Vulnerabilities > CVE-2014-6363 - Resource Management Errors vulnerability in Microsoft Internet Explorer and Vbscript
Attack vector: NETWORK
Attack complexity: MEDIUM
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE
Summary
vbscript.dll in Microsoft VBScript 5.6 through 5.8, as used with Internet Explorer 6 through 11 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "VBScript Memory Corruption Vulnerability."
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 9 |
Common Weakness Enumeration (CWE)
Exploit-Db
description | Internet Explorer 8-11, IIS, CScript.exe/WScript.exe VBScript - CRegExp..Execute Use of Uninitialized Memory (MS14-080 / MS14-084). CVE-2014-6363. Remote exp... |
file | exploits/windows/remote/40721.html |
id | EDB-ID:40721 |
last seen | 2016-11-07 |
modified | 2016-11-07 |
platform | windows |
port | |
published | 2016-11-07 |
reporter | Skylined |
source | https://www.exploit-db.com/download/40721/ |
title | Internet Explorer 8-11, IIS, CScript.exe/WScript.exe VBScript - CRegExp..Execute Use of Uninitialized Memory (MS14-080 / MS14-084) |
type | remote |
Msbulletin
bulletin_id | MS14-080 |
bulletin_url | |
date | 2014-12-09T00:00:00 |
impact | Remote Code Execution |
knowledgebase_id | 3008923 |
knowledgebase_url | |
severity | Critical |
title | Cumulative Security Update for Internet Explorer |
bulletin_id | MS14-084 |
bulletin_url | |
date | 2014-12-09T00:00:00 |
impact | Remote Code Execution |
knowledgebase_id | 3016711 |
knowledgebase_url | |
severity | Critical |
title | Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution |
Nessus
NASL family Windows : Microsoft Bulletins
NASL id SMB_NT_MS14-080.NASL
description The version of Internet Explorer installed on the remote host is missing Cumulative Security Update 3008923. It is, therefore, affected by multiple vulnerabilities, the majority of which are remote code execution vulnerabilities. An attacker can exploit these by convincing a user to visit a specially crafted web page.
last seen 2020-06-01
modified 2020-06-02
plugin id 79828
published 2014-12-09
reporter This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
source https://www.tenable.com/plugins/nessus/79828
title MS14-080: Cumulative Security Update for Internet Explorer (3008923)
code
#
# (C) Tenable Network Security, Inc.
#
# Purpose: flag a Windows host as missing bulletin MS14-080 when any of the
# file-version checks below (Mshtml.dll, plus Vbscript.dll for IE 10 on
# OS 6.2) matches. On a match the script sets the "SMB/Missing/MS14-080"
# KB item and reports a security hole; otherwise it audits the host as not
# affected.
#

include("compat.inc");

# Registration branch: only declares the plugin's metadata, then exits.
if (description)
{
  script_id(79828);
  script_version("1.12");
  script_cvs_date("Date: 2018/11/15 20:50:31");

  # CVE-2014-6363 (the VBScript issue) is one of fourteen CVEs mapped to this
  # cumulative update.
  script_cve_id(
    "CVE-2014-6327",
    "CVE-2014-6328",
    "CVE-2014-6329",
    "CVE-2014-6330",
    "CVE-2014-6363",
    "CVE-2014-6365",
    "CVE-2014-6366",
    "CVE-2014-6368",
    "CVE-2014-6369",
    "CVE-2014-6373",
    "CVE-2014-6374",
    "CVE-2014-6375",
    "CVE-2014-6376",
    "CVE-2014-8966"
  );
  script_bugtraq_id(
    71446,
    71447,
    71448,
    71450,
    71452,
    71453,
    71454,
    71455,
    71456,
    71457,
    71458,
    71460,
    71463,
    71504
  );
  script_xref(name:"MSFT", value:"MS14-080");
  script_xref(name:"MSKB", value:"3008923");
  script_xref(name:"MSKB", value:"3029449");

