Vulnerabilities > CVE-2014-1767 - Double Free vulnerability in Microsoft products

CVSS 7.2 - HIGH

Attack vector

LOCAL

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

COMPLETE

Integrity impact

COMPLETE

Availability impact

COMPLETE

local

low complexity

microsoft

CWE-415

nessus

exploit available

NVD

Published: 2014-07-08

Updated: 2018-10-12

Summary

Double free vulnerability in the Ancillary Function Driver (AFD) in afd.sys in the kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows local users to gain privileges via a crafted application, aka "Ancillary Function Driver Elevation of Privilege Vulnerability." <a href="http://cwe.mitre.org/data/definitions/415.html" target="_blank">CWE-415: Double Free</a>

Vulnerable Configurations

Part	Description	Count
OS	Microsoft Microsoft Windows 7 * Microsoft Windows 8 * Microsoft Windows 8.1 * Microsoft Windows RT - Microsoft Windows RT 8.1 - Microsoft Windows Server 2003 * Microsoft Windows Server 2008 * Microsoft Windows Server 2008 R2 Microsoft Windows Server 2012 - Microsoft Windows Server 2012 R2 Microsoft Windows Vista *	11

Common Weakness Enumeration (CWE)

CWE-415 - Double Free

Exploit-Db

description	Microsoft Windows - AFD.SYS Privilege Escalation (MS14-040) Win7x64. CVE-2014-1767. Local exploit for win64 platform
file	exploits/windows_x86-64/local/39525.py
id	EDB-ID:39525
last seen	2016-03-09
modified	2016-03-07
platform	windows_x86-64
port
published	2016-03-07
reporter	Rick Larabee
source	https://www.exploit-db.com/download/39525/
title	Microsoft Windows - AFD.SYS Privilege Escalation MS14-040 Win7x64
type	local

description	Microsoft Windows - AFD.SYS Dangling Pointer Privilege Escalation (MS14-040). CVE-2014-1767. Local exploit for win32 platform
file	exploits/windows_x86/local/39446.py
id	EDB-ID:39446
last seen	2016-02-21
modified	2016-02-15
platform	windows_x86
port
published	2016-02-15
reporter	Rick Larabee
source	https://www.exploit-db.com/download/39446/
title	Microsoft Windows - AFD.SYS Dangling Pointer Privilege Escalation MS14-040
type	local

Msbulletin

bulletin_id	MS14-040
bulletin_url
date	2014-07-08T00:00:00
impact	Elevation of Privilege
knowledgebase_id	2975684
knowledgebase_url
severity	Important
title	Vulnerability in Ancillary Function Driver (AFD) Could Allow Elevation of Privilege

