Vulnerabilities > CVE-2014-4113 - Unspecified vulnerability in Microsoft products

CVSS 7.8 - HIGH

Attack vector

LOCAL

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

local

low complexity

microsoft

nessus

exploit available

metasploit

NVD

Published: 2014-10-15

Updated: 2024-07-02

Summary

win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows local users to gain privileges via a crafted application, as exploited in the wild in October 2014, aka "Win32k.sys Elevation of Privilege Vulnerability."

Vulnerable Configurations

Part	Description	Count
OS	Microsoft Microsoft Windows Server 2012 R2 Microsoft Windows Server 2012 - Microsoft Windows RT - Microsoft Windows 8.1 - Microsoft Windows Server 2008 - Microsoft Windows Server 2008 R2 Microsoft Windows 7 - Microsoft Windows RT 8.1 - Microsoft Windows Vista - Microsoft Windows 8 - Microsoft Windows Server 2003 -	11

Exploit-Db

description	Windows TrackPopupMenu Win32k NULL Pointer Dereference. CVE-2014-4113. Local exploit for windows platform
file	exploits/windows/local/35101.rb
id	EDB-ID:35101
last seen	2016-02-04
modified	2014-10-28
platform	windows
port
published	2014-10-28
reporter	metasploit
source	https://www.exploit-db.com/download/35101/
title	Windows TrackPopupMenu Win32k NULL Pointer Dereference
type	local

description	Windows 8.0 - 8.1 x64 TrackPopupMenu Privilege Escalation (MS14-058). CVE-2014-4113. Local exploit for win64 platform
file	exploits/windows_x86-64/local/37064.py
id	EDB-ID:37064
last seen	2016-02-04
modified	2015-05-19
platform	windows_x86-64
port
published	2015-05-19
reporter	ryujin
source	https://www.exploit-db.com/download/37064/
title	Windows 8.0 - 8.1 x64 - TrackPopupMenu Privilege Escalation MS14-058
type	local

description	Abusing Token Privileges For LPE. Papers exploit for Windows platform
id	EDB-ID:42556
last seen	2017-08-28
modified	2017-08-28
published	2017-08-28
reporter	Exploit-DB
source	https://www.exploit-db.com/download/42556/
title	Abusing Token Privileges For LPE

description	Windows Kernel Win32k.sys Privilege Escalation Exploit (MS14-058). CVE-2014-4113. Local exploit for windows platform
file	exploits/windows/local/39666.txt
id	EDB-ID:39666
last seen	2016-04-06
modified	2016-04-05
platform	windows
port
published	2016-04-05
reporter	MWR InfoSecurity
source	https://www.exploit-db.com/download/39666/
title	Windows Kernel Win32k.sys Privilege Escalation Exploit MS14-058
type	local

description	Microsoft Windows - Net-NTLMv2 Reflection DCOM/RPC (Metasploit). CVE-2016-3225. Local exploit for Windows platform. Tags: Metasploit Framework (MSF), Local
file	exploits/windows/local/45562.rb
id	EDB-ID:45562
last seen	2018-10-08
modified	2018-10-08
platform	windows
port
published	2018-10-08
reporter	Exploit-DB
source	https://www.exploit-db.com/download/45562/
title	Microsoft Windows - Net-NTLMv2 Reflection DCOM/RPC (Metasploit)
type	local

id	EDB-ID:46945
last seen	2019-05-30
modified	2014-11-24
published	2014-11-24
reporter	Exploit-DB
source	https://www.exploit-db.com/download/46945
title	Microsoft Windows 8.1/ Server 2012 - 'Win32k.sys' Local Privilege Escalation (MS14-058)

