CVE-2014-0307
Published 2014-03-12
Priority: P2 · 66 · critical · CVSS 2.0 base score 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit: available
EPSS: 72.24% (99.4th percentile)
Use-after-free vulnerability in Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a certain sequence of manipulations of a TextRange element, aka "Internet Explorer Memory Corruption Vulnerability."
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | internet_explorer | — | — |
Detection & IOCs (extracted from sources)
Byte sequence: \x81\xc4\x0c\xfe\xff\xff
- Exploit targets IE9 builds between 9.0.8112.16496 and 9.0.8112.16533 exclusively; traffic from these specific MSHTML builds should be treated as high-risk.
- Exploit delivery requires the browser to navigate to the ms-help: URI scheme, which triggers hxds.dll loading; monitor for ms-help: URI navigations from IE processes.
- Exploit HTML contains a heap spray via sprayHeap() with unescape-encoded shellcode; detect large blocks of repeated heap allocations containing NOP sleds in IE renderer processes.
- The exploit manipulates a specific set of HTML elements (FOOTER, VIDEO, HTML, DIV, WBR, THEAD, PARAM, SECTION, IMG, TIME, ASISE, CANVAS, P, RT, FRAMESET, TRACK, CAPTION) in sequence to trigger the TextRange use-after-free; the presence of this element list in a page is a strong indicator.
- ROP chain uses gadgets from hxds.dll (addresses 0x51C3B376, 0x51C2046E, 0x51BE4A41); memory scanning for these gadget addresses in IE process memory is indicative of exploitation.
- Stack-pivot prepend encoder bytes \x81\xc4\x0c\xfe\xff\xff (add esp, -500) appear at the start of the shellcode; scan for this byte sequence in memory or network payloads.
- Metasploit module requires Office 2010 to be installed on the target (used for hxds.dll); correlate IE9 exploitation attempts with hosts having Office 2010 installed.
- The exploit only affects a narrow range of MSHTML builds; systems patched before or after the vulnerable window (August 2013 – March 2014) are not affected.
- The Metasploit module disables retries and uses a single-attempt exploitation model; repeated connection attempts from the same client are not expected in this attack pattern.
- UA fingerprinting for IE version was disabled in the module due to a known issue with os_detect; version-based browser filtering may not be reliable for this exploit.
No detection rules found.
Exploit-DB
Microsoft Internet Explorer - TextRange Use-After-Free (MS14-012) (Metasploit)
exploitdb · 2014-03-22
---
```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 "MS14-012 Internet Explorer TextRange Use-After-Free",
'Description' => %q{
This module exploits a use-after-free vulnerability found in Internet Explorer. The flaw
was most likely introduced back in 2013, therefore only certain builds of MSHTML are
affected. In our testing with IE9, these vulnerable builds appear to be between
9.0.8112.16496 and 9.0.8112.16533, which implies August 2013 until early March 2014
(before the patch).
},
'License' => MSF_LICENSE,
'Author' =>
[
'Jason Kratzer', # Original discovery
'sinn3r' # Port
],
'Refer
```
Metasploit
MS14-012 Microsoft Internet Explorer TextRange Use-After-Free
metasploit
This module exploits a use-after-free vulnerability found in Internet Explorer. The flaw was most likely introduced in 2013, therefore only certain builds of MSHTML are affected. In our testing with IE9, these vulnerable builds appear to be between 9.0.8112.16496 and 9.0.8112.16533, which implies the vulnerability shipped between August 2013, when it was introduced, until the fix issued in early March 2014.
Published 2014-03-12