Vulnerabilities > CVE-2014-0322 - Use After Free vulnerability in Microsoft Internet Explorer 10/9

047910
CVSS 8.8 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
low complexity
microsoft
CWE-416
nessus
exploit available
metasploit

Summary

Use-after-free vulnerability in Microsoft Internet Explorer 9 and 10 allows remote attackers to execute arbitrary code via vectors involving crafted JavaScript code, CMarkup, and the onpropertychange attribute of a script element, as exploited in the wild in January and February 2014.

Common Weakness Enumeration (CWE)

Exploit-Db

  • descriptionMicrosoft Internet Explorer 10 - CMarkup Use-After-Free (MS14-012). CVE-2014-0322. Remote exploit for windows platform
    fileexploits/windows/remote/32851.html
    idEDB-ID:32851
    last seen2016-02-03
    modified2014-04-14
    platformwindows
    port
    published2014-04-14
    reporterJean-Jamil Khalife
    sourcehttps://www.exploit-db.com/download/32851/
    titleMicrosoft Internet Explorer 10 - CMarkup Use-After-Free MS14-012
    typeremote
  • descriptionMS14-012 Microsoft Internet Explorer CMarkup Use-After-Free. CVE-2014-0322. Remote exploit for windows platform
    fileexploits/windows/remote/32904.rb
    idEDB-ID:32904
    last seen2016-02-03
    modified2014-04-16
    platformwindows
    port
    published2014-04-16
    reportermetasploit
    sourcehttps://www.exploit-db.com/download/32904/
    titleMicrosoft Internet Explorer - CMarkup Use-After-Free MS14-012
    typeremote

Metasploit

descriptionThis module exploits an use after free condition on Internet Explorer as used in the wild as part of "Operation SnowMan" in February 2014. The module uses Flash Player 12 in order to bypass ASLR and DEP.
idMSF:EXPLOIT/WINDOWS/BROWSER/MS14_012_CMARKUP_UAF
last seen2020-05-22
modified2017-07-24
published2014-04-15
references
reporterRapid7
sourcehttps://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/ms14_012_cmarkup_uaf.rb
titleMS14-012 Microsoft Internet Explorer CMarkup Use-After-Free

Msbulletin

bulletin_idMS14-012
bulletin_url
date2014-03-11T00:00:00
impactRemote Code Execution
knowledgebase_id2925418
knowledgebase_url
severityCritical
titleCumulative Security Update for Internet Explorer

Nessus

  • NASL familyWindows : Microsoft Bulletins
    NASL idSMB_NT_MS14-012.NASL
    descriptionThe remote host is missing Internet Explorer (IE) Security Update 2925418. The installed version of IE is affected by multiple privilege escalation and memory corruption vulnerabilities that could allow an attacker to execute arbitrary code on the remote host. Additionally, the installed version of IE is affected by an information disclosure vulnerability.
    last seen2020-06-01
    modified2020-06-02
    plugin id72930
    published2014-03-11
    reporterThis script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/72930
    titleMS14-012: Cumulative Security Update for Internet Explorer (2925418)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(72930);
      script_version("1.21");
      script_cvs_date("Date: 2018/11/15 20:50:31");
    
      script_cve_id(
        "CVE-2014-0297",
        "CVE-2014-0298",
        "CVE-2014-0299",
        "CVE-2014-0302",
        "CVE-2014-0303",
        "CVE-2014-0304",
        "CVE-2014-0305",
        "CVE-2014-0306",
        "CVE-2014-0307",
        "CVE-2014-0308",
        "CVE-2014-0309",
        "CVE-2014-0311",
        "CVE-2014-0312",
        "CVE-2014-0313",
        "CVE-2014-0314",
        "CVE-2014-0321",
        "CVE-2014-0322",
        "CVE-2014-0324",
        "CVE-2014-4112"
      );
      script_bugtraq_id(
        65551,
        66023,
        66025,
        66026,
        66027,
        66028,
        66029,
        66030,
        66031,
        66032,
        66033,
        66034,
        66035,
        66036,
        66037,
        66038,
        66039,
        66040,
        70266
      );
      script_xref(name:"CERT", value:"732479");
      script_xref(name:"EDB-ID", value:"32851");
      script_xref(name:"EDB-ID", value:"32438");
      script_xref(name:"EDB-ID", value:"32904");
      script_xref(name:"MSFT", value:"MS14-012");
      script_xref(name:"MSKB", value:"2925418");
    
      script_name(english:"MS14-012: Cumulative Security Update for Internet Explorer (2925418)");
      script_summary(english:"Checks version of Mshtml.dll");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote host has a web browser that is affected by multiple
    vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The remote host is missing Internet Explorer (IE) Security Update
    2925418.
    
