Microsoft Internet Explorer CTraversalMarkupPointer Use-After-Free Remote Code Execution Vulnerability
2014-03-20T00:00:00
ID ZDI-14-030 Type zdi Reporter lokihardt@ASRT Modified 2014-11-09T00:00:00
Description
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the handling of CTraversalMarkupPointer objects. By manipulating a document's elements an attacker can force a dangling pointer to be reused after it has been freed. An attacker can leverage this vulnerability to execute code under the context of the current process.
{"enchantments": {"score": {"value": 9.3, "vector": "NONE"}, "vulnersScore": 9.3}, "edition": 2, "href": "http://www.zerodayinitiative.com/advisories/ZDI-14-030", "modified": "2014-11-09T00:00:00", "published": "2014-03-20T00:00:00", "history": [{"differentElements": ["modified"], "edition": 1, "lastseen": "2016-09-04T11:33:47", "bulletin": {"published": "2014-03-20T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-14-030", "modified": "2014-09-04T00:00:00", "edition": 1, "history": [], "bulletinFamily": "info", "viewCount": 0, "objectVersion": "1.2", "hash": "fba67eb27f35b718857f9a94f48462d94f2d5bc2fcd61c921bc8396db74d1e6c", "title": " Microsoft Internet Explorer CTraversalMarkupPointer Use-After-Free Remote Code Execution Vulnerability", "references": ["https://technet.microsoft.com/en-us/security/bulletin/MS14-012"], "cvelist": ["CVE-2014-0297"], "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the handling of CTraversalMarkupPointer objects. By manipulating a document's elements an attacker can force a dangling pointer to be reused after it has been freed. An attacker can leverage this vulnerability to execute code under the context of the current process.", "type": "zdi", "id": "ZDI-14-030", "lastseen": "2016-09-04T11:33:47", "reporter": "lokihardt@ASRT", "hashmap": [{"hash": "8e73766bfcb6907954a73aee752d451c", "key": "cvelist"}, {"hash": "0134fe69dea3f5ef944877e85fc04a11", "key": "published"}, {"hash": "2076413bdcb42307d016f5286cbae795", "key": "cvss"}, {"hash": "bdc2727f1a4e5a7f7e596505fe5080b5", "key": "href"}, {"hash": "3dd086b59554fe33c1b8f051475b4b31", "key": "type"}, {"hash": "56765472680401499c79732468ba4340", "key": "objectVersion"}, {"hash": "9744f7523609b20d5b80ddb4ee08965b", "key": "description"}, {"hash": "caf9b6b99962bf5c2264824231d7a40c", "key": "bulletinFamily"}, {"hash": "40f301cf5bf06cd9fd6bec4010cfd3bd", "key": "title"}, {"hash": "835a9175efab917a0b22aa38fc885338", "key": "reporter"}, {"hash": "5be4bf0fee0b07c96c57ceef8efcf4a9", "key": "references"}, {"hash": "9a10e9ed12ba0880a3e4c132dbded84d", "key": "modified"}], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}}], "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the handling of CTraversalMarkupPointer objects. By manipulating a document's elements an attacker can force a dangling pointer to be reused after it has been freed. An attacker can leverage this vulnerability to execute code under the context of the current process.", "bulletinFamily": "info", "viewCount": 0, "objectVersion": "1.2", "hash": "6e4b4acd8f68ef4297c1486d5c42673eeb7a9c9d22fde55af8f25bcc2121016a", "title": " Microsoft Internet Explorer CTraversalMarkupPointer Use-After-Free Remote Code Execution