CVE-2014-4076
published 2014-11-11

Priority: P2 / 74 / high
CVSS 2.0: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
ITW / Exploit: VulnCheck KEV, exploited in the wild
EPSS: 22.67% (97.4th percentile)
Microsoft Windows Server 2003 SP2 allows local users to gain privileges via a crafted IOCTL call to (1) tcpip.sys or (2) tcpip6.sys, aka "TCP/IP Elevation of Privilege Vulnerability."

Detection & IOCs (extracted from sources)

IOCTL code: 0x00120028
Filename: tcpip.sys
Filename: tcpip6.sys
Version: 5.2.3790.4573
  • Monitor for calls to NtDeviceIoControlFile / ZwDeviceIoControlFile targeting the TCP device (\Device\Tcp) with IOCTL code 0x00120028 from user-mode processes, which is the specific IOCTL that triggers the tcpip!SetAddrOptions NULL pointer dereference.
  • Detect low-address virtual memory allocation (ZwAllocateVirtualMemory / NtAllocateVirtualMemory) at addresses near NULL (e.g., 0x0–0x1000 range) from user-mode processes on Windows Server 2003, which is required for the NULL-page shellcode placement used in this exploit.
  • Detect WriteProcessMemory calls writing to low virtual addresses (0x28, 0x38, 0x1100, 0x2000, 0x2b) in the current process (handle 0xFFFFFFFF), a pattern unique to this exploit's memory setup.
  • Alert on crash/exception in tcpip!SetAddrOptions+0x1d (mov ebx, dword ptr [esi+28h]) with esi=0, indicating the NULL pointer dereference at the vulnerable code path.
  • Look for exploit binaries named MS14-070.exe or processes spawning cmd.exe with the argument '/K cd c:\windows\system32' from non-interactive or low-privilege parent processes as a post-exploitation indicator.
  • The exploit and IOCTL trigger (0x00120028) are specific to Windows Server 2003 SP2 (tcpip.sys version 5.2.3790.4573) on x86, x64, and Itanium architectures. The Metasploit module and public PoCs only support x86. Detection rules targeting low-address memory allocation may generate false positives on systems where null-page protection is not enforced (pre-Vista Windows).
  • The patch KB2989935 remediates this vulnerability; systems with this update installed are not affected. Verify patch status before deploying detection rules to avoid alert fatigue on patched hosts.

CVSS provenance

NVD (CVSS v2.0): 7.2 HIGH, AV:L/AC:L/Au:N/C:C/I:C/A:C
VulnCheck: 7.2 HIGH