CVE-2014-4076
Published: 2014-11-11
CVE-2014-4076: Microsoft Windows Server 2003 SP2 allows local users to gain privileges via a crafted IOCTL call to (1) tcpip.sys or (2) tcpip6.sys, aka "TCP/IP Elevation of…
Priority P2 · 74 · high · 7.2 CVSS 2.0
AV:L/AC:L/Au:N/C:C/I:C/A:C
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 22.67% (97.4th percentile)
Microsoft Windows Server 2003 SP2 allows local users to gain privileges via a crafted IOCTL call to (1) tcpip.sys or (2) tcpip6.sys, aka "TCP/IP Elevation of Privilege Vulnerability."
Detection & IOCs (extracted from sources)
bytes:
\x00\x04\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x02\x00\x00\x22\x00\x00\x00\x04\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00
- Monitor for calls to NtDeviceIoControlFile / ZwDeviceIoControlFile targeting the TCP device (\Device\Tcp) with IOCTL code 0x00120028 from user-mode processes, which is the specific IOCTL that triggers the tcpip!SetAddrOptions NULL pointer dereference.
- Detect low-address virtual memory allocation (ZwAllocateVirtualMemory / NtAllocateVirtualMemory) at addresses near NULL (e.g., the 0x0–0x1000 range) from user-mode processes on Windows Server 2003, which is required for the NULL-page shellcode placement used in this exploit.
- Detect WriteProcessMemory calls writing to low virtual addresses (0x28, 0x38, 0x1100, 0x2000, 0x2b) in the current process (handle 0xFFFFFFFF), a pattern unique to this exploit's memory setup.
- Alert on a crash/exception in tcpip!SetAddrOptions+0x1d (mov ebx, dword ptr [esi+28h]) with esi=0, indicating the NULL pointer dereference at the vulnerable code path.
- Look for exploit binaries named MS14-070.exe or processes spawning cmd.exe with the argument '/K cd c:\windows\system32' from non-interactive or low-privilege parent processes as a post-exploitation indicator.
- Note: the exploit and IOCTL trigger (0x00120028) are specific to Windows Server 2003 SP2 (tcpip.sys version 5.2.3790.4573) on x86, x64, and Itanium architectures. The Metasploit module and public PoCs only support x86. Detection rules targeting low-address memory allocation may generate false positives on systems where null-page protection is not enforced (pre-Vista Windows).
- Note: the patch KB2989935 remediates this vulnerability; systems with this update installed are not affected. Verify patch status before deploying detection rules to avoid alert fatigue on patched hosts.
CVSS provenance
- NVD (CVSS v2.0): 7.2 HIGH, AV:L/AC:L/Au:N/C:C/I:C/A:C
- VulnCheck: 7.2 HIGH
GHSA
GHSA-wcj9-qvpq-7gwq: Microsoft Windows Server 2003 SP2 allows local users to gain privileges via a crafted IOCTL call to (1) tcpip
ghsa_unreviewed · 2022-05-14
Microsoft Windows Server 2003 SP2 allows local users to gain privileges via a crafted IOCTL call to (1) tcpip.sys or (2) tcpip6.sys, aka "TCP/IP Elevation of Privilege Vulnerability."
VulnCheck
TCP/IP Elevation of Privilege Vulnerability
vulncheck · 2014 · CVSS 7.2
Microsoft Windows Server 2003 SP2 allows local users to gain privileges via a crafted IOCTL call to (1) tcpip.sys or (2) tcpip6.sys, aka "TCP/IP Elevation of Privilege Vulnerability."
Affected: Microsoft Windows
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://www.recordedfuture.com/russian-apt-toolkits
- https://marcoramilli.com/2019/12/05/apt28-attacks-evolution/
- https://www.tenable.com/blog/daisy-chaining-how-vulnerabilities-can-be-greater-than-the-sum-of-their-parts
- https://dl.acm.org/doi/pdf/10.1145/3465481.3465758
- https://www.logpoint.com/wp-content/uploads/2024/06/logpoint-etpr-forest-blizzard.pd
No detection rules found.