Vulnerability", "references": ["https://technet.microsoft.com/en-us/security/bulletin/MS14-012"], "cvelist": ["CVE-2014-0297"], "type": "zdi", "id": "ZDI-14-030", "lastseen": "2016-11-09T00:17:58", "reporter": "lokihardt@ASRT", "hashmap": [{"hash": "caf9b6b99962bf5c2264824231d7a40c", "key": "bulletinFamily"}, {"hash": "8e73766bfcb6907954a73aee752d451c", "key": "cvelist"}, {"hash": "2076413bdcb42307d016f5286cbae795", "key": "cvss"}, {"hash": "9744f7523609b20d5b80ddb4ee08965b", "key": "description"}, {"hash": "bdc2727f1a4e5a7f7e596505fe5080b5", "key": "href"}, {"hash": "0e8f4f13c11de32dac689cf2a0ab4284", "key": "modified"}, {"hash": "56765472680401499c79732468ba4340", "key": "objectVersion"}, {"hash": "0134fe69dea3f5ef944877e85fc04a11", "key": "published"}, {"hash": "5be4bf0fee0b07c96c57ceef8efcf4a9", "key": "references"}, {"hash": "835a9175efab917a0b22aa38fc885338", "key": "reporter"}, {"hash": "40f301cf5bf06cd9fd6bec4010cfd3bd", "key": "title"}, {"hash": "3dd086b59554fe33c1b8f051475b4b31", "key": "type"}], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}
{"cve": [{"lastseen": "2018-10-13T11:06:28", "references": ["https://docs.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-012"], "description": "Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka \"Internet Explorer Memory Corruption Vulnerability,\" a different vulnerability than CVE-2014-0308, CVE-2014-0312, and CVE-2014-0324.", "edition": 2, "reporter": "NVD", "published": "2014-03-12T01:15:19", "title": "CVE-2014-0297", "type": "cve", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2014-0297"], "scanner": [], "modified": "2018-10-12T18:05:49", "cpe": ["cpe:/a:microsoft:internet_explorer:11:-", "cpe:/a:microsoft:internet_explorer:8", "cpe:/a:microsoft:internet_explorer:10", "cpe:/a:microsoft:internet_explorer:9"], "id": "CVE-2014-0297", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0297", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "symantec": [{"lastseen": "2018-03-13T06:16:54", "references": [], "description": "### Description\n\nMicrosoft Internet Explorer is prone to a memory-corruption vulnerability due to a use-after-free condition. Attackers can exploit this issue to execute arbitrary code in the context of the currently logged-in user. Failed attacks will cause denial-of-service conditions.\n\n### Technologies Affected\n\n * Avaya Aura Conferencing 6.0 \n * Avaya Aura Conferencing 7.0 \n * Avaya CallPilot 4.0 \n * Avaya CallPilot 4.0.1 \n * Avaya CallPilot 5.0 \n * Avaya CallPilot 5.0.1 \n * Avaya Communication Server 1000 Telephony Manager 3.0 \n * Avaya Communication Server 1000 Telephony Manager 3.0.1 \n * Avaya Communication Server 1000 Telephony Manager 4.0 \n * Avaya Communication Server 1000 Telephony Manager 4.0.1 \n * Avaya Meeting Exchange - Client Registration Server 5.0 \n * Avaya Meeting Exchange - Client Registration Server 5.0.1 \n * Avaya Meeting Exchange - Client Registration Server 5.2 \n * Avaya Meeting Exchange - Client Registration Server 5.2.1 \n * Avaya Meeting Exchange - Client Registration Server 6.0 \n * Avaya Meeting Exchange - Client Registration Server 6.2 \n * Avaya Meeting Exchange - Recording Server 5.2.1 \n * Avaya Meeting Exchange - Recording Server 6.0 \n * Avaya Meeting Exchange - Recording Server 6.2 \n * Avaya Meeting Exchange - Streaming Server 5.0 \n * Avaya Meeting Exchange - Streaming Server 5.0 \n * Avaya Meeting Exchange - Streaming Server 5.0.1 \n * Avaya Meeting Exchange - Streaming Server 5.2 \n * Avaya Meeting Exchange - Streaming Server 5.2.1 \n * Avaya Meeting Exchange - Streaming Server 6.0 \n * Avaya Meeting Exchange - Streaming Server 6.2 \n * Avaya Meeting Exchange - Web Conferencing Server 5.0 \n * Avaya Meeting Exchange - Web Conferencing Server 5.0.1 \n * Avaya Meeting Exchange - Web Conferencing Server 5.2 \n * Avaya Meeting Exchange - Web Conferencing Server 5.2.1 \n * Avaya Meeting Exchange - Web Conferencing Server 6.0 \n * Avaya Meeting Exchange - Web Conferencing Server 6.2 \n * Avaya Meeting Exchange - Webportal 5.0 \n * Avaya Meeting Exchange - Webportal 5.0.1 \n * Avaya Meeting Exchange - Webportal 5.2 \n * Avaya Meeting Exchange - Webportal 5.2.1 \n * Avaya Meeting Exchange - Webportal 6.0 \n * Avaya