  script_name(english:"MS14-080: Cumulative Security Update for Internet Explorer (3008923)");
  # NOTE(review): the summary names only Mshtml.dll, but the first check in the
  # body reads Vbscript.dll (IE 10 on OS 6.2, KB3029449).
  script_summary(english:"Checks the version of Mshtml.dll.");

  script_set_attribute(attribute:"synopsis", value: "The remote host has a web browser installed that is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value: "The version of Internet Explorer installed on the remote host is missing Cumulative Security Update 3008923. It is, therefore, affected by multiple vulnerabilities, the majority of which are remote code execution vulnerabilities. 
An attacker can exploit these by convincing a user to visit a specially crafted web page.");
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2014/ms14-080");
  script_set_attribute(attribute:"solution", value: "Microsoft has released a set of patches for Internet Explorer 6, 7, 8, 9, 10, and 11.");
  # CVSS v2 base: network vector, medium complexity, no authentication,
  # complete C/I/A impact. Temporal E:H/RL:OF/RC:C: high exploitability,
  # official fix available, report confirmed.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  # Triage signals: public exploits exist and the plugin records use by malware.
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2014/12/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2014/12/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/12/09");

  # "local" plugin type: the result comes from file versions read on the host,
  # not from probing the browser remotely.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:ie");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.");

  # Needs the results of the two listed plugins and either SMB (139/445) or
  # patch-management data; without them the check does not run.
  script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, "Host/patch_management_checks");

  exit(0);
}

include("audit.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_hotfixes.inc");
include("smb_func.inc");
include("misc_func.inc");

# Exit unless the KB says bulletin checks are possible on this host.
get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS14-080';
kb = '3008923';
kb2 = '3029449';

kbs = make_list(kb,kb2);
# When patch-management data is present, pass the bulletin and both KB numbers
# to hotfix_check_3rd_party() (helper defined outside this listing).
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

# Only the listed OS / service-pack levels are in scope; any other host is
# audited as "OS SP not vulnerable".
if (hotfix_check_sp_range(win2003:'2', vista:'2', win7:'1', win8:'0', win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
# Server Core installs are audited out and never flagged by this plugin.
if (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE);

# The file checks read the system drive as a share; an unreachable share ends
# the run with a share-failure audit instead of a finding.
share = hotfix_get_systemdrive(exit_on_fail:TRUE, as_share:TRUE);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

ie_ver = get_kb_item("SMB/IE/Version");

# Counter of matching checks; any non-zero value produces a finding.
vuln = 0;

# NOTE(review): in each hotfix_is_vulnerable() call, `version` looks like the
# patched file version and `min_version` the lower bound of the branch being
# tested - presumably a file in [min_version, version) is reported as missing
# the KB. The helper is defined outside this listing; confirm.
# NOTE(review): the paired rows per IE release look like two servicing
# branches of the same build - confirm.

# Windows 8 / 2012 Running IE 10 KB3029449 Applied (Rev2.0)
# This is the only check that reads Vbscript.dll, and it reports against kb2.
if (
  ie_ver =~ "^10\." &&
  (
    hotfix_is_vulnerable(os:"6.2", file:"Vbscript.dll", version:"5.8.9200.17183", min_version:"5.8.9200.0", dir:"\system32", bulletin:bulletin, kb:kb2) ||
    hotfix_is_vulnerable(os:"6.2", file:"Vbscript.dll", version:"5.8.9200.21299", min_version:"5.8.9200.17900", dir:"\system32", bulletin:bulletin, kb:kb2)
  )
) vuln++;

# Mshtml.dll checks, grouped by OS version and then by IE release; all of
# them report against kb (3008923).
if (
  # Windows 8.1 / 2012 R2
  #
  # - Internet Explorer 11 with KB2919355 applied
  hotfix_is_vulnerable(os:"6.3", file:"Mshtml.dll", version:"11.0.9600.17496", min_version:"11.0.9600.17000", dir:"\system32", bulletin:bulletin, kb:kb) ||