Metasploit

description	Module utilizes the Net-NTLMv2 reflection between DCOM/RPC to achieve a SYSTEM handle for elevation of privilege. Currently the module does not spawn as SYSTEM, however once achieving a shell, one can easily use incognito to impersonate the token.
id	MSF:EXPLOIT/WINDOWS/LOCAL/MS16_075_REFLECTION
last seen	2020-06-09
modified	2018-10-04
published	2018-08-03
references	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3225 http://blog.trendmicro.com/trendlabs-security-intelligence/an-analysis-of-a-windows-kernel-mode-vulnerability-cve-2014-4113/ https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/ https://github.com/breenmachine/RottenPotatoNG
reporter	Rapid7
source	https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/local/ms16_075_reflection.rb
title	Windows Net-NTLMv2 Reflection DCOM/RPC

description	This module utilizes the Net-NTLMv2 reflection between DCOM/RPC to achieve a SYSTEM handle for elevation of privilege. It requires a CLSID string. Windows 10 after version 1803, (April 2018 update, build 17134) and all versions of Windows Server 2019 are not vulnerable.
id	MSF:EXPLOIT/WINDOWS/LOCAL/MS16_075_REFLECTION_JUICY
last seen	2020-06-09
modified	2020-02-20
published	2019-01-10
references	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3225 http://blog.trendmicro.com/trendlabs-security-intelligence/an-analysis-of-a-windows-kernel-mode-vulnerability-cve-2014-4113/ https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/ https://github.com/breenmachine/RottenPotatoNG https://decoder.cloud/2017/12/23/the-lonely-potato/ https://ohpe.it/juicy-potato/
reporter	Rapid7
source	https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/local/ms16_075_reflection_juicy.rb
title	Windows Net-NTLMv2 Reflection DCOM/RPC (Juicy)

description	This module exploits a NULL Pointer Dereference in win32k.sys, the vulnerability can be triggered through the use of TrackPopupMenu. Under special conditions, the NULL pointer dereference can be abused on xxxSendMessageTimeout to achieve arbitrary code execution. This module has been tested successfully on Windows XP SP3, Windows 2003 SP2, Windows 7 SP1 and Windows 2008 32bits. Also on Windows 7 SP1 and Windows 2008 R2 SP1 64 bits.
id	MSF:EXPLOIT/WINDOWS/LOCAL/MS14_058_TRACK_POPUP_MENU
last seen	2020-06-10
modified	2018-10-28
published	2014-10-23
references	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4113 http://blog.trendmicro.com/trendlabs-security-intelligence/an-analysis-of-a-windows-kernel-mode-vulnerability-cve-2014-4113/
reporter	Rapid7
source	https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/local/ms14_058_track_popup_menu.rb
title	Windows TrackPopupMenu Win32k NULL Pointer Dereference

Msbulletin

bulletin_id	MS14-058
bulletin_url
date	2014-10-14T00:00:00
impact	Remote Code Execution
knowledgebase_id	3000061
knowledgebase_url
severity	Critical
title	Vulnerabilities in Kernel-Mode Driver Could Allow Remote Code Execution