Meeting Exchange - Webportal 6.2 \n * Avaya Messaging Application Server 5.0 \n * Avaya Messaging Application Server 5.0.1 \n * Avaya Messaging Application Server 5.2 \n * Avaya Messaging Application Server 5.2.1 \n * Microsoft Internet Explorer 10 \n * Microsoft Internet Explorer 11 \n * Microsoft Internet Explorer 8 \n * Microsoft Internet Explorer 9 \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This includes but is not limited to requests that include NOP sleds and unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\n**Implement multiple redundant layers of security.** \nMemory-protection schemes (such as nonexecutable stack and heap configurations and randomly mapped memory segments) will complicate exploits of memory-corruption vulnerabilities.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "edition": 2, "reporter": "Symantec Security Response", "published": "2014-03-11T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "symantec", "title": "Microsoft Internet Explorer CVE-2014-0297 Memory Corruption Vulnerability", "bulletinFamily": "software", "affectedSoftware": [{"name": "Microsoft Internet Explorer", "version": "11 ", "operator": "eq"}, {"name": "Avaya Communication Server", "version": "1000 Telephony Manager 4.0.1 ", "operator": "eq"}, {"name": "Avaya Meeting Exchange - Streaming Server", "version": "5.0.1 ", "operator": "eq"}, {"name": "Avaya Communication Server", "version": "1000 Telephony Manager 3.0 ", "operator": "eq"}, {"name": "Avaya Meeting Exchange - Webportal", "version": "6.0 ", "operator": "eq"}, {"name": "Avaya Meeting Exchange - Web Conferencing Server", "version": "5.0 ", "operator": "eq"}, {"name": "Avaya CallPilot", "version": "5.0.1 ", "operator": "eq"}, {"name": "Avaya Aura Conferencing", "version": "6.0 ", "operator": "eq"}, {"name": "Avaya Aura Conferencing", "version": "7.0 ", "operator": "eq"}, {"name": "Avaya Communication Server", "version": "1000 Telephony Manager 4.0 ", "operator": "eq"}, {"name": "Avaya Meeting Exchange - Recording Server", "version": "6.0 ", "operator": "eq"}, {"name": "Avaya Meeting Exchange - Webportal", "version": "5.2.1 ", "operator": "eq"}, {"name": "Avaya CallPilot", "version": "4.0.1 ", "operator": "eq"}, {"name": "Avaya Meeting Exchange - Webportal", "version": "5.2 ", "operator": "eq"}, {"name": "Avaya Meeting Exchange - Streaming Server", "version": "6.2 ", "operator": "eq"}, {"name": "Avaya Meeting Exchange - Web Conferencing Server", "version": "5.2.1 ", "operator": "eq"}, {"name": "Avaya Meeting Exchange - Web Conferencing Server", "version": "6.2 ", "operator": "eq"}, {"name": "Avaya Meeting Exchange - Client Registration Server", "version": "6.0 ", "operator": "eq"}, {"name": "Avaya Messaging Application Server", "version": "5.0 ", "operator": "eq"}, {"name": "Avaya Messaging Application Server", "version": "5.2.1 ", "operator": "eq"}, {"name": "Avaya Meeting Exchange - Client Registration Server", "version": "5.0 ", "operator": "eq"}, {"name": "Avaya Meeting Exchange - Web Conferencing Server", "version": "6.0 ", "operator": "eq"}, {"name": "Avaya CallPilot", "version": "4.0 ", "operator": "eq"}, {"name": "Microsoft Internet Explorer", "version": "9 ", "operator": "eq"}, {"name": "Avaya Meeting Exchange - Webportal", "version": "5.0 ", "operator": "eq"}, {"name": "Avaya Communication Server", "version": "1000 Telephony Manager 3.0.1 ", "operator": "eq"}, {"name": "Avaya Meeting Exchange - Web Conferencing Server", "version": "5.2 ", "operator": "eq"}, {"name": "Avaya Meeting Exchange - Webportal", "version": "5.0.1 ", "operator": "eq"}, {"name": "Avaya Meeting Exchange - Recording Server", "version": "5.2.1 ", "operator": "eq"}, {"name": "Avaya Meeting Exchange - Streaming