  # Windows 8 / 2012
  #
  # - Internet Explorer 10
  hotfix_is_vulnerable(os:"6.2", file:"Mshtml.dll", version:"10.0.9200.21299", min_version:"10.0.9200.21000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.2", file:"Mshtml.dll", version:"10.0.9200.17183", min_version:"10.0.9200.16000", dir:"\system32", bulletin:bulletin, kb:kb) ||

  # Windows 7 / 2008 R2
  # - Internet Explorer 11 with KB2929437 applied
  hotfix_is_vulnerable(os:"6.1", sp:1, file:"Mshtml.dll", version:"11.0.9600.17496", min_version:"11.0.9600.17000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  # - Internet Explorer 10
  hotfix_is_vulnerable(os:"6.1", sp:1, file:"Mshtml.dll", version:"10.0.9200.21299", min_version:"10.0.9200.21000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.1", sp:1, file:"Mshtml.dll", version:"10.0.9200.17183", min_version:"10.0.9200.16000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  # - Internet Explorer 9
  hotfix_is_vulnerable(os:"6.1", sp:1, file:"Mshtml.dll", version:"9.0.8112.20715", min_version:"9.0.8112.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.1", sp:1, file:"Mshtml.dll", version:"9.0.8112.16599", min_version:"9.0.8112.16000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  # - Internet Explorer 8
  hotfix_is_vulnerable(os:"6.1", sp:1, file:"Mshtml.dll", version:"8.0.7601.22874", min_version:"8.0.7601.22000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.1", sp:1, file:"Mshtml.dll", version:"8.0.7601.18667", min_version:"8.0.7601.17000", dir:"\system32", bulletin:bulletin, kb:kb) ||

  # Vista / 2008
  #
  # - Internet Explorer 9
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"Mshtml.dll", version:"9.0.8112.20715", min_version:"9.0.8112.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"Mshtml.dll", version:"9.0.8112.16599", min_version:"9.0.8112.16000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  # - Internet Explorer 8
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"Mshtml.dll", version:"8.0.6001.23642", min_version:"8.0.6001.23000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"Mshtml.dll", version:"8.0.6001.19587", min_version:"8.0.6001.18000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  # - Internet Explorer 7
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"Mshtml.dll", version:"7.0.6002.23528", min_version:"7.0.6002.23000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"Mshtml.dll", version:"7.0.6002.19221", min_version:"7.0.6002.18000", dir:"\system32", bulletin:bulletin, kb:kb) ||

  # Windows 2003
  #
  # - Internet Explorer 8
  hotfix_is_vulnerable(os:"5.2", sp:2, file:"Mshtml.dll", version:"8.0.6001.23642", min_version:"8.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) ||
  # - Internet Explorer 7
  hotfix_is_vulnerable(os:"5.2", sp:2, file:"Mshtml.dll", version:"7.0.6000.21420", min_version:"7.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) ||
  # - Internet Explorer 6
  hotfix_is_vulnerable(os:"5.2", sp:2, file:"Mshtml.dll", version:"6.0.3790.5467", min_version:"6.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb)
) vuln++;

# Any match: record the missing bulletin in the KB and report the finding.
# No match: close the file-check session and audit the host as not affected.
if( vuln )
{
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}
NASL family Windows : Microsoft Bulletins
NASL id SMB_NT_MS14-084.NASL
description The installed version of the VBScript Scripting Engine is affected by a remote code execution vulnerability due to improper handling of objects in memory. By tricking a user into viewing or opening malicious content, an attacker can exploit this to execute arbitrary code on the affected system, subject to the user
last seen 2020-06-01
modified 2020-06-02
plugin id 79833
published 2014-12-09
reporter This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
source https://www.tenable.com/plugins/nessus/79833
title MS14-084: Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution (3016711)
code
#
# (C) Tenable Network Security, Inc.
#
# Purpose: flag a Windows host as missing bulletin MS14-084 when the
# installed Vbscript.dll (VBScript 5.6, 5.7 or 5.8) matches one of the
# version checks below. Each VBScript release is reported against its own KB
# number. On a match the script sets the "SMB/Missing/MS14-084" KB item and
# reports a security hole; otherwise it audits the host as not affected.
#

include("compat.inc");

