cbcvebase.
CVE-2014-6332
published 2014-11-11

Priority: P197, high; CVSS 3.1 base score 8.8
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H
Tags: KEV, ITW, EXPLOIT, Ransomware
CISA Known Exploited Vulnerability, due 2022-04-15
Exploited in the wild
EPSS: 95.00% (99.9th percentile)
OleAut32.dll in OLE in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to execute arbitrary code via a crafted web site, as demonstrated by an array-redimensioning attempt that triggers improper handling of a size value in the SafeArrayDimen function, aka "Windows OLE Automation Array Remote Code Execution Vulnerability."

Affected (2 ranges)

Vendor     Product              Version range   Fixed in
microsoft  windows_server_2008  (not listed)    (not listed)
microsoft  windows_server_2012  (not listed)    (not listed)

Detection & IOCs (extracted from sources)

filename: shadow.jpg
filename: windump.exe
filename: mm.dll
path: %APPDATA%\vcl.tmp
path: %TEMP%\vcl.tmp
filename: IePorxyv.dll
cookie: HTTP Cookie field used to transmit encrypted C2 data (Pirpi)
command: rundll32","""""""&strValue&"\mm.dll"""",Setting
bytes: 0xDEADBEEF41414141
  • The CVE-2014-6332 SWF exploit shellcode bypasses EMET EAF by calling NtSetContextThread to override debug registers, eliminating EMET's EAF feature. Detect NtSetContextThread calls that modify debug registers from within browser/Flash processes.
  • The exploit shellcode checks for the presence of EMET.dll in the process before choosing its WinExec invocation path. Monitor for EMET.dll presence checks from shellcode-like memory regions.
  • The exploit drops a payload PE disguised as a JPEG ('shadow.jpg') marked with magic bytes 0xDEADBEEF41414141. Scan files with .jpg extension for this magic value as a detection signal.
  • The exploit writes a payload to '%TEMP%\windump.exe' and executes it via WinExec. Alert on windump.exe creation in the user's Temp directory from browser or Office processes.
  • The ROP chain is triggered by overriding a Sound object's vtable and calling toString. Detect vtable overwrites on Sound objects in Flash processes as an exploitation indicator.
  • Pirpi malware uses HTTP GET requests with encrypted data in the Cookie header for C2 communication. Detect anomalous Cookie header content in GET requests to unknown domains from endpoints.
  • The Lotus Blossom exploit payload is loaded via rundll32 with export 'Setting' from mm.dll in %LOCALAPPDATA%. Alert on rundll32 executing DLLs from AppData with the 'Setting' export argument.
  • The exploit shellcode uses a ror-7 hash algorithm on kernel32.dll function names to resolve APIs; the constant 0xC917432 identifies LoadLibraryA. Use this constant in memory scanning or shellcode emulation rules.
  • Pirpi checks for a configuration file at %APPDATA%\vcl.tmp or %TEMP%\vcl.tmp. Alert on creation or access of vcl.tmp in these locations as a Pirpi infection indicator.
  • The Pirpi payload (IePorxyv.dll) uses a configuration file (vcl.tmp) for C2 domains if present; otherwise it falls back to hardcoded C2 domains encoded inside the binary. Detection based solely on network IOCs may miss cases where vcl.tmp overrides hardcoded values.
  • The CVE-2014-6332 SWF exploit's EMET bypass is incomplete: it would still be caught by EMET's stack pivot check on VirtualAlloc, meaning EMET 4.1 with stack pivot protection enabled would block this specific sample.
  • The Lotus Blossom attack used a slightly modified version of the publicly available CVE-2014-6332 PoC VBScript; detections based on the exact PoC may miss actor-modified variants that remove comments and add payload extraction logic.
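An added detection example for the disguised-JPEG indicator above (written for this page; it is not code from the CVE record or from any vendor tool): it flags a file with a .jpg extension that lacks a JPEG header, carries the 0xDEADBEEF41414141 marker, or holds a PE image. The marker's byte order on disk and the PE-directly-after-marker layout are assumptions, so both byte orders are matched.

```python
import os
import struct

# Marker named in the IOC list; its on-disk encoding is an assumption,
# so both byte orders are matched.
MARKER_VALUE = 0xDEADBEEF41414141
MARKERS = (struct.pack(">Q", MARKER_VALUE), struct.pack("<Q", MARKER_VALUE))
JPEG_SOI = b"\xff\xd8\xff"  # every real JPEG begins with this
PE_MAGIC = b"MZ"


def scan_jpeg_bytes(name, data):
    """Return a list of findings for a file that claims (by extension) to be a JPEG.

    An empty list means nothing suspicious; non-JPEG extensions are ignored.
    """
    findings = []
    if not name.lower().endswith((".jpg", ".jpeg")):
        return findings
    if not data.startswith(JPEG_SOI):
        findings.append("no JPEG header")
    marker_off = -1
    for marker in MARKERS:
        marker_off = data.find(marker)
        if marker_off != -1:
            findings.append("marker 0xDEADBEEF41414141 at offset %d" % marker_off)
            break
    # A PE image at the start of the file, or right after the marker, means the
    # 'image' is really an executable (the after-marker layout is an assumption).
    if data.startswith(PE_MAGIC):
        findings.append("PE header at offset 0")
    elif marker_off != -1 and data[marker_off + 8:marker_off + 10] == PE_MAGIC:
        findings.append("PE header at offset %d" % (marker_off + 8))
    return findings


def scan_directory(root):
    """Walk root and return {path: findings} for every flagged JPEG."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                findings = scan_jpeg_bytes(fn, fh.read())
            if findings:
                hits[path] = findings
    return hits


# Constructed samples (not real malware): a clean JPEG header and a fake
# 'shadow.jpg' carrying the marker followed by a PE stub.
SAMPLE_BENIGN = b"\xff\xd8\xff\xe0" + b"\x00" * 28
SAMPLE_DISGUISED = MARKERS[0] + b"MZ\x90\x00" + b"\x00" * 20

if __name__ == "__main__":
    print(scan_jpeg_bytes("photo.jpg", SAMPLE_BENIGN))  # []
    print(scan_jpeg_bytes("shadow.jpg", SAMPLE_DISGUISED))
```

Run `scan_directory` over a user's Temp or AppData folder to turn the single-file check into a sweep; a hit on the marker alone is a strong signal, while "no JPEG header" by itself only says the file is not what its extension claims.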

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     8.8    HIGH      CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd        v2.0     9.3    CRITICAL  AV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck           8.8    HIGH
cisa                8.8    HIGH