Server", "version": "6.0 ", "operator": "eq"}, {"name": "Avaya Meeting Exchange - Client Registration Server", "version": "5.0.1 ", "operator": "eq"}, {"name": "Avaya Meeting Exchange - Client Registration Server", "version": "5.2 ", "operator": "eq"}, {"name": "Microsoft Internet Explorer", "version": "8 ", "operator": "eq"}, {"name": "Avaya CallPilot", "version": "5.0 ", "operator": "eq"}, {"name": "Avaya Meeting Exchange - Recording Server", "version": "6.2 ", "operator": "eq"}, {"name": "Avaya Meeting Exchange - Client Registration Server", "version": "5.2.1 ", "operator": "eq"}, {"name": "Microsoft Internet Explorer", "version": "10 ", "operator": "eq"}, {"name": "Avaya Meeting Exchange - Streaming Server", "version": "5.2.1 ", "operator": "eq"}, {"name": "Avaya Messaging Application Server", "version": "5.0.1 ", "operator": "eq"}, {"name": "Avaya Meeting Exchange - Webportal", "version": "6.2 ", "operator": "eq"}, {"name": "Avaya Meeting Exchange - Streaming Server", "version": "5.0 ", "operator": "eq"}, {"name": "Avaya Meeting Exchange - Streaming Server", "version": "5.0 ", "operator": "eq"}, {"name": "Avaya Meeting Exchange - Streaming Server", "version": "5.2 ", "operator": "eq"}, {"name": "Avaya Meeting Exchange - Client Registration Server", "version": "6.2 ", "operator": "eq"}, {"name": "Avaya Meeting Exchange - Web Conferencing Server", "version": "5.0.1 ", "operator": "eq"}, {"name": "Avaya Messaging Application Server", "version": "5.2 ", "operator": "eq"}], "cvelist": ["CVE-2014-0297"], "modified": "2014-03-11T00:00:00", "id": "SMNTC-66023", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/66023", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "seebug": [{"lastseen": "2017-11-19T17:30:46", "_object_types": ["robots.models.base.Bulletin", "robots.models.seebug.SeebugBulletin"], "enchantments_done": [], "references": [], "description": "BUGTRAQ ID: 66023\r\nCVE(CAN) ID: CVE-2014-0297\r\n\r\nInternet Explorer\u662f\u5fae\u8f6f\u516c\u53f8\u63a8\u51fa\u7684\u4e00\u6b3e\u7f51\u9875\u6d4f\u89c8\u5668\u3002\r\n\r\nInternet Explorer \u6ca1\u6709\u6b63\u786e\u8bbf\u95ee\u5185\u5b58\u5bf9\u8c61\uff0c\u5728\u5b9e\u73b0\u4e0a\u5b58\u5728\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\uff0c\u6210\u529f\u5229\u7528\u540e\u53ef\u7834\u574f\u5185\u5b58\uff0c\u5728\u5f53\u524d\u7528\u6237\u6743\u9650\u4e0b\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002\r\n0\r\nMicrosoft Internet Explorer 6-11\r\n\u4e34\u65f6\u89e3\u51b3\u65b9\u6cd5\uff1a\r\n\r\n\u5982\u679c\u60a8\u4e0d\u80fd\u7acb\u523b\u5b89\u88c5\u8865\u4e01\u6216\u8005\u5347\u7ea7\uff0cNSFOCUS\u5efa\u8bae\u60a8\u91c7\u53d6\u4ee5\u4e0b\u63aa\u65bd\u4ee5\u964d\u4f4e\u5a01\u80c1\uff1a\r\n\r\n\r\n * \u8bbe\u7f6e\u4e92\u8054\u7f51\u548c\u5185\u8054\u7f51\u5b89\u5168\u533a\u57df\u8bbe\u7f6e\u4e3a\u201c\u9ad8\u201d\r\n * \u914d\u7f6eIE\u5728\u8fd0\u884c\u6d3b\u52a8\u811a\u672c\u4e4b\u524d\u63d0\u793a\u6216\u76f4\u63a5\u7981\u7528\u3002\r\n * \u5e94\u7528Microsoft Fix it\u89e3\u51b3\u65b9\u6848\uff0c"MSHTML Shim Workaround"\uff0c\u963b\u6b62\u5229\u7528CVE-2014-0322\u3002\r\n\r\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nMicrosoft\r\n---------\r\nMicrosoft\u5df2\u7ecf\u4e3a\u6b64\u53d1\u5e03\u4e86\u4e00\u4e2a\u5b89\u5168\u516c\u544a\uff08MS14-012\uff09\u4ee5\u53ca\u76f8\u5e94\u8865\u4e01:\r\nMS14-012\uff1aCumulative Security Update for Internet Explorer (2925418)\r\n\u94fe\u63a5\uff1ahttp://technet.microsoft.com/security/bulletin/MS14-012", "reporter": "Root", "published": "2014-03-12T00:00:00", "title": "Microsoft Internet