    The installed version of IE is affected by multiple privilege
    escalation and memory corruption vulnerabilities that could allow an
    attacker to execute arbitrary code on the remote host. Additionally,
    the installed version of IE is affected by an information disclosure
    vulnerability.");
      script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-14-030/");
      script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-14-031/");
      script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-14-032/");
      script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-14-033/");
      script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-14-034/");
      script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-14-035/");
      script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-14-036/");
      script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2014/ms14-012");
      script_set_attribute(attribute:"solution", value:
    "Microsoft has released a set of patches for XP, 2003, Vista, 2008, 7,
    2008 R2, 8, 2012, 8.1, and 2012 R2.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'MS14-012 Microsoft Internet Explorer CMarkup Use-After-Free');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2014/02/14");
      script_set_attribute(attribute:"patch_publication_date", value:"2014/03/11");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/03/11");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:ie");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows : Microsoft Bulletins");
    
      script_copyright(english:"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.");
    
      script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
      script_require_keys("SMB/MS_Bulletin_Checks/Possible");
      script_require_ports(139, 445, "Host/patch_management_checks");
    
      exit(0);
    }
    
    include("audit.inc");
    include("smb_hotfixes_fcheck.inc");
    include("smb_hotfixes.inc");
    include("smb_func.inc");
    include("misc_func.inc");
    
    get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
    
    bulletin = 'MS14-012';
    kb = '2925418';
    
    kbs = make_list(kb);
    if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
    
    get_kb_item_or_exit("SMB/Registry/Enumerated");
    get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
    
    if (hotfix_check_sp_range(xp:'3', win2003:'2', vista:'2', win7:'1', win8:'0', win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
    if (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE);
    
    rootfile = hotfix_get_systemroot();
    if (!rootfile) exit(1, "Failed to get the system root.");
    
    share = hotfix_path2share(path:rootfile);
    if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);
    
    if (
      # Windows 8.1 / 2012 R2
      #
      # - Internet Explorer 11
      hotfix_is_vulnerable(os:"6.3", file:"Mshtml.dll", version:"11.0.9600.16521", min_version:"11.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) ||
      # Windows 8 / 2012
      #
      # - Internet Explorer 10
      hotfix_is_vulnerable(os:"6.2", file:"Mshtml.dll", version:"10.0.9200.20963", min_version:"10.0.9200.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"6.2", file:"Mshtml.dll", version:"10.0.9200.16843", min_version:"10.0.9200.16000", dir:"\system32", bulletin:bulletin, kb:kb) ||
    
      # Windows 7 / 2008 R2
      # - Internet Explorer 11
      hotfix_is_vulnerable(os:"6.1", sp:1, file:"Mshtml.dll", version:"11.0.9600.16521", min_version:"11.0.9600.16000", dir:"\system32", bulletin:bulletin, kb:kb) ||
      # - Internet Explorer 10
      hotfix_is_vulnerable(os:"6.1", sp:1, file:"Mshtml.dll", version:"10.0.9200.20963", min_version:"10.0.9200.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"6.1", sp:1, file:"Mshtml.dll", version:"10.0.9200.16843", min_version:"10.0.9200.16000", dir:"\system32", bulletin:bulletin, kb:kb) ||
      # - Internet Explorer 9
      hotfix_is_vulnerable(os:"6.1", sp:1, file:"Mshtml.dll", version:"9.0.8112.20651", min_version:"9.0.8112.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"6.1", sp:1, file:"Mshtml.dll", version:"9.0.8112.16540", min_version:"9.0.8112.16000", dir:"\system32", bulletin:bulletin, kb:kb) ||
      # - Internet Explorer 8
      hotfix_is_vulnerable(os:"6.1", sp:1, file:"Mshtml.dll", version:"8.0.7601.22597", min_version:"8.0.7601.22000", dir:"\system32", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"6.1", sp:1, file:"Mshtml.dll", version:"8.0.7601.18392", min_version:"8.0.7601.17000", dir:"\system32", bulletin:bulletin, kb:kb) ||
    