Nessus

NASL family	Windows : Microsoft Bulletins
NASL id	SMB_NT_MS14-040.NASL
description	The remote Windows host contains a version of the Ancillary Function Driver (afd.sys) that is affected by a privilege escalation vulnerability. The flaw is due to the Ancillary Function Driver not properly processing user-supplied input, leading to a double free scenario, allowing a local attacker to elevate privileges by running a specially crafted application.
last seen	2020-06-01
modified	2020-06-02
plugin id	76409
published	2014-07-08
reporter	This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/76409
title	MS14-040: Vulnerability in Ancillary Function Driver (AFD) Could Allow Elevation of Privilege (2975684)
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(76409); script_version("1.15"); script_cvs_date("Date: 2018/11/15 20:50:31"); script_cve_id("CVE-2014-1767"); script_bugtraq_id(68394); script_xref(name:"MSFT", value:"MS14-040"); script_xref(name:"MSKB", value:"2973408"); script_xref(name:"MSKB", value:"2961072"); script_name(english:"MS14-040: Vulnerability in Ancillary Function Driver (AFD) Could Allow Elevation of Privilege (2975684)"); script_summary(english:"Checks version of Afd.sys"); script_set_attribute(attribute:"synopsis", value: "The remote Windows host contains a driver that allows elevation of privilege."); script_set_attribute(attribute:"description", value: "The remote Windows host contains a version of the Ancillary Function Driver (afd.sys) that is affected by a privilege escalation vulnerability. The flaw is due to the Ancillary Function Driver not properly processing user-supplied input, leading to a double free scenario, allowing a local attacker to elevate privileges by running a specially crafted application."); script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2014/ms14-040"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-14-220/"); script_set_attribute(attribute:"solution", value: "Microsoft has released a set of patches for Windows 2003 SP2, Vista SP2, 2008 SP2, 7 SP1, 2008 R2 SP1, 8, 2012, 8.1, and 2012 R2."); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_set_attribute(attribute:"vuln_publication_date", value:"2014/07/08"); script_set_attribute(attribute:"patch_publication_date", value:"2014/07/08"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/07/08"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows : Microsoft Bulletins"); script_copyright(english:"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc."); script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl"); script_require_keys("SMB/MS_Bulletin_Checks/Possible"); script_require_ports(139, 445, "Host/patch_management_checks"); exit(0); } include("audit.inc"); include("smb_func.inc"); include("smb_hotfixes.inc"); include("smb_hotfixes_fcheck.inc"); include("misc_func.inc"); get_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible'); bulletin = 'MS14-040'; pp81kb = '2973408'; kb = '2961072'; subkbs = make_list(kb, pp81kb); if (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:subkbs, severity:SECURITY_HOLE); get_kb_item_or_exit('SMB/Registry/Enumerated'); get_kb_item_or_exit('SMB/WindowsVersion', exit_code:1); if (hotfix_check_sp_range(win2003:'2', vista:'2', win7:'1', win8:'0', win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN); share = hotfix_get_systemdrive(exit_on_fail:TRUE, as_share:TRUE); if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share); if ( # Windows 8.1 / Server 2012 R2 Pre-Patch hotfix_is_vulnerable(os:"6.3", sp:0, file:"Afd.sys", version:"6.3.9600.16668", min_version:"6.3.9600.16000", dir:"\system32\drivers", bulletin:bulletin, kb:pp81kb) \|\| # Windows 8.1 / Server 2012 R2 Post-Patch hotfix_is_vulnerable(os:"6.3", sp:0, file:"Afd.sys", version:"6.3.9600.17194", min_version:"6.3.9600.17000", dir:"\system32\drivers", bulletin:bulletin, kb:kb) \|\| # Windows 8 / 2012 hotfix_is_vulnerable(os:"6.2", sp:0, file:"Afd.sys", version:"6.2.9200.21133", min_version:"6.2.9200.20000", dir:"\system32\drivers", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"6.2", sp:0, file:"Afd.sys", version:"6.2.9200.17014", min_version:"6.2.9200.16000", dir:"\system32\drivers", bulletin:bulletin, kb:kb) \|\| # Windows 7 / 2008 R2 hotfix_is_vulnerable(os:"6.1", sp:1, file:"Afd.sys", version:"6.1.7601.22705", min_version:"6.1.7601.22000", dir:"\system32\drivers", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"6.1", sp:1, file:"Afd.sys", version:"6.1.7601.18489", min_version:"6.1.7600.17000", dir:"\system32\drivers", bulletin:bulletin, kb:kb) \|\| # Windows Vista / 2008 hotfix_is_vulnerable(os:"6.0", sp:2, file:"Afd.sys", version:"6.0.6002.23414", min_version:"6.0.6002.23000", dir:"\system32\drivers", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"6.0", sp:2, file:"Afd.sys", version:"6.0.6002.19115", min_version:"6.0.6002.18000", dir:"\system32\drivers", bulletin:bulletin, kb:kb) \|\| # Windows 2003 hotfix_is_vulnerable(os:"5.2", sp:2, file:"Afd.sys", version:"5.2.3790.5358", dir:"\system32\drivers", bulletin:bulletin, kb:kb) ) { set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE); hotfix_security_hole(); hotfix_check_fversion_end(); exit(0); } else { hotfix_check_fversion_end(); audit(AUDIT_HOST_NOT, 'affected'); }

Packetstorm

data source	https://packetstormsecurity.com/files/download/135795/MS14-040.txt
id	PACKETSTORM:135795
last seen	2016-12-05
published	2016-02-16
reporter	Rick Larabee
source	https://packetstormsecurity.com/files/135795/Microsoft-AFD.SYS-Dangling-Pointer-Privilege-Escalation.html
title	Microsoft AFD.SYS Dangling Pointer Privilege Escalation

Seebug

bulletinFamily	exploit
description	No description provided by source.
id	SSV:93040
last seen	2017-11-19
modified	2017-04-25
published	2017-04-25
reporter	Root
source	https://www.seebug.org/vuldb/ssvid-93040
title	MS14-040 Microsoft Windows 7 (x86) - 'afd.sys' Dangling Pointer Privilege Escalation (CVE-2014-1767)

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Exploit-Db

Msbulletin

Nessus

Packetstorm

Seebug

References