Explorer\u5185\u5b58\u7834\u574f\u6f0f\u6d1e(CVE-2014-0297)", "type": "seebug", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2014-0297", "CVE-2014-0322"], "_object_type": "robots.models.seebug.SeebugBulletin", "modified": "2014-03-12T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-61751", "id": "SSV:61751", "sourceData": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "", "status": "cve,details"}], "securityvulns": [{"lastseen": "2018-08-31T11:09:54", "references": [], "description": "Multiple memory corruptions.", "edition": 1, "reporter": "MICROSOFT", "published": "2014-03-18T00:00:00", "title": "Microsoft Internet Explorer multiple security vulnerabilities", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:09:54", "vector": "NONE", "value": 9.3}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "Windows", "version": "7", "operator": "eq"}, {"name": "Windows", "version": "8.1", "operator": "eq"}, {"name": "Windows", "version": "8", "operator": "eq"}], "cvelist": ["CVE-2014-0307", "CVE-2014-0313", "CVE-2014-0303", "CVE-2014-0322", "CVE-2014-0305", "CVE-2014-0299", "CVE-2014-0314", "CVE-2014-0306", "CVE-2014-0297", "CVE-2014-0321", "CVE-2014-0311", "CVE-2014-0304", "CVE-2014-0312", "CVE-2014-0298", "CVE-2014-0324", "CVE-2014-0308", "CVE-2014-0302", "CVE-2014-0309"], "modified": "2014-03-18T00:00:00", "id": "SECURITYVULNS:VULN:13605", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13605", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2018-11-17T03:10:20", "references": ["https://www.zerodayinitiative.com/advisories/ZDI-14-031/", "https://www.zerodayinitiative.com/advisories/ZDI-14-032/", "https://www.zerodayinitiative.com/advisories/ZDI-14-033/", "https://www.zerodayinitiative.com/advisories/ZDI-14-034/", "https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2014/ms14-012", "https://www.zerodayinitiative.com/advisories/ZDI-14-030/", "https://www.zerodayinitiative.com/advisories/ZDI-14-035/", "https://www.zerodayinitiative.com/advisories/ZDI-14-036/"], "pluginID": "72930", "description": "The remote host is missing Internet Explorer (IE) Security Update 2925418.\n\nThe installed version of IE is affected by multiple privilege escalation and memory corruption vulnerabilities that could allow an attacker to execute arbitrary code on the remote host. Additionally, the installed version of IE is affected by an information disclosure vulnerability.", "edition": 8, "reporter": "Tenable", "published": "2014-03-11T00:00:00", "title": "MS14-012: Cumulative Security Update for Internet Explorer (2925418)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 10.0}}, "naslFamily": "Windows : Microsoft Bulletins", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0307", "CVE-2014-0313", "CVE-2014-0303", "CVE-2014-0322", "CVE-2014-0305", "CVE-2014-0299", "CVE-2014-0314", "CVE-2014-0306", "CVE-2014-0297", "CVE-2014-0321", "CVE-2014-0311", "CVE-2014-0304", "CVE-2014-4112", "CVE-2014-0312", "CVE-2014-0298", "CVE-2014-0324", "CVE-2014-0308", "CVE-2014-0302", "CVE-2014-0309"], "modified": "2018-11-15T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:ie"], "id": "SMB_NT_MS14-012.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=72930", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(72930);\n script_version(\"1.21\");\n script_cvs_date(\"Date: 2018/11/15 20:50:31\");\n\n script_cve_id(\n \"CVE-2014-0297\",\n \"CVE-2014-0298\",\n \"CVE-2014-0299\",\n \"CVE-2014-0302\",\n \"CVE-2014-0303\",\n \"CVE-2014-0304\",\n \"CVE-2014-0305\",\n \"CVE-2014-0306\",\n \"CVE-2014-0307\",\n \"CVE-2014-0308\",\n \"CVE-2014-0309\",\n \"CVE-2014-0311\",\n \"CVE-2014-0312\",\n \"CVE-2014-0313\",\n \"CVE-2014-0314\",\n \"CVE-2014-0321\",\n \"CVE-2014-0322\",\n \"CVE-2014-0324\",\n \"CVE-2014-4112\"\n );\n script_bugtraq_id(\n 65551,\n 66023,\n 66025,\n 66026,\n 66027,\n 66028,\n 66029,\n 66030,\n 66031,\n 66032,\n 66033,\n 66034,\n 