      # Vista / 2008
      #
      # - Internet Explorer 9
      hotfix_is_vulnerable(os:"6.0", sp:2, file:"Mshtml.dll", version:"9.0.8112.20651", min_version:"9.0.8112.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"6.0", sp:2, file:"Mshtml.dll", version:"9.0.8112.16540", min_version:"9.0.8112.16000", dir:"\system32", bulletin:bulletin, kb:kb) ||
      # - Internet Explorer 8
      hotfix_is_vulnerable(os:"6.0", sp:2, file:"Mshtml.dll", version:"8.0.6001.23569", min_version:"8.0.6001.23000", dir:"\system32", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"6.0", sp:2, file:"Mshtml.dll", version:"8.0.6001.19507", min_version:"8.0.6001.18000", dir:"\system32", bulletin:bulletin, kb:kb) ||
      # - Internet Explorer 7
      hotfix_is_vulnerable(os:"6.0", sp:2, file:"Mshtml.dll", version:"7.0.6002.23330", min_version:"7.0.6002.23000", dir:"\system32", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"6.0", sp:2, file:"Mshtml.dll", version:"7.0.6002.19041", min_version:"7.0.6002.18000", dir:"\system32", bulletin:bulletin, kb:kb) ||
    
      # Windows 2003 / XP 64-bit
      #
      # - Internet Explorer 8
      hotfix_is_vulnerable(os:"5.2", sp:2, file:"Mshtml.dll", version:"8.0.6001.23569", min_version:"8.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) ||
      # - Internet Explorer 7
      hotfix_is_vulnerable(os:"5.2", sp:2, file:"Mshtml.dll", version:"7.0.6000.21371", min_version:"7.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) ||
      # - Internet Explorer 6
      hotfix_is_vulnerable(os:"5.2", sp:2, file:"Mshtml.dll", version:"6.0.3790.5294",  min_version:"6.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) ||
    
      # Windows XP x86
      #
      # - Internet Explorer 8
      hotfix_is_vulnerable(os:"5.1", sp:3, file:"Mshtml.dll", version:"8.0.6001.23569", min_version:"8.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) ||
      # - Internet Explorer 7
      hotfix_is_vulnerable(os:"5.1", sp:3, file:"Mshtml.dll", version:"7.0.6000.21371", min_version:"7.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) ||
      # - Internet Explorer 6
      hotfix_is_vulnerable(os:"5.1", sp:3, file:"Mshtml.dll", version:"6.0.2900.6512",  min_version:"6.0.2900.0", dir:"\system32", bulletin:bulletin, kb:kb)
    )
    {
      set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
      hotfix_security_hole();
      hotfix_check_fversion_end();
      exit(0);
    }
    else
    {
      hotfix_check_fversion_end();
      audit(AUDIT_HOST_NOT, 'affected');
    }
    
  • NASL familyWindows
    NASL idSMB_KB2934088.NASL
    descriptionThe remote host is missing one of the workarounds referenced in KB 2934088. The remote Internet Explorer install is affected by a use after free vulnerability in the MSHTML CMarkup component. By exploiting this flaw, a remote, unauthenticated attacker could execute arbitrary code on the remote host subject to the privileges of the user running the affected application.
    last seen2017-10-29
    modified2017-08-30
    plugin id72605
    published2014-02-20
    reporterTenable
    sourcehttps://www.tenable.com/plugins/index.php?view=single&id=72605
    titleMS KB2934088: Vulnerability in Internet Explorer Could Allow Remote Code Execution
    code
    #%NASL_MIN_LEVEL 999999
    
    #
    # (C) Tenable Network Security, Inc.
    #
    
    # @DEPRECATED@
    #
    # Disabled on 2014/03/11.  Deprecated by smb_nt_ms14-012.nasl
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(72605);
      script_version("1.11");
      script_cvs_date("Date: 2018/07/27 18:38:15");
    
      script_cve_id("CVE-2014-0322");
      script_bugtraq_id(65551);
      script_xref(name:"CERT", value:"732479");
      script_xref(name:"MSKB", value:"2934088");
    
      script_name(english:"MS KB2934088: Vulnerability in Internet Explorer Could Allow Remote Code Execution");
      script_summary(english:"Checks if workarounds referenced in KB article have been applied.");
    
      script_set_attribute(attribute:"synopsis", value:"The remote host is affected by a remote code execution vulnerability.");
      script_set_attribute(
        attribute:"description",
        value:
    "The remote host is missing one of the workarounds referenced in KB
    2934088. 
    