Nessus

NASL family	Windows : Microsoft Bulletins
NASL id	SMB_NT_MS14-058.NASL
description	The remote Windows host is affected by multiple vulnerabilities : - A privilege escalation vulnerability allows an attacker to run arbitrary code in kernel mode due to the kernel-mode driver improperly handling objects in memory. (CVE-2014-4113) - A remote code execution vulnerability allows a remote attacker to run arbitrary code in kernel mode due to the kernel-mode driver improperly handling TrueType fonts. An attacker can exploit this vulnerability by convincing a user to open a file or visit a website containing a specially crafted TrueType font file. (CVE-2014-4148)
last seen	2020-06-01
modified	2020-06-02
plugin id	78433
published	2014-10-15
reporter	This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/78433
title	MS14-058: Vulnerabilities in Kernel-Mode Driver Could Allow Remote Code Execution (3000061)
code	# # (C) Tenable Network Security, Inc. # include('compat.inc'); if (description) { script_id(78433); script_version("1.12"); script_cvs_date("Date: 2018/11/15 20:50:31"); script_cve_id("CVE-2014-4113", "CVE-2014-4148"); script_bugtraq_id(70364, 70429); script_xref(name:"EDB-ID", value:"35101"); script_xref(name:"MSFT", value:"MS14-058"); script_xref(name:"MSKB", value:"3000061"); script_name(english:"MS14-058: Vulnerabilities in Kernel-Mode Driver Could Allow Remote Code Execution (3000061)"); script_summary(english:"Checks the version of Win32k.sys."); script_set_attribute(attribute:"synopsis", value:"The remote Windows host is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The remote Windows host is affected by multiple vulnerabilities : - A privilege escalation vulnerability allows an attacker to run arbitrary code in kernel mode due to the kernel-mode driver improperly handling objects in memory. (CVE-2014-4113) - A remote code execution vulnerability allows a remote attacker to run arbitrary code in kernel mode due to the kernel-mode driver improperly handling TrueType fonts. An attacker can exploit this vulnerability by convincing a user to open a file or visit a website containing a specially crafted TrueType font file. (CVE-2014-4148)"); script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2014/ms14-058"); script_set_attribute(attribute:"solution", value: "Microsoft has released a set of patches for Windows 2003, Vista, 2008, 7, 2008 R2, 8, 2012, 8.1, and 2012 R2."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Windows TrackPopupMenu Win32k NULL Pointer Dereference'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2014/10/14"); script_set_attribute(attribute:"patch_publication_date", value:"2014/10/14"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/10/15"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows : Microsoft Bulletins"); script_copyright(english:"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc."); script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl"); script_require_keys("SMB/MS_Bulletin_Checks/Possible"); script_require_ports(139, 445, "Host/patch_management_checks"); exit(0); } include("audit.inc"); include("smb_hotfixes_fcheck.inc"); include("smb_hotfixes.inc"); include("smb_func.inc"); include("misc_func.inc"); get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible"); bulletin = 'MS14-058'; kb = "3000061"; kbs = make_list(kb); if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE); get_kb_item_or_exit("SMB/Registry/Enumerated"); get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1); if (hotfix_check_sp_range(win2003:'2', vista:'2', win7:'1', win8:'0', win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN); share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE); if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share); if ( # Windows 8.1 / Windows Server 2012 R2 hotfix_is_vulnerable(os:"6.3", sp:0, file:"Win32k.sys", version:"6.3.9600.17353", min_version:"6.3.9600.16000", dir:"\system32", bulletin:bulletin, kb:kb) \|\| # Windows 8 / Windows Server 2012 hotfix_is_vulnerable(os:"6.2", sp:0, file:"Win32k.sys", version:"6.2.9200.21247", min_version:"6.2.9200.20000", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"6.2", sp:0, file:"Win32k.sys", version:"6.2.9200.17130", min_version:"6.2.9200.16000", dir:"\system32", bulletin:bulletin, kb:kb) \|\| # Windows 7 / Server 2008 R2 hotfix_is_vulnerable(os:"6.1", sp:1, file:"Win32k.sys", version:"6.1.7601.22823", min_version:"6.1.7601.22000", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"6.1", sp:1, file:"Win32k.sys", version:"6.1.7601.18615", min_version:"6.1.7600.18000", dir:"\system32", bulletin:bulletin, kb:kb) \|\| # Vista / Windows Server 2008 hotfix_is_vulnerable(os:"6.0", sp:2, file:"Win32k.sys", version:"6.0.6002.23504", min_version:"6.0.6002.23000", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"6.0", sp:2, file:"Win32k.sys", version:"6.0.6002.19198", min_version:"6.0.6002.18000", dir:"\system32", bulletin:bulletin, kb:kb) \|\| # Windows Server 2003 hotfix_is_vulnerable(os:"5.2", sp:2, file:"Win32k.sys", version:"5.2.3790.5445", dir:"\system32", bulletin:bulletin, kb:kb) ) { set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE); hotfix_security_hole(); hotfix_check_fversion_end(); exit(0); } else { hotfix_check_fversion_end(); audit(AUDIT_HOST_NOT, 'affected'); }