Exploit-DB
Microsoft Windows Server 2003 SP2 - TCP/IP IOCTL Privilege Escalation (MS14-070)
exploitdb · 2015-08-12
---
/*
################################################################
# Exploit Title: Windows 2k3 SP2 TCP/IP IOCTL Privilege Escalation (MS14-070)
# Date: 2015-08-10
# Exploit Author: Tomislav Paskalev
# Vulnerable Software:
# Windows 2003 SP2 x86
# Windows 2003 SP2 x86-64
# Windows 2003 SP2 IA-64
# Supported vulnerable software:
# Windows 2003 SP2 x86
# Tested on:
# Windows 2003 SP2 x86 EN
# CVE ID: 2014-4076
# OSVDB-ID: 114532
################################################################
# Vulnerability description:
# Windows TCP/IP stack (tcpip.sys, tcpip6.sys) fails to
# properly handle objects in memory during IOCTL processing.
# By crafting an input buffer that will be passed to the TCP
# device
Exploit-DB
Microsoft Windows Server 2003 SP2 - Local Privilege Escalation (MS14-070)
exploitdb · 2015-01-29 · CVSS 7.2
---
"""
KL-001-2015-001 : Microsoft Windows Server 2003 SP2 Arbitrary Write Privilege Escalation
Title: Microsoft Windows Server 2003 SP2 Arbitrary Write Privilege Escalation
Advisory ID: KL-001-2015-001
Publication Date: 2015.01.28
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2015-001.txt
1. Vulnerability Details
Affected Vendor: Microsoft
Affected Product: TCP/IP Protocol Driver
Affected Version: 5.2.3790.4573
Platform: Microsoft Windows Server 2003 Service Pack 2
Architecture: x86, x64, Itanium
Impact: Privilege Escalation
Attack vector: IOCTL
CVE-ID: CVE-2014-4076
2. Vulnerability Description
The tcpip.sys driver fails to sufficiently validate memory
objects used during the proces
Metasploit
MS14-070 Windows tcpip!SetAddrOptions NULL Pointer Dereference
metasploit
A vulnerability within the Microsoft TCP/IP protocol driver tcpip.sys can allow a local attacker to trigger a NULL pointer dereference by using a specially crafted IOCTL. This flaw can be abused to elevate privileges to SYSTEM.
Tenable
Daisy Chaining: How Vulnerabilities Can Be Greater Than the Sum of Their Parts
blogs_tenable · 2021-01-21
Talos
Microsoft Update Tuesday November 2014: Fixes for 3 0-day Vulnerabilities
blogs_talos · 2014-11-11 · CVSS 7.8
This month Microsoft is releasing 14 security bulletins. Originally they had planned to release 16, but due to issues that emerged in late testing, two bulletins that were announced in the Advance Security Notification, MS14-068 and MS14-075, have been postponed. Of the 14 bulletins, four are considered critical, eight are important, while two are moderate. They cover a total of 33 CVEs.
We’ll start off with the four critical bulletins, for a total of 21 CVEs that can result in remote code execution:
Our first bulletin of the month is MS14-064 and fixes two vulnerabilities (CVE-2014-6332, CVE-2014-6352) in Windows Object Linking and Embedding (OLE) that could allow remote code execution. Both issues are seeing attack in the wild and can be considered 0-days. CVE-2014-6352 is a vulnerabil
Threat Intel
APT28 (APT28, IRON TWILIGHT, SNAKEMACKEREL)
threat_intel
# Threat Actor Profile: APT28
ATT&CK ID: G0007
Also known as: APT28, IRON TWILIGHT, SNAKEMACKEREL, Swallowtail, Group 74, Sednit, Sofacy, Pawn Storm, Fancy Bear, STRONTIUM, Tsar Team, Threat Group-4127, TG-4127, Forest Blizzard, FROZENLAKE, GruesomeLarch
Suspected origin: Russia
## Overview
APT28 is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.(Citation: NSA/FBI Drovorub August 2020)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) This group has been active since at least 2004.(Citation: DOJ GRU Indictment Jul 2018)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Crowdstrike DNC June 2016)(Citation: FireEye APT28)(Citation: SecureWorks TG-412
arXiv
Investigation of Advanced Persistent Threats Network-based Tactics, Techniques and Procedures
arxiv_fulltext · 2025-02-12
Almuthanna Alageel and Sergio Maffeis, Department of Computing, Imperial College London, London, United Kingdom
## Abstract
The scarcity of data and the high complexity of Advanced Persistent Threats (APTs) attacks have created challenges in comprehending their behavior and hindered the exploration of effective detection techniques.
To create an effective APT detection strategy, it is important to examine the Tactics, Techniques, and Procedures (TTPs) that have been reported by the industry. These TTPs can be difficult to classify as either malicious or legitimate. When developing an approach for the next generation of network intrusion detection systems (NIDS), it is necessary to
References:
- http://www.exploit-db.com/exploits/35936
- http://www.osvdb.org/114532
- http://www.securityfocus.com/bid/70976
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-070
- https://www.exploit-db.com/exploits/37755/