    The remote Internet Explorer install is affected by a use after free
    vulnerability in the MSHTML CMarkup component.  By exploiting this flaw,
    a remote, unauthenticated attacker could execute arbitrary code on the
    remote host subject to the privileges of the user running the affected
    application.");
      script_set_attribute(attribute:"see_also", value:"http://technet.microsoft.com/en-us/security/advisory/2934088");
      script_set_attribute(
        attribute:"solution",
        value:
    "Apply the IE settings workarounds suggested by Microsoft in the
    advisory, or apply the MSHTML Shim workaround in the Microsoft
    'Fix it' solution."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2014/02/14");
      script_set_attribute(attribute:"patch_publication_date", value:"2014/02/19");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/02/20");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:ie");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows");
    
      script_copyright(english:"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.");
    
      script_dependencies("microsoft_emet_installed.nasl", "smb_hotfixes.nasl");
      script_require_keys("SMB/Registry/Enumerated", "SMB/WindowsVersion", "SMB/IE/Version");
      script_require_ports(139, 445);
      exit(0);
    }
    
    # Deprecated.
    exit(0, "This plugin has been deprecated. Use plugin #72930 (smb_nt_ms14-012.nasl) instead.");
    
    
    include('audit.inc');
    include('global_settings.inc');
    include("smb_hotfixes.inc");
    include("misc_func.inc");
    include("smb_func.inc");
    include("smb_hotfixes_fcheck.inc");
    include("smb_reg_query.inc");
    
    if (hotfix_check_sp_range(vista:'2', win7:'1', win8:'0', win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
    
    if (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE);
    
    # only IE 9 and 10 affected
    version = get_kb_item_or_exit("SMB/IE/Version");
    v = split(version, sep:".", keep:FALSE);
    if (int(v[0]) != 9 && int(v[0]) != 10) audit(AUDIT_INST_VER_NOT_VULN, "IE", version);
    
    registry_init();
    
    hklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);
    
    systemroot = hotfix_get_systemroot();
    if (!systemroot) audit(AUDIT_FN_FAIL, 'hotfix_get_systemroot');
    
    guid = '{25408f0a-987b-4ab0-a5ac-2ddb89ff22cf}';
    path = get_registry_value(handle:hklm, item:"SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\" + guid);
    RegCloseKey(handle:hklm);
    
    if (isnull(path)) path = systemroot + "\AppPatch\Custom\" + guid + '.sdb';
    
    # Now make sure the file is in place
    if (hotfix_file_exists(path:path))
    {
      hotfix_check_fversion_end();
      exit(0, "The host is not affected since the Microsoft 'Fix it' has been applied.");
    }
    
    # hotfix_file_exists calls NetUseDel(close:FALSE), so we must reconnect
    registry_init();
    
    emet_info = '';
    
    emet_installed = FALSE;
    emet_with_ie   = FALSE;
    
    if (!isnull(get_kb_item("SMB/Microsoft/EMET/Installed")))
      emet_installed = TRUE;
    
    # Check if EMET is configured with IE.
    # The workaround does not specifically ask to enable DEP
    # but if IE is configured with EMET, dep is enabled by default.
    
    emet_list = get_kb_list("SMB/Microsoft/EMET/*");
    if (!isnull(emet_list))
    {
      foreach entry (keys(emet_list))
      {
        if ("iexplore.exe" >< entry && "/dep" >< entry)
        {
          dep = get_kb_item(entry);
          if (!isnull(dep) && dep == 1)
            emet_with_ie = TRUE;
        }
      }
    }
    
    if (!emet_installed)
    {
      emet_info =
      '\n  Microsoft Enhanced Mitigation Experience Toolkit (EMET) is not' +
      '\n  installed.';
    }
    else if (emet_installed)
    {
      if (!emet_with_ie)
      {
        emet_info =
        '\n  Microsoft Enhanced Mitigation Experience Toolkit (EMET) is' +
        '\n  installed, however Internet Explorer is not configured with EMET.';
      }
    }
    
    info_user_settings = '';
    