66035,\n 66036,\n 66037,\n 66038,\n 66039,\n 66040,\n 70266\n );\n script_xref(name:\"CERT\", value:\"732479\");\n script_xref(name:\"EDB-ID\", value:\"32851\");\n script_xref(name:\"EDB-ID\", value:\"32438\");\n script_xref(name:\"EDB-ID\", value:\"32904\");\n script_xref(name:\"MSFT\", value:\"MS14-012\");\n script_xref(name:\"MSKB\", value:\"2925418\");\n\n script_name(english:\"MS14-012: Cumulative Security Update for Internet Explorer (2925418)\");\n script_summary(english:\"Checks version of Mshtml.dll\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host has a web browser that is affected by multiple\nvulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is missing Internet Explorer (IE) Security Update\n2925418.\n\nThe installed version of IE is affected by multiple privilege\nescalation and memory corruption vulnerabilities that could allow an\nattacker to execute arbitrary code on the remote host. Additionally,\nthe installed version of IE is affected by an information disclosure\nvulnerability.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-14-030/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-14-031/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-14-032/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-14-033/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-14-034/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-14-035/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-14-036/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2014/ms14-012\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for XP, 2003, Vista, 2008, 7,\n2008 R2, 8, 2012, 8.1, and 2012 R2.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MS14-012 Microsoft Internet Explorer CMarkup Use-After-Free');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/02/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/03/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/03/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:ie\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS14-012';\nkb = '2925418';\n\nkbs = make_list(kb);\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(xp:'3', win2003:'2', vista:'2', win7:'1', win8:'0', win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\nif (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE);\n\nrootfile = hotfix_get_systemroot();\nif (!rootfile) exit(1, \"Failed to get the system root.\");\n\nshare = hotfix_path2share(path:rootfile);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n # Windows 8.1 / 2012 R2\n #\n # - Internet Explorer 11\n hotfix_is_vulnerable(os:\"6.3\", file:\"Mshtml.dll\", version:\"11.0.9600.16521\", min_version:\"11.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # Windows 8 / 2012\n #\n # - Internet Explorer 10\n hotfix_is_vulnerable(os:\"6.2\", file:\"Mshtml.dll\", version:\"10.0.9200.20963\", min_version:\"10.0.9200.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.2\", file:\"Mshtml.dll\", version:\"10.0.9200.16843\", min_version:\"10.0.9200.16000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n\n # Windows 7 / 2008 R2\n # - Internet Explorer 11\n hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"Mshtml.dll\", version:\"11.0.9600.16521\", min_version:\"11.0.9600.16000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 10\n hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"Mshtml.dll\", version:\"10.0.9200.20963\", min_version:\"10.0.9200.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"Mshtml.dll\", version:\"10.0.9200.16843\", min_version:\"10.0.9200.16000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 9\n hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"Mshtml.dll\", version:\"9.0.8112.20651\", min_version:\"9.0.8112.