cbcvebase.
CVE-2014-4148
published 2014-10-15

Priority: P1 (88)
Severity: high, CVSS 3.1 base score 8.8
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
KEV: CISA Known Exploited Vulnerability, remediation due 2022-06-15
ITW: exploited in the wild
EPSS: 50.70% (98.8th percentile)

win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to execute arbitrary code via a crafted TrueType font, as exploited in the wild in October 2014, aka "TrueType Font Parsing Remote Code Execution Vulnerability."

Affected (3 ranges)

Vendor      Product               Version range                    Fixed in
microsoft   windows_server_2008   -                                -
microsoft   windows_server_2012   -                                -
qemu        qemu                  >= 0, < 2.0.0+dfsg-2ubuntu1.3    2.0.0+dfsg-2ubuntu1.3

Note on the rows above: the two Microsoft rows are narrower than the description, which lists win32k.sys on Windows Server 2003 SP2 through Windows 8.1 / Server 2012 R2 and Windows RT; Microsoft fixed CVE-2014-4148 in bulletin MS14-058 (October 2014), so the practical check on a host is whether that update is installed. The qemu row, with an Ubuntu package version as its fix, does not match a Windows kernel-mode font-parsing bug and appears to be a mis-associated downstream package record rather than a real affected product; verify it against the original source before acting on it.

Detection & IOCs (extracted from sources)

hash (32 hex chars, MD5-length)  683afdef710bf3c96d42e6d9e7275130
hash (32 hex chars, MD5-length)  79e263f78e69110c09642bbb30f09ace
filename                         hdmsvc.exe
filename                         winlib.dll
  • Black Lambert, the payload delivered by the CVE-2014-4148 exploit, carries internal config markers: toolType=wl, build=132914, versionName=2.0.0. Scanning process memory and extracted config blobs for these strings identifies Black Lambert implants.
  • White Lambert, the second-stage tool linked to the CVE-2014-4148 campaign, runs in kernel mode and sniffs network traffic for specially crafted packets. Detection should focus on unsigned kernel-mode drivers being loaded and on abuse of the signed SiSoftware Sandra driver, which the tool uses to get its code into the kernel.
  • The exploit is delivered as a crafted TrueType font (TTF) file that is parsed in the kernel by win32k.sys. Font parsing itself is not observable from user mode, so detection sits on either side of it: at the delivery layer (fonts embedded in documents or web content from untrusted sources) and on the symptom side (win32k.sys bugchecks and crash dumps, or unexpected code execution in a process that had just loaded a font).
  • Only one Black Lambert sample is publicly known; the two hashes (loader hdmsvc.exe and payload winlib.dll) represent the complete known sample set for this CVE's direct payload.
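The hash, filename and config-marker indicators above are easiest to act on as a small scanner that can be pointed at dropped files or memory dumps. The block below is an added example written for this page, not code from the original page or from any vendor report. It assumes the two 32-character hashes are MD5 (the page gives only the digests), that the Black Lambert config markers may be stored as ASCII or UTF-16LE (Windows binaries use both), and the sample blobs at the bottom are constructed for the demonstration, not real malware.

```python
"""IOC matcher for the CVE-2014-4148 / Black Lambert indicators.

Added example, not code from the page or from any vendor report.
Assumptions: the 32-hex-character hashes are MD5; config markers may be
ASCII or UTF-16LE; SAMPLES are constructed test blobs.
"""
import hashlib
from dataclasses import dataclass, field

# Indicators as listed on the page.
KNOWN_HASHES = {
    "683afdef710bf3c96d42e6d9e7275130",
    "79e263f78e69110c09642bbb30f09ace",
}
KNOWN_FILENAMES = {"hdmsvc.exe", "winlib.dll"}
CONFIG_MARKERS = ("toolType=wl", "build=132914", "versionName=2.0.0")

# Each marker in both encodings; the markers are literal config keys, so the match is case-sensitive.
_MARKER_BYTES = [
    (m, enc, m.encode(codec))
    for m in CONFIG_MARKERS
    for enc, codec in (("ascii", "ascii"), ("utf-16le", "utf-16-le"))
]


@dataclass
class Finding:
    name: str
    hash_match: bool = False
    filename_match: bool = False
    markers: list = field(default_factory=list)  # e.g. ["toolType=wl (utf-16le)"]

    @property
    def suspicious(self) -> bool:
        return self.hash_match or self.filename_match or bool(self.markers)


def md5_hex(data: bytes) -> str:
    """MD5 digest as lowercase hex (assumption: the page's hashes are MD5)."""
    return hashlib.md5(data).hexdigest()


def scan_blob(name: str, data: bytes, known_hashes=KNOWN_HASHES) -> Finding:
    """Check one file or memory blob against the hash, filename and string indicators."""
    f = Finding(name=name)
    f.hash_match = md5_hex(data) in known_hashes
    # Match the base name only, case-insensitively (NTFS is case-preserving, not case-sensitive).
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    f.filename_match = base in KNOWN_FILENAMES
    for marker, enc, needle in _MARKER_BYTES:
        if needle in data:
            f.markers.append(f"{marker} ({enc})")
    return f


def scan_many(blobs: dict) -> list:
    """Return a Finding for every blob that trips at least one indicator."""
    return [f for f in (scan_blob(n, d) for n, d in blobs.items()) if f.suspicious]


# Constructed samples: just bytes that exercise each indicator.
SAMPLES = {
    r"C:\Windows\Temp\hdmsvc.exe": b"MZ\x90\x00" + b"\x00" * 64,          # filename hit only
    "memdump_1234.bin": (b"\x00" * 16 + "toolType=wl".encode("utf-16-le")
                         + b"\x00" * 8 + b"build=132914\x00"),           # markers, both encodings
    "notepad.exe": b"MZ\x90\x00" + b"harmless padding" * 4,               # clean
}

if __name__ == "__main__":
    for f in scan_many(SAMPLES):
        print(f"{f.name}: hash={f.hash_match} filename={f.filename_match} markers={f.markers}")
```

A filename hit on its own is weak evidence (any file can be called hdmsvc.exe), so treat it as a pivot for hashing and string-scanning the file rather than as a verdict; the config-marker hits are the stronger signal because they come from the implant's own configuration and survive recompilation of the loader.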

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      8.8     HIGH       CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd         v2.0      9.3     CRITICAL   AV:N/AC:M/Au:N/C:C/I:C/A:C
osv         -         7.5     HIGH       -
vulncheck   -         8.8     HIGH       -
cisa        -         8.8     HIGH       -