Packetstorm

data source	https://packetstormsecurity.com/files/download/131964/trackpopupmenu-escalate.txt
id	PACKETSTORM:131964
last seen	2016-12-05
published	2015-05-21
reporter	Matteo Memelli
source	https://packetstormsecurity.com/files/131964/Windows-8.0-8.1-x64-TrackPopupMenu-Privilege-Escalation.html
title	Windows 8.0 / 8.1 x64 TrackPopupMenu Privilege Escalation

data source	https://packetstormsecurity.com/files/download/149689/ms16_075_reflection.rb.txt
id	PACKETSTORM:149689
last seen	2018-10-06
published	2018-10-05
reporter	Mumbai
source	https://packetstormsecurity.com/files/149689/Windows-Net-NTLMv2-Reflection-DCOM-RPC.html
title	Windows Net-NTLMv2 Reflection DCOM/RPC

data source	https://packetstormsecurity.com/files/download/128861/ms14_058_track_popup_menu.rb.txt
id	PACKETSTORM:128861
last seen	2016-12-05
published	2014-10-28
reporter	Spencer McIntyre
source	https://packetstormsecurity.com/files/128861/Windows-TrackPopupMenu-Win32k-NULL-Pointer-Dereference.html
title	Windows TrackPopupMenu Win32k NULL Pointer Dereference

data source	https://packetstormsecurity.com/files/download/151182/ms16_075_reflection_juicy.rb.txt
id	PACKETSTORM:151182
last seen	2019-01-16
published	2019-01-16
reporter	breenmachine
source	https://packetstormsecurity.com/files/151182/Microsoft-Windows-Net-NTLMv2-Reflection-DCOM-RPC-Privilege-Escalation.html
title	Microsoft Windows Net-NTLMv2 Reflection DCOM/RPC Privilege Escalation

Seebug

bulletinFamily	exploit
description	No description provided by source.
id	SSV:87348
last seen	2017-11-19
modified	2014-11-13
published	2014-11-13
reporter	Root
source	https://www.seebug.org/vuldb/ssvid-87348
title	Windows TrackPopupMenu Win32k NULL Pointer Dereference

bulletinFamily	exploit
description	No description provided by source.
id	SSV:90702
last seen	2017-11-19
modified	2016-01-29
published	2016-01-29
reporter	Snowflakes
title	MS14-058 Windows内核提权漏洞 (CVE-2014-4113)

The Hacker News

id	THN:2A7DE929E5909B366E6F490ABBF0A6C1
last seen	2019-05-29
modified	2019-05-29
published	2019-05-29
reporter	The Hacker News
source	https://thehackernews.com/2019/05/hacking-mysql-phpmyadmin.html
title	Hackers Infect 50,000 MS-SQL and PHPMyAdmin Servers with Rootkit Malware

id	THN:675EE08758C0AD2D11F9BC33AB15EA32
last seen	2018-01-27
modified	2016-07-13
published	2016-07-13
reporter	Swati Khandelwal
source	https://thehackernews.com/2016/07/scada-malware-energy.html
title	State-Sponsored SCADA Malware targeting European Energy Companies

id	THN:083E49FCE8774369B5F2FAEDBE3F18A3
last seen	2018-01-27
modified	2014-10-15
published	2014-10-15
reporter	Swati Khandelwal
source	https://thehackernews.com/2014/10/microsoft-patches-3-zero-day_15.html
title	Microsoft Patches 3 Zero-day Vulnerabilities actively being Exploited in the Wild

Summary

Vulnerable Configurations

Exploit-Db

Metasploit

Msbulletin

Nessus

Packetstorm

Seebug

The Hacker News

References