CVE-2014-0322

Published: 14/02/2014 Updated: 12/10/2018
CVSS v2 Base Score: 9.3 | Impact Score: 10 | Exploitability Score: 8.6
VMScore: 984
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Summary

Use-after-free vulnerability in Microsoft Internet Explorer 9 and 10 allows remote malicious users to execute arbitrary code via vectors involving crafted JavaScript code, CMarkup, and the onpropertychange attribute of a script element, as exploited in the wild in January and February 2014.

Affected Products

Vendor      Product             Versions
Microsoft   Internet Explorer   9, 10

Exploits

<!-- MS14-012 Internet Explorer CMarkup Use-After-Free
Vendor Homepage: www.microsoft.com
Version: IE 10
Date: 2014-03-31
Exploit Author: Jean-Jamil Khalife
Tested on: Windows 7 SP1 x64 (fr, en)
Flash versions tested: Adobe Flash Player (12.0.0.70, 12.0.0.77)
Home: www.hdwsec.fr
Blog: www.hdwsec.fr/blog/
MS14-012 ...

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: github.com/rapid7/metasploit-framework
##
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::BrowserExploitServer

  def initialize(info={})
    super(update_info(info,
      'Name' ...

Mailing Lists

Microsoft Internet Explorer CMarkup use-after-free exploit that demonstrates the issue documented in MS14-012 ...
This Metasploit module exploits a use-after-free condition in Internet Explorer as used in the wild in "Operation SnowMan" in February 2014. The module uses Flash Player 12 in order to bypass ASLR and finally DEP ...

Metasploit Modules

MS14-012 Microsoft Internet Explorer CMarkup Use-After-Free

This module exploits a use-after-free condition in Internet Explorer as used in the wild as part of "Operation SnowMan" in February 2014. The module uses Flash Player 12 in order to bypass ASLR and DEP.

msf > use exploit/windows/browser/ms14_012_cmarkup_uaf
msf exploit(ms14_012_cmarkup_uaf) > show targets
    ...targets...
msf exploit(ms14_012_cmarkup_uaf) > set TARGET <target-id>
msf exploit(ms14_012_cmarkup_uaf) > show options
    ...show and set options...
msf exploit(ms14_012_cmarkup_uaf) > exploit

Github Repositories

odoyle-rules: #Infinity EK malware.dontneedcoffee.com/2014/03/cve-2014-0322-integrating-exploit-kits.html blog.spiderlabs.com/2014/05/exploit-kit-roundup-best-of-obfuscation-techniques.html ##CVE-2014-0322 www.symantec.com/connect/blogs/emerging-threat-ms-ie-10-zero-day-cve-2014-0322-use-after-free-remote-code-execution-vulnerabi #Magnitude EK blogsp

APT Notes: This is a repository for various publicly-available documents and notes related to APT, sorted by year. For malware sample hashes, please see the individual reports. ARCHIVED! THIS REPO IS NOW MAINTAINED AT github.com/aptnotes/data. Please update your bookmarks. This repo is backported only once in a while. The new repo makes it easier for automation. To add

PrimGen: In many cases, the given input which triggers a vulnerability and crashes a process does not enter an exploitable state. In our paper we discuss what we can automate in a scalable fashion. How much more challenging can it be than tackling the problem for browsers? This repository contains data we presented in our paper: www.syssec.ruhr-uni-bochum.de/research/publicatio

Vulnerability Analysis And Exploit: browser and plugin vulnerability debugging. Browser debugging quick reference: [IE][CVE-2018-8174 analysis] UAF; [IE][CVE-2014-6332 analysis] integer overflow; [IE][CVE-2016-0189 analysis] UAF; [IE][CVE-2014-0322 analysis] UAF; [Chrome][CVE-2016-5197 analysis] OOB; [Chrome][CVE-2017-5070 analysis] Type Confusion. Tutorials: Learning V8; Learning V8; Windows Exploit Development [20190228][Part0: H

APT & CyberCriminal Campaign Collection: This is a collection of APT and CyberCriminal campaigns. Please file an issue if any APT/Malware events/campaigns are missing. 🤷 The password of malware samples could be 'virus' or 'infected'. URL to PDF Tool: Print Friendly & PDF. Reference Resources: kbandla APTnotes, Florian Roth - APT Groups, Attack Wiki

APT & CyberCriminal Campaign Collection: This is a collection of APT and CyberCriminal campaigns. Please file an issue if any APT/Malware events/campaigns are missing. 🤷 The password of malware samples could be 'virus' or 'infected'. Reference Resources: kbandla APTnotes, Florian Roth - APT Groups, Attack Wiki, threat-INTel, targetedthreats, Raw Threat Intel

Exploit Development: Case Studies: This repository is intended as a personal list of exploit development case studies I stumble upon during my work. My categorization is not very granular — I'm skipping differentiation between user-mode and kernel-mode, as well as the type of software being exploited. Exploit primitives are what's really important, therefore the

MicroSoft Office RCEs: A collection of Microsoft Office vulnerabilities that could end up in remote command execution: CVE-2012-0158; CVE-2015-1641 (customXML type confusion); CVE-2016-7193 (dfrxst); CVE-2017-0199; CVE-2017-8570; CVE-2017-8759 (.NET Framework); CVE-2017-11182; CVE-2017-11826 (EQNEDT32.EXE); CVE-2018-0802 (EQNEDT32.EXE again); CVE-2018-0797 (RTF UAF); CVE-2018-8597 (Excel); CVE-2018

Recent Articles

Chinese web giant finds Windows zero-day, stays schtum on specifics
The Register • Richard Chirgwin • 23 Apr 2018

Qihoo 360 plays the responsible disclosure game

Chinese company Qihoo 360 says it's found a Windows zero-day in the wild, but because it's notified Microsoft, it's not telling anyone else how it works.
In this Weibo post (unless you speak Mandarin you'll need a translation tool), the company announced an “APT attack” on the unspecified zero-day “on a global scale”.
It called the vulnerability a “double kill” bug, said it exploits “the latest version of Internet Explorer and applications that use the IE kernel”, an...

