CVE-2014-1776
published 2014-04-27


Priority: P1 87, critical
CVSS 3.1: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CISA Known Exploited Vulnerability (KEV), remediation due 2022-07-28
Exploited in the wild (ITW)
EPSS: 88.01% (99.7th percentile)
Use-after-free vulnerability in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via vectors related to the CMarkup::IsConnectedToPrimaryMarkup function, as exploited in the wild in April 2014. NOTE: this issue originally emphasized VGX.DLL, but Microsoft clarified that "VGX.DLL does not contain the vulnerable code leveraged in this exploit. Disabling VGX.DLL is an exploit-specific workaround that provides an immediate, effective workaround to help block known attacks."

Affected

6 ranges
  • Vendor: microsoft; product: internet_explorer (6 entries; the version-range and fixed-in columns are empty in the record)

Detection & IOCs (extracted from sources)

  • filename: IePorxyv.dll
  • path: %APPDATA%\vcl.tmp
  • path: %TEMP%\vcl.tmp
  • filename: vcl.tmp
  • cookie: HTTP Cookie field used to transmit encrypted data to C2
  • bytes: 0xC917432

  • Pirpi.2014 payload (IePorxyv.dll) checks for a configuration file at %APPDATA%\vcl.tmp or %TEMP%\vcl.tmp on startup; presence of vcl.tmp is a host-based indicator of compromise.
  • Pirpi C2 communications use HTTP GET requests with encrypted data exfiltrated via the HTTP Cookie header field; network detection should inspect Cookie header contents for anomalous encrypted blobs.
  • The exploit delivery mechanism embeds an encrypted payload inside an animated GIF using steganography; detection should flag animated GIF downloads from exploit-landing pages that contain embedded PE artifacts.
  • Shellcode uses a rotate-right-7 (ror 7) hash algorithm on kernel32.dll export names to resolve API functions; the constant 0xC917432 identifies LoadLibraryA. Detecting ror-7 shellcode patterns or this constant is a strong indicator.
  • Shellcode uses a single-byte XOR algorithm to decrypt the final payload; look for single-byte XOR decryption loops in shellcode extracted from IE exploit traffic.
  • Anomalous VGX.DLL application crashes in IE were observed as a side-effect of exploitation; monitoring for VGX.DLL crash events in EDR/WER telemetry can surface exploitation attempts.
  • The exploit leverages a well-known Flash exploitation technique to bypass ASLR/DEP on Windows; network detection should correlate IE process spawning Flash with subsequent shellcode execution.
  • RC4 encryption is used within the CVE-2014-1776 exploit/payload to obfuscate activity; RC4 key-scheduling patterns in memory or network traffic associated with IE exploitation are a detection opportunity.
  • VGX.DLL is NOT the location of the vulnerable code; deregistering it is only an exploit-specific workaround for known attacks, not a general fix.
  • The Pirpi.2014 payload uses hardcoded C2 domains encoded inside the binary as a fallback when vcl.tmp is absent; C2 domains may vary per campaign and are not static across all samples.
  • The C2 URL structure differs between Pirpi.2014 and Pirpi.2015 variants; URL-pattern-based detection rules must account for variant-specific differences.

CVSS provenance

  • nvd, v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • nvd, v2.0: 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
  • vulncheck: 9.8 CRITICAL
  • cisa: 9.8 CRITICAL