecmarkup-uaf.txt |
id | PACKETSTORM:126150 |
last seen | 2016-12-05 |
published | 2014-04-14 |
reporter | Jean-Jamil Khalife |
source | https://packetstormsecurity.com/files/126150/MS14-012-Internet-Explorer-CMarkup-Use-After-Free.html |
title | MS14-012 Internet Explorer CMarkup Use-After-Free |
Saint
bid | 65551 |
description | Internet Explorer CMarkup Object Handling Use-after-free Vulnerability |
id | win_patch_ie_v9,win_patch_ie_v10 |
osvdb | 103354 |
title | ie_cmarkup_uaf |
type | client |
Seebug
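bulletinFamily | exploit |
description | BUGTRAQ ID: 66025. CVE(CAN) ID: CVE-2014-0298. Internet Explorer is a web browser released by Microsoft. Internet Explorer does not correctly access objects in memory, which results in a remote code execution vulnerability in its implementation; successful exploitation can corrupt memory and execute arbitrary code with the privileges of the current user. Affected: Microsoft Internet Explorer 6-11. Temporary workaround: if you cannot install the patch or upgrade immediately, NSFOCUS recommends the following measures to reduce the threat: set the Internet and Local intranet security zone settings to "High"; configure IE to prompt before running Active Scripting, or disable it outright; apply the Microsoft Fix it solution "MSHTML Shim Workaround" to block exploitation of CVE-2014-0322. Vendor patch: Microsoft has released a security bulletin (MS14-012) and the corresponding patches: MS14-012: Cumulative Security Update for Internet Explorer (2925418). Link: http://technet.microsoft.com/security/bulletin/MS14-012 |
id | SSV:61754 |
last seen | 2017-11-19 |
modified | 2014-03-12 |
published | 2014-03-12 |
reporter | Root |
title | Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-0298) |

bulletinFamily | exploit |
description | BUGTRAQ ID: 66026. CVE(CAN) ID: CVE-2014-0299. Internet Explorer is a web browser released by Microsoft. Internet Explorer does not correctly access objects in memory, which results in a remote code execution vulnerability in its implementation; successful exploitation can corrupt memory and execute arbitrary code with the privileges of the current user. Affected: Microsoft Internet Explorer 6-11. Temporary workaround: if you cannot install the patch or upgrade immediately, NSFOCUS recommends the following measures to reduce the threat: set the Internet and Local intranet security zone settings to "High"; configure IE to prompt before running Active Scripting, or disable it outright; apply the Microsoft Fix it solution "MSHTML Shim Workaround" to block exploitation of CVE-2014-0322. Vendor patch: Microsoft has released a security bulletin (MS14-012) and the corresponding patches: MS14-012: Cumulative Security Update for Internet Explorer (2925418). Link: http://technet.microsoft.com/security/bulletin/MS14-012 |
id | SSV:61753 |
last seen | 2017-11-19 |
modified | 2014-03-12 |
published | 2014-03-12 |
reporter | Root |
title | Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-0299) |

bulletinFamily | exploit |
description | BUGTRAQ ID: 66027. CVE(CAN) ID: CVE-2014-0302. Internet Explorer is a web browser released by Microsoft. Internet Explorer does not correctly access objects in memory, which results in a remote code execution vulnerability in its implementation; successful exploitation can corrupt memory and execute arbitrary code with the privileges of the current user. Affected: Microsoft Internet Explorer 6-11. Temporary workaround: if you cannot install the patch or upgrade immediately, NSFOCUS recommends the following measures to reduce the threat: set the Internet and Local intranet security zone settings to "High"; configure IE to prompt before running Active Scripting, or disable it outright; apply the Microsoft Fix it solution "MSHTML Shim Workaround" to block exploitation of CVE-2014-0322. Vendor patch: Microsoft has released a security bulletin (MS14-012) and the corresponding patches: MS14-012: Cumulative Security Update for Internet Explorer (2925418). Link: http://technet.microsoft.com/security/bulletin/MS14-012 |
id | SSV:61755 |
last seen | 2017-11-19 |
modified | 2014-03-12 |
published | 2014-03-12 |
reporter | Root |
title | Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-0302) |

bulletinFamily | exploit |
description | BUGTRAQ ID: 66028. CVE(CAN) ID: CVE-2014-0303. Internet Explorer is a web browser released by Microsoft. Internet Explorer does not correctly access objects in memory, which results in a remote code execution vulnerability in its implementation; successful exploitation can corrupt memory and execute arbitrary code with the privileges of the current user. Affected: Microsoft Internet Explorer 6-11. Temporary workaround: if you cannot install the patch or upgrade immediately, NSFOCUS recommends the following measures to reduce the threat: set the Internet and Local intranet security zone settings to "High"; configure IE to prompt before running Active Scripting, or disable it outright; apply the Microsoft Fix it solution "MSHTML Shim Workaround" to block exploitation of CVE-2014-0322. Vendor patch: Microsoft has released a security bulletin (MS14-012) and the corresponding patches: MS14-012: Cumulative Security Update for Internet Explorer (2925418). Link: http://technet.microsoft.com/security/bulletin/MS14-012 |
id | SSV:61756 |
last seen | 2017-11-19 |
modified | 2014-03-12 |
published | 2014-03-12 |
reporter | Root |
title | Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-0303) |

bulletinFamily | exploit |
description | No description provided by source. |
id | SSV:61771 |
last seen | 2017-11-19 |
modified | 2014-03-12 |
published | 2014-03-12 |
reporter | nina_Q |
title | Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-0322) |

bulletinFamily | exploit |
description | No description provided by source. |
id | SSV:86119 |
last seen | 2017-11-19 |
modified | 2014-07-01 |
published | 2014-07-01 |
reporter | Root |
source | https://www.seebug.org/vuldb/ssvid-86119 |
title | MS14-012 Internet Explorer CMarkup Use-After-Free |

bulletinFamily | exploit |
description | No description provided by source. |
id | SSV:86169 |
last seen | 2017-11-19 |
modified | 2014-07-01 |
published | 2014-07-01 |
reporter | Root |
source | https://www.seebug.org/vuldb/ssvid-86169 |
title | MS14-012 Microsoft Internet Explorer CMarkup Use-After-Free |

bulletinFamily | exploit |
description | BUGTRAQ ID: 66023. CVE(CAN) ID: CVE-2014-0297. Internet Explorer is a web browser released by Microsoft. Internet Explorer does not correctly access objects in memory, which results in a remote code execution vulnerability in its implementation; successful exploitation can corrupt memory and execute arbitrary code with the privileges of the current user. Affected: Microsoft Internet Explorer 6-11. Temporary workaround: if you cannot install the patch or upgrade immediately, NSFOCUS recommends the following measures to reduce the threat: set the Internet and Local intranet security zone settings to "High"; configure IE to prompt before running Active Scripting, or disable it outright; apply the Microsoft Fix it solution "MSHTML Shim Workaround" to block exploitation of CVE-2014-0322. Vendor patch: Microsoft has released a security bulletin (MS14-012) and the corresponding patches: MS14-012: Cumulative Security Update for Internet Explorer (2925418). Link: http://technet.microsoft.com/security/bulletin/MS14-012 |
id | SSV:61751 |
last seen | 2017-11-19 |
modified | 2014-03-12 |
published | 2014-03-12 |
reporter | Root |
title | Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-0297) |

bulletinFamily | exploit |
description | BUGTRAQ ID: 65551. CVE(CAN) ID: CVE-2014-0322. Internet Explorer is a web browser released by Microsoft. Microsoft Internet Explorer 10 has a use-after-free vulnerability in its implementation. An attacker can use this vulnerability to modify a memory byte at an arbitrary address, combine it with Flash ActionScript to obtain memory read/write access, and read the vtable pointer of an object in ActionScript, thereby bypassing ASLR; the ROOP technique is then used to bypass DEP. Affected: Microsoft Internet Explorer 10. Temporary workaround: install EMET or upgrade to IE 11 to prevent malicious exploitation of this vulnerability. |
id | SSV:61455 |
last seen | 2017-11-19 |
modified | 2014-02-17 |
published | 2014-02-17 |
reporter | Root |
title | Microsoft Internet Explorer Use-After-Free Remote Code Execution Vulnerability |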
The Hacker News
id | THN:94A6EEF7B58D5DE9CCE68307A6FA2B6F |
last seen | 2018-01-27 |
modified | 2014-02-15 |
published | 2014-02-14 |
reporter | Sudhir K Bansal |
source | https://thehackernews.com/2014/02/cve-2014-0322-internet-explorer-zero.html |
title | CVE-2014-0322: Internet Explorer zero-day exploit targets US Military Intelligence |
References
- https://www.dropbox.com/s/pyxjgycmudirbqe/CVE-2014-0322.zip
- http://twitter.com/nanoc0re/statuses/434251658344673281
- http://www.fireeye.com/blog/technical/cyber-exploits/2014/02/new-ie-zero-day-found-in-watering-hole-attack-2.html
- http://community.websense.com/blogs/securitylabs/archive/2014/02/13/msie-0-day-exploit-cve-2014-0322-possibly-targeting-french-aerospace-organization.aspx
- http://www.fireeye.com/blog/uncategorized/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html
- http://www.kb.cert.org/vuls/id/732479
- http://technet.microsoft.com/security/advisory/2934088
- http://www.exploit-db.com/exploits/32851
- http://www.exploit-db.com/exploits/32904
- http://www.osvdb.org/103354
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-012