    # check mitigation per user
    hku = registry_hive_connect(hive:HKEY_USERS, exit_on_fail:TRUE);
    subkeys = get_registry_subkeys(handle:hku, key:'');
    
    foreach key (subkeys)
    {
      if ('.DEFAULT' >< key || 'Classes' >< key ||
         key =~ "^S-1-5-\d{2}$") # skip built-in accounts
        continue;
    
      mitigation = FALSE;
    
    # "Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones"
      key_part_intranet = '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\1\\CurrentLevel';
      key_part_internet = '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3\\CurrentLevel';
    
      value = get_registry_value(handle:hku, item:key + key_part_intranet);
      value1 = get_registry_value(handle:hku, item:key + key_part_internet);
    
      if (isnull(value) && isnull(value1))
        continue;
    
      # 0x00012000 = 73728 = High Security
      if (!isnull(value) && !isnull(value1) &&
         value == 73728 && value1 == 73728)
        mitigation = TRUE;
    
      # "Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone"
      key_part_intranet = '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\1\\1400';
      key_part_internet = '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3\\1400';
    
      value = get_registry_value(handle:hku, item:key + key_part_intranet);
      value1 = get_registry_value(handle:hku, item:key + key_part_internet);
    
      # 1 = prompt, 3 = disable
      if (!isnull(value) && !isnull(value1) &&
         (value == 1 || value == 3) && (value1 == 1 || value1 == 3))
        mitigation = TRUE;
    
      if (!mitigation)
        info_user_settings += '\n    ' + key + ' (Active Scripting Enabled)';
    }
    
    RegCloseKey(handle:hku);
    
    hklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);
    
    # check if user settings have been overridden by what is in HKLM
    # note: Security_HKLM_only can be set by group policy
    value = get_registry_value(handle:hklm, item:'SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Security_HKLM_only');
    
    if (info_user_settings != '' && !isnull(value) && value == 1)
    {
      mitigation = FALSE;
    
    # "Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones"
      key_part_intranet = 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\1\\CurrentLevel';
      key_part_internet = 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3\\CurrentLevel';
    
      value = get_registry_value(handle:hklm, item:key_part_intranet);
      value1 = get_registry_value(handle:hklm, item:key_part_internet);
    
      # 0x00012000 = 73728 = High Security
      if (!isnull(value) && !isnull(value1) &&
         value == 73728 && value1 == 73728)
        mitigation = TRUE;
    
      # "Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone"
      key_part_intranet = 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\1\\1400';
      key_part_internet = 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3\\1400';
    
      value = get_registry_value(handle:hklm, item:key_part_intranet);
      value1 = get_registry_value(handle:hklm, item:key_part_internet);
    
      # 1 = prompt, 3 = disable
      if (!isnull(value) && !isnull(value1) &&
         (value == 1 || value == 3) && (value1 == 1 || value1 == 3))
        mitigation = TRUE;
    
      if (mitigation)
        info_user_settings = '';
    }
    
    RegCloseKey(handle:hklm);
    
    close_registry();
    
    if (info_user_settings != '')
    {
      port = kb_smb_transport();
    
      if (report_verbosity > 0)
      {
        if (emet_info != '')
          report =
          '\n  The remote host is missing the MSHTML Shim workaround and the' +
          '\n  following users have vulnerable IE settings :' + info_user_settings + '\n' + emet_info + '\n';
        else
          report =
          '\n  The remote host is missing the MSHTML Shim workaround and the' +
          '\n  following users have vulnerable IE settings :' + info_user_settings + '\n';
    
        security_hole(port:port, extra:report);
      }
      else security_hole(port);
      exit(0);
    }
    else exit(0, "The host is not affected since a workaround has been applied.");
    

Packetstorm

Saint

bid65551
descriptionInternet Explorer CMarkup Object Handling Use-after-free Vulnerability
idwin_patch_ie_v9,win_patch_ie_v10
osvdb103354
titleie_cmarkup_uaf
typeclient