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"Mshtml.dll\", version:\"9.0.8112.16540\", min_version:\"9.0.8112.16000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 8\n hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"Mshtml.dll\", version:\"8.0.7601.22597\", min_version:\"8.0.7601.22000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"Mshtml.dll\", version:\"8.0.7601.18392\", min_version:\"8.0.7601.17000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n\n # Vista / 2008\n #\n # - Internet Explorer 9\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Mshtml.dll\", version:\"9.0.8112.20651\", min_version:\"9.0.8112.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Mshtml.dll\", version:\"9.0.8112.16540\", min_version:\"9.0.8112.16000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 8\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Mshtml.dll\", version:\"8.0.6001.23569\", min_version:\"8.0.6001.23000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Mshtml.dll\", version:\"8.0.6001.19507\", min_version:\"8.0.6001.18000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 7\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Mshtml.dll\", version:\"7.0.6002.23330\", min_version:\"7.0.6002.23000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Mshtml.dll\", version:\"7.0.6002.19041\", min_version:\"7.0.6002.18000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n\n # Windows 2003 / XP 64-bit\n #\n # - Internet Explorer 8\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Mshtml.dll\", version:\"8.0.6001.23569\", min_version:\"8.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 7\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Mshtml.dll\", version:\"7.0.6000.21371\", min_version:\"7.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 6\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Mshtml.dll\", version:\"6.0.3790.5294\", min_version:\"6.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n\n # Windows XP x86\n #\n # - Internet Explorer 8\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"Mshtml.dll\", version:\"8.0.6001.23569\", min_version:\"8.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 7\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"Mshtml.dll\", version:\"7.0.6000.21371\", min_version:\"7.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 6\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"Mshtml.dll\", version:\"6.0.2900.6512\", min_version:\"6.0.2900.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb)\n)\n{\n set_kb_item(name:\"SMB/Missing/\"+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2018-10-22T16:40:51", "references": ["https://technet.microsoft.com/en-us/security/bulletin/MS14-012", "https://technet.microsoft.com/en-us/security/bulletin/ms14-012", "http://secunia.com/advisories/56974", "https://support.microsoft.com/kb/2925418"], "pluginID": "1361412562310804500", "description": "This host is missing a critical security update according to Microsoft\nBulletin MS14-012.", "edition": 8, "reporter": "Copyright (C) 2014 Greenbone Networks GmbH", "published": "2014-02-18T00:00:00", "title": "Microsoft Internet Explorer Multiple Memory Corruption Vulnerabilities (2925418)", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Windows : Microsoft Bulletins", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0307", "CVE-2014-0313", "CVE-2014-0303", "CVE-2014-0322", "CVE-2014-0305", "CVE-2014-0299", "CVE-2014-0314", "CVE-2014-0306", "CVE-2014-0297", "CVE-2014-0321", "CVE-2014-0311", "CVE-2014-0304", "CVE-2014-0312", "CVE-2014-0298", "CVE-2014-0324", "CVE-2014-0308", "CVE-2014-0302", "CVE-2014-0309"], "modified": "2018-10-12T00:00:00", "id": "OPENVAS:1361412562310804500", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310804500", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_microsoft_ie_cmarkup_use_after_free_vuln.nasl 