US Arrests Chinese Man Involved With Sakula Malware Used in OPM and Anthem Hacks
BleepingComputer • Catalin Cimpanu • 26 Aug 2017

The FBI has arrested a Chinese national on accusations of distributing and infecting US companies with the Sakula malware, the same malware used in the OPM and Anthem hacks.
The suspect's name is Yu Pingan, 26, of Shanghai. US authorities arrested Yu on Monday, August 21, at the Los Angeles airport, as the suspect entered the US to attend a security conference.
According to an official indictment, authorities accused Yu and two other unnamed co-conspirators of infecting four US compa...

Researchers say Anthem health hack has Beijing's fingerprints
The Register • Darren Pauli • 29 Jul 2015

'Black Vine' gang, late of China, fingered as source of heist that lifted 70 million records

The case for a Beijing-orchestrated hack of health insurer Anthem has firmed up with new details suggesting that the sophisticated hacking group responsible for the heist shared zero days with rival outfits.
Symantec has overnight dubbed the perps "Black Vine", suggesting the group was responsible for goring more than 70 million personal records from the US company in February.
The security firm paints the group as ultra-sophisticated and unusually keen to share its precious trove of...

APT Group Exploiting Hacking Team Flash Zero Day
Threatpost • Michael Mimoso • 09 Jul 2015

The Wekby APT group, implicated in a number of targeted attacks against health care organizations such as Community Health Systems and major pharmaceutical companies, is reportedly making use of the Adobe Flash Player zero-day found in the Hacking Team data dump.
According to Virginia-based security company Volexity, spear phishing messages purporting to be from Adobe have been found spreading a modified version of the Hacking Team exploit that affects Flash Player versions up to 18.0.0.19...

Hacking Team Flash Zero Day Weaponized in Exploit Kits
Threatpost • Michael Mimoso • 08 Jul 2015

Handlers for three major exploit kits have managed to utilize in short order a zero-day vulnerability in Adobe Flash Player uncovered among the 400 Gb of data stolen from Hacking Team.
Experts, including French researcher Kafeine and a number of others from security companies, revealed last night that the Angler, Neutrino, and Nuclear kits had incorporated exploits for the zero day, which Adobe has patched.
The Hacking Team breach was disclosed on Sunday and by Monday afternoon, wor...

Win32/Aibatook: Banking Trojan Spreading Through Japanese Adult Websites
welivesecurity • ESET Research • 16 Jul 2014

This blog post will explore a malware family named Win32/Aibatook, which targets Japanese users’ banking information and hosting providers’ account credentials. It appeared at the end of 2013 and a previous version has already been documented by Symantec, which has even sinkholed some of Win32/Aibatook’s C&C servers. Far from being discouraged, the operators have since published an updated version and moved from Delphi to C++ as their programming language. This post will focus on this ...

Critical Internet Explorer zero-day vulnerability patched by Microsoft
welivesecurity • Graham Cluley • 12 Mar 2014

For this month’s Patch Tuesday, Microsoft has released five bulletins, tackling a total of 23 different security holes in Microsoft Windows, Internet Explorer and Silverlight.
The most important security update is undoubtedly the one for Internet Explorer, applicable for virtually all versions of the browser, which includes a fix for a zero-day vulnerability (CVE-2014-0322) that has already been exploited by hackers in targeted attacks against some organisations.
Last month, Micros...

Hackers Milk IE Zero Day Before Patch
Threatpost • Brian Donohue • 11 Mar 2014

Attackers have increased their exploitation of an Internet Explorer zero day vulnerability (CVE-2014-0322) set to be fixed by Microsoft in its regularly scheduled patch Tuesday release later this afternoon.
According to a Websense report, the exploit source code deployed in at least two incidents – one targeting a French aerospace manufacturer and another targeting the website of Veterans of Foreign Wars – appears to have been made public. This publication and the subsequent addition o...

Fiendish Internet Explorer 10 zero-day targets US soldiers
The Register • John Leyden • 14 Feb 2014

Malware blizzard timed to coincide with snowstorms

Cyberspies have used an unpatched vulnerability in Internet Explorer 10 in an exploit which appears to target US military personnel.
Among three high-priority updates in the most recent Patch Tuesday (11 February) was a cumulative fix for Explorer which addressed a whopping two dozen different memory corruption vulnerabilities in the web browser.
However that very same day, net security firm FireEye identified a zero-day IE exploit (CVE-2014-0322) being served up from the US Veteran...

New IE 10 Zero Day Targeting Military Intelligence
Threatpost • Chris Brook • 14 Feb 2014

Attackers were able to compromise the U.S. Veterans of Foreign Wars’ website this week and serve up a previously unknown zero day exploit in Internet Explorer 10, and while motivation behind the campaign is still unclear, experts are speculating its aim was to procure military intelligence.
According to researchers at FireEye, the campaign, dubbed Operation SnowMan, follows in the footsteps of operations DeputyDog and Ephemeral Hydra, two campaigns that recently used IE zero days to carr...