CVE-2014-0307
published 2014-03-12


Priority: P2 (66)
Severity: critical
CVSS 2.0 base score: 9.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 72.24% (99.4th percentile)
Use-after-free vulnerability in Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a certain sequence of manipulations of a TextRange element, aka "Internet Explorer Memory Corruption Vulnerability."

Affected (1 range)

Vendor: microsoft
Product: internet_explorer
Version range: (not listed)
Fixed in: (not listed)

Detection & IOCs (extracted from sources)

url: ms-help:
other: 0x0c0d1020
other: 0x51C3B376
other: 0x51C2046E
other: 0x51BE4A41
filename: hxds.dll
bytes: \x81\xc4\x0c\xfe\xff\xff
  • Exploit targets IE9 builds between 9.0.8112.16496 and 9.0.8112.16533 exclusively; traffic from these specific MSHTML builds should be treated as high-risk.
  • Exploit delivery requires the browser to navigate to the ms-help: URI scheme, which triggers hxds.dll loading; monitor for ms-help: URI navigations from IE processes.
  • Exploit HTML contains a heap spray via sprayHeap() with unescape-encoded shellcode; detect large blocks of repeated heap allocations containing NOP sleds in IE renderer processes.
  • The exploit manipulates a specific set of HTML elements (FOOTER, VIDEO, HTML, DIV, WBR, THEAD, PARAM, SECTION, IMG, TIME, ASISE, CANVAS, P, RT, FRAMESET, TRACK, CAPTION) in sequence to trigger the TextRange use-after-free; presence of this element list in a page is a strong indicator.
  • ROP chain uses gadgets from hxds.dll (addresses 0x51C3B376, 0x51C2046E, 0x51BE4A41); memory scanning for these gadget addresses in IE process memory is indicative of exploitation.
  • Stack pivot prepend encoder bytes \x81\xc4\x0c\xfe\xff\xff (add esp, -500) appear at the start of shellcode; scan for this byte sequence in memory or network payloads.
  • Metasploit module requires Office 2010 to be installed on the target (used for hxds.dll); correlate IE9 exploitation attempts with hosts having Office 2010 installed.
  • The exploit only affects a narrow range of MSHTML builds; systems patched before or after the vulnerable window (August 2013 – March 2014) are not affected.
  • The Metasploit module disables retries and uses a single-attempt exploitation model; repeated connection attempts from the same client are not expected in this attack pattern.
  • UA fingerprinting for IE version was disabled in the module due to a known issue with os_detect; version-based browser filtering may not be reliable for this exploit.