# Registration branch: only declares the plugin's metadata, then exits.
if (description)
{
  script_id(79833);
  script_version("1.10");
  script_cvs_date("Date: 2018/11/15 20:50:31");

  # This bulletin maps to the single CVE covered by this page.
  script_cve_id("CVE-2014-6363");
  script_bugtraq_id(71504);
  script_xref(name:"MSFT", value:"MS14-084");
  script_xref(name:"MSKB", value:"3012168");
  script_xref(name:"MSKB", value:"3012172");
  script_xref(name:"MSKB", value:"3012176");

  script_name(english:"MS14-084: Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution (3016711)");
  script_summary(english:"Checks the version of Vbscript.dll.");

  script_set_attribute(attribute:"synopsis", value: "Arbitrary code can be executed on the remote host through the installed VBScript Scripting Engine.");
  script_set_attribute(attribute:"description", value: "The installed version of the VBScript Scripting Engine is affected by a remote code execution vulnerability due to improper handling of objects in memory. 
By tricking a user into viewing or opening malicious content, an attacker can exploit this to execute arbitrary code on the affected system, subject to the user's privileges.");
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2014/ms14-084");
  script_set_attribute(attribute:"solution", value: "Microsoft has released a set of patches for Windows 2003, Vista, 2008, 2008 R2, and 7.");
  # CVSS v2 base: network vector, medium complexity, no authentication,
  # complete C/I/A impact. Temporal E:POC/RL:OF/RC:C: proof-of-concept
  # exploit code, official fix available, report confirmed.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2014/12/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2014/12/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/12/09");

  # "local" plugin type: the result comes from file versions read on the host.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.");

  # Needs the results of the two listed plugins and either SMB (139/445) or
  # patch-management data; without them the check does not run.
  script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, 'Host/patch_management_checks');

  exit(0);
}

include("audit.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_hotfixes.inc");
include("smb_func.inc");
include("misc_func.inc");

# Exit unless the KB says bulletin checks are possible on this host.
get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS14-084';
kbs = make_list(
  "3012168",
  "3012172",
  "3012176"
);

# When patch-management data is present, pass the bulletin and all three KB
# numbers to hotfix_check_3rd_party() (helper defined outside this listing).
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

# Scope is Windows 2003 SP2, Vista SP2 and Windows 7 SP1 level hosts; Windows
# 8 / 8.1 are not listed here, unlike in the MS14-080 check.
if (hotfix_check_sp_range(win2003:'2', vista:'2', win7:'1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

# nb: Microsoft regards this a defense-in-depth update for Server Core so
#     we won't flag it on that if report_paranoia < 2.
if (report_paranoia < 2 && hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE);

# if IE isn't installed we must still check the vbscript version
# (ie_ver may therefore be null; the branches below test for that explicitly)
ie_ver = get_kb_item("SMB/IE/Version");

productname = get_kb_item_or_exit("SMB/ProductName", exit_code:1);

# The file checks read the system root as a share; a missing root or an
# unreachable share ends the run without a finding.
rootfile = hotfix_get_systemroot();
if (!rootfile) exit(1, "Failed to get the system root.");

share = hotfix_path2share(path:rootfile);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

# Counter of matching checks; any non-zero value produces a finding.
vuln = 0;

# NOTE(review): in each hotfix_is_vulnerable() call, `version` looks like the
# patched file version and `min_version` the lower bound of the branch being
# tested - presumably a file in [min_version, version) is reported as missing
# the KB. The helper is defined outside this listing; confirm.