Seebug

  • bulletinFamilyexploit
    descriptionBUGTRAQ ID: 66025 CVE(CAN) ID: CVE-2014-0298 Internet Explorer是微软公司推出的一款网页浏览器。 Internet Explorer 没有正确访问内存对象,在实现上存在远程代码执行漏洞,成功利用后可破坏内存,在当前用户权限下执行任意代码。 0 Microsoft Internet Explorer 6-11 临时解决方法: 如果您不能立刻安装补丁或者升级,NSFOCUS建议您采取以下措施以降低威胁: * 设置互联网和内联网安全区域设置为“高” * 配置IE在运行活动脚本之前提示或直接禁用。 * 应用Microsoft Fix it解决方案,&quot;MSHTML Shim Workaround&quot;,阻止利用CVE-2014-0322。 厂商补丁: Microsoft --------- Microsoft已经为此发布了一个安全公告(MS14-012)以及相应补丁: MS14-012:Cumulative Security Update for Internet Explorer (2925418) 链接:http://technet.microsoft.com/security/bulletin/MS14-012
    idSSV:61754
    last seen2017-11-19
    modified2014-03-12
    published2014-03-12
    reporterRoot
    titleMicrosoft Internet Explorer内存破坏漏洞(CVE-2014-0298)
  • bulletinFamilyexploit
    descriptionBUGTRAQ ID: 66026 CVE(CAN) ID: CVE-2014-0299 Internet Explorer是微软公司推出的一款网页浏览器。 Internet Explorer 没有正确访问内存对象,在实现上存在远程代码执行漏洞,成功利用后可破坏内存,在当前用户权限下执行任意代码。 0 Microsoft Internet Explorer 6-11 临时解决方法: 如果您不能立刻安装补丁或者升级,NSFOCUS建议您采取以下措施以降低威胁: * 设置互联网和内联网安全区域设置为“高” * 配置IE在运行活动脚本之前提示或直接禁用。 * 应用Microsoft Fix it解决方案,&quot;MSHTML Shim Workaround&quot;,阻止利用CVE-2014-0322。 厂商补丁: Microsoft --------- Microsoft已经为此发布了一个安全公告(MS14-012)以及相应补丁: MS14-012:Cumulative Security Update for Internet Explorer (2925418) 链接:http://technet.microsoft.com/security/bulletin/MS14-012
    idSSV:61753
    last seen2017-11-19
    modified2014-03-12
    published2014-03-12
    reporterRoot
    titleMicrosoft Internet Explorer内存破坏漏洞(CVE-2014-0299)
  • bulletinFamilyexploit
    descriptionBUGTRAQ ID: 66027 CVE(CAN) ID: CVE-2014-0302 Internet Explorer是微软公司推出的一款网页浏览器。 Internet Explorer 没有正确访问内存对象,在实现上存在远程代码执行漏洞,成功利用后可破坏内存,在当前用户权限下执行任意代码。 0 Microsoft Internet Explorer 6-11 临时解决方法: 如果您不能立刻安装补丁或者升级,NSFOCUS建议您采取以下措施以降低威胁: * 设置互联网和内联网安全区域设置为“高” * 配置IE在运行活动脚本之前提示或直接禁用。 * 应用Microsoft Fix it解决方案,&quot;MSHTML Shim Workaround&quot;,阻止利用CVE-2014-0322。 厂商补丁: Microsoft --------- Microsoft已经为此发布了一个安全公告(MS14-012)以及相应补丁: MS14-012:Cumulative Security Update for Internet Explorer (2925418) 链接:http://technet.microsoft.com/security/bulletin/MS14-012
    idSSV:61755
    last seen2017-11-19
    modified2014-03-12
    published2014-03-12
    reporterRoot
    titleMicrosoft Internet Explorer内存破坏漏洞(CVE-2014-0302)
  • bulletinFamilyexploit
    descriptionBUGTRAQ ID: 66028 CVE(CAN) ID: CVE-2014-0303 Internet Explorer是微软公司推出的一款网页浏览器。 Internet Explorer 没有正确访问内存对象,在实现上存在远程代码执行漏洞,成功利用后可破坏内存,在当前用户权限下执行任意代码。 0 Microsoft Internet Explorer 6-11 临时解决方法: 如果您不能立刻安装补丁或者升级,NSFOCUS建议您采取以下措施以降低威胁: * 设置互联网和内联网安全区域设置为“高” * 配置IE在运行活动脚本之前提示或直接禁用。 * 应用Microsoft Fix it解决方案,&quot;MSHTML Shim Workaround&quot;,阻止利用CVE-2014-0322。 厂商补丁: Microsoft --------- Microsoft已经为此发布了一个安全公告(MS14-012)以及相应补丁: MS14-012:Cumulative Security Update for Internet Explorer (2925418) 链接:http://technet.microsoft.com/security/bulletin/MS14-012
