CVE-2014-0322
published 2014-02-14

Priority: P1 · 88 · high
CVSS 3.1 base score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2022-05-25
Exploited in the wild
EPSS: 85.24% (99.7th percentile)
Use-after-free vulnerability in Microsoft Internet Explorer 9 and 10 allows remote attackers to execute arbitrary code via vectors involving crafted JavaScript code, CMarkup, and the onpropertychange attribute of a script element, as exploited in the wild in January and February 2014.

Affected (2 ranges)

Vendor | Product | Version range | Fixed in
microsoft | internet_explorer | |
microsoft | internet_explorer | |

Detection & IOCs (extracted from sources)

- filename: shadow.jpg
- filename: windump.exe
- path: %TEMP%\windump.exe
- sigma: Snort SID 36426
- sigma: Snort SID 364267
- sigma: Snort SID 36346
- sigma: Snort SID 36347
- sigma: Snort SID 36348
- bytes: 0xDEADBEEF41414141
  • Exploit uses Flash (.swf) to set up heap memory layout in the IE process, then triggers the UAF bug via an ExternalInterface call from ActionScript to a JavaScript/VBScript function. Detection should look for SWF files making ExternalInterface calls coinciding with IE UAF conditions.
  • Exploit ActionScript contains unused variables 'org' (string value 'vector') and 'found' (Boolean) left over from CVE-2013-3163 template reuse — presence of both in decompiled ActionScript is a strong indicator of this exploit family.
  • The Timer object in the exploit ActionScript is set to repeat every 1 second for exactly 4,096 seconds — this specific timer configuration is a shared fingerprint across the CVE-2013-3163/CVE-2014-0322/CVE-2014-1776 exploit family.
  • ROP chain is triggered by overwriting a Sound object's vtable and calling toString() — monitor for vtable overwrites on Sound objects in Flash within IE processes.
  • Shellcode calls NtSetContextThread to overwrite debug registers and disable EMET's EAF feature — monitor for NtSetContextThread calls from browser/Flash processes modifying debug registers (DR0–DR7).
  • Shellcode checks for presence of EMET.dll in the IE process before choosing execution path — presence of EMET.dll load check in shellcode is a behavioral indicator.
  • The exploit heap spray uses a 0x18180-element vector, each element 0x3FE bytes in size — this specific spray pattern can be detected in memory or via behavioral analysis.
  • Group 72 (Axiom) C2 domain naming pattern: domains are named after the intended victim organization, following patterns like companyname.attackerdomain.com or companyacronym.attackerdomain.com.
  • DeputyDog RAT samples associated with this CVE's threat actor use campaign codes 'kumanichi' and 'moon' — these strings can be used as YARA/memory scan anchors.
  • The Palo Alto Networks Threat Prevention signature IDs for CVE-2014-0322 (#36426, #364267, #36346, #36347, #36348) are specific to Palo Alto Networks content releases and require a Threat Prevention subscription with content release 433-2194 or later.
  • The deferred-free bypass technique (forcing TotalMemorySize > 0x186A0) applies specifically to the MemoryProtection::CMemoryProtector introduced in IE patches from July 2014 — the threshold value 0x186A0 is hardcoded and may differ across patch levels.
  • The EMET bypass in the associated SWF shellcode is described as incomplete — it would be caught by EMET's stack pivot check on VirtualAlloc, meaning EMET 4.1 with stack pivot protection enabled would still block the exploit.
  • The Flash-based exploit component and the HTML page must both be present and combined for a successful attack — capturing only one component is insufficient to reproduce or fully detect the exploit.

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck | | 8.8 | HIGH |
cisa | | 8.8 | HIGH |