# `kb` is reassigned before each VBScript release so that a match is reported
# against the KB number for that release.

# VBScript 5.8
kb = "3012176";
# - with IE 8
# NOTE(review): this branch requires a recorded IE 8 version, so a Windows 7 /
# 2008 R2 or Vista / 2008 host with no "SMB/IE/Version" entry is not tested
# for VBScript 5.8 here - confirm that is intended.
if (
  !isnull(ie_ver) &&
  ie_ver =~ "^8\." &&
  (
    # Windows 7 and Windows Server 2008 R2
    hotfix_is_vulnerable(os:"6.1", sp:1, file:"Vbscript.dll", version:"5.8.7601.22856", min_version:"5.8.7601.22000", dir:"\system32", bulletin:bulletin, kb:kb) ||
    hotfix_is_vulnerable(os:"6.1", sp:1, file:"Vbscript.dll", version:"5.8.7601.18648", min_version:"5.8.7601.0", dir:"\system32", bulletin:bulletin, kb:kb) ||

    # Vista / Windows 2008
    hotfix_is_vulnerable(os:"6.0", sp:2, file:"Vbscript.dll", version:"5.8.6001.23642", min_version:"5.8.6001.22000", dir:"\System32", bulletin:bulletin, kb:kb) ||
    hotfix_is_vulnerable(os:"6.0", sp:2, file:"Vbscript.dll", version:"5.8.6001.19587", min_version:"5.8.6001.0", dir:"\System32", bulletin:bulletin, kb:kb)
  )
) vuln++;

# VBScript 5.8 generally
# The remaining branches run when IE is absent or older than 9.0.0.0; hosts
# with IE 9 or later are skipped by this plugin, presumably because they get
# the fix through the IE cumulative update - confirm against the bulletin.
if (
  # ie_ver < IE9
  (isnull(ie_ver) || (ver_compare(ver:ie_ver, fix:"9.0.0.0") < 0)) &&
  (
    # Windows 2003
    hotfix_is_vulnerable(os:"5.2", sp:2, file:"Vbscript.dll", version:"5.8.6001.23642", min_version:"5.8.6001.0", dir:"\system32", bulletin:bulletin, kb:kb)
  )
) vuln++;

# VBScript 5.7
kb = "3012172";
if (
  # ie_ver < IE9
  (isnull(ie_ver) || (ver_compare(ver:ie_ver, fix:"9.0.0.0") < 0)) &&
  (
    # Vista / Windows 2008
    hotfix_is_vulnerable(os:"6.0", sp:2, file:"Vbscript.dll", version:"5.7.6002.23528", min_version:"5.7.6002.22000", dir:"\System32", bulletin:bulletin, kb:kb) ||
    hotfix_is_vulnerable(os:"6.0", sp:2, file:"Vbscript.dll", version:"5.7.6002.19221", min_version:"5.7.6002.0", dir:"\System32", bulletin:bulletin, kb:kb) ||

    # Windows 2003
    hotfix_is_vulnerable(os:"5.2", sp:2, file:"Vbscript.dll", version:"5.7.6002.23528", min_version:"5.7.0.0", dir:"\system32", bulletin:bulletin, kb:kb)
  )
) vuln++;

# VBScript 5.6
kb = "3012168";
if (
  # ie_ver < IE9
  (isnull(ie_ver) || (ver_compare(ver:ie_ver, fix:"9.0.0.0") < 0)) &&
  (
    # Windows 2003
    hotfix_is_vulnerable(os:"5.2", sp:2, file:"Vbscript.dll", version:"5.6.0.8853", min_version:"5.6.0.0", dir:"\system32", bulletin:bulletin, kb:kb)
  )
) vuln++;

# Any match: record the missing bulletin in the KB and report the finding.
# No match: close the file-check session and audit the host as not affected.
if (vuln)
{
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}
Packetstorm
data source | https://packetstormsecurity.com/files/download/139598/vbscript-memoryuse.txt |
id | PACKETSTORM:139598 |
last seen | 2016-12-05 |
published | 2016-11-07 |
reporter | SkyLined |
source | https://packetstormsecurity.com/files/139598/VBScript-CRegExp-Execute-Uninitialized-Memory-Use.html |
title | VBScript CRegExp::Execute Uninitialized Memory Use |
References
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-080
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-084
- https://www.exploit-db.com/exploits/40721/
- https://www.verisign.com/en_US/security-services/security-intelligence/vulnerability-reports/articles/index.xhtml?id=1075