    idSSV:61756
    last seen2017-11-19
    modified2014-03-12
    published2014-03-12
    reporterRoot
    titleMicrosoft Internet Explorer内存破坏漏洞(CVE-2014-0303)
  • bulletinFamilyexploit
    descriptionNo description provided by source.
    idSSV:61771
    last seen2017-11-19
    modified2014-03-12
    published2014-03-12
    reporternina_Q
    titleMicrosoft Internet Explorer内存破坏漏洞(CVE-2014-0322)
  • bulletinFamilyexploit
    descriptionNo description provided by source.
    idSSV:86119
    last seen2017-11-19
    modified2014-07-01
    published2014-07-01
    reporterRoot
    sourcehttps://www.seebug.org/vuldb/ssvid-86119
    titleMS14-012 Internet Explorer CMarkup Use-After-Free
  • bulletinFamilyexploit
    descriptionNo description provided by source.
    idSSV:86169
    last seen2017-11-19
    modified2014-07-01
    published2014-07-01
    reporterRoot
    sourcehttps://www.seebug.org/vuldb/ssvid-86169
    titleMS14-012 Microsoft Internet Explorer CMarkup Use-After-Free
  • bulletinFamilyexploit
    descriptionBUGTRAQ ID: 66023 CVE(CAN) ID: CVE-2014-0297 Internet Explorer是微软公司推出的一款网页浏览器。 Internet Explorer 没有正确访问内存对象,在实现上存在远程代码执行漏洞,成功利用后可破坏内存,在当前用户权限下执行任意代码。 0 Microsoft Internet Explorer 6-11 临时解决方法: 如果您不能立刻安装补丁或者升级,NSFOCUS建议您采取以下措施以降低威胁: * 设置互联网和内联网安全区域设置为“高” * 配置IE在运行活动脚本之前提示或直接禁用。 * 应用Microsoft Fix it解决方案,&quot;MSHTML Shim Workaround&quot;,阻止利用CVE-2014-0322。 厂商补丁: Microsoft --------- Microsoft已经为此发布了一个安全公告(MS14-012)以及相应补丁: MS14-012:Cumulative Security Update for Internet Explorer (2925418) 链接:http://technet.microsoft.com/security/bulletin/MS14-012
    idSSV:61751
    last seen2017-11-19
    modified2014-03-12
    published2014-03-12
    reporterRoot
    titleMicrosoft Internet Explorer内存破坏漏洞(CVE-2014-0297)
  • bulletinFamilyexploit
    descriptionBUGTRAQ ID: 65551 CVE(CAN) ID: CVE-2014-0322 Internet Explorer是微软公司推出的一款网页浏览器。 Microsoft Internet Explorer 10在实现上存在释放后重利用漏洞,攻击者可利用此漏洞修改任意地址处的内存字节,结合Flash ActionScript获取内存读写权限,读出actionscript中对象的虚表指针,从而绕过ASLR;然后使用ROOP技术绕过DEP。 0 Microsoft Internet Explorer 10 临时解决方法: 安装EMET或升级到IE 11以防恶意利用此漏洞。
    idSSV:61455
    last seen2017-11-19
    modified2014-02-17
    published2014-02-17
    reporterRoot
    titleMicrosoft Internet Explorer释放后重用远程代码执行漏洞

The Hacker News

idTHN:94A6EEF7B58D5DE9CCE68307A6FA2B6F
last seen2018-01-27
modified2014-02-15
published2014-02-14
reporterSudhir K Bansal
sourcehttps://thehackernews.com/2014/02/cve-2014-0322-internet-explorer-zero.html
titleCVE-2014-0322: Internet Explorer zero-day exploit targets US Military Intelligence