11878 2018-10-12 12:40:08Z cfischer $\n#\n# Microsoft Internet Explorer Multiple Memory Corruption Vulnerabilities (2925418)\n#\n# Authors:\n# Thanga Prakash S <tprakash@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\nCPE = \"cpe:/a:microsoft:ie\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.804500\");\n script_version(\"$Revision: 11878 $\");\n script_cve_id(\"CVE-2014-0297\", \"CVE-2014-0298\", \"CVE-2014-0299\", \"CVE-2014-0302\",\n \"CVE-2014-0303\", \"CVE-2014-0304\", \"CVE-2014-0305\", \"CVE-2014-0306\",\n \"CVE-2014-0307\", \"CVE-2014-0308\", \"CVE-2014-0309\", \"CVE-2014-0311\",\n \"CVE-2014-0312\", \"CVE-2014-0313\", \"CVE-2014-0314\", \"CVE-2014-0321\",\n \"CVE-2014-0322\", \"CVE-2014-0324\");\n script_bugtraq_id(66023, 66025, 66026, 66027, 66028, 66029, 66030, 66031, 66032,\n 66033, 66034, 66035, 66036, 66037, 66038, 66039, 65551, 66040);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-12 14:40:08 +0200 (Fri, 12 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2014-02-18 16:40:06 +0530 (Tue, 18 Feb 2014)\");\n script_name(\"Microsoft Internet Explorer Multiple Memory Corruption Vulnerabilities (2925418)\");\n\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security update according to Microsoft\nBulletin MS14-012.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Multiple flaws are due to, error when handling CMarkup objects and multiple\nunspecified errors.\");\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attackers to execute arbitrary code,\ncorrupt memory and compromise a user's system.\");\n script_tag(name:\"affected\", value:\"Microsoft Internet Explorer version 6.x/7.x/8.x/9.x/10.x/11.x\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"solution\", value:\"Run Windows Update and update the listed hotfixes or download and\ninstall the hotfixes from the referenced advisory.\");\n\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/56974\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/kb/2925418\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/en-us/security/bulletin/MS14-012\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"qod_type\", value:\"registry\");\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"gb_ms_ie_detect.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"MS/IE/Version\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/en-us/security/bulletin/ms14-012\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(xp:4, win2003:3, winVista:3, win7:2, win2008:3, win8:1, win8_1:1) <= 0){\n exit(0);\n}\n\nieVer = get_app_version(cpe:CPE);\nif(!ieVer || !(ieVer =~ \"^(6|7|8|9|10|11)\")){\n exit(0);\n}\n\nsysPath = smb_get_systemroot();\nif(!sysPath ){\n exit(0);\n}\n\ndllVer = fetch_file_version(sysPath:sysPath, file_name:\"system32\\Mshtml.dll\");\nif(!dllVer){\n exit(0);\n}\n\nif(hotfix_check_sp(xp:4) > 0)\n{\n if(version_is_less(version:dllVer, test_version:\"6.0.2900.6512\") ||\n version_in_range(version:dllVer, test_version:\"7.0.6000.00000\", test_version2:\"7.0.6000.21370\")||\n version_in_range(version:dllVer, test_version:\"8.0.6001.18000\", test_version2:\"8.0.6001.23568\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n}\n\nelse if(hotfix_check_sp(win2003:3) > 0)\n{\n if(version_is_less(version:dllVer, test_version:\"6.0.3790.5294\") ||\n version_in_range(version:dllVer, test_version:\"7.0.6000.00000\", test_version2:\"7.0.6000.21370\")||\n version_in_range(version:dllVer, test_version:\"8.0.6001.18000\", test_version2:\"8.0.6001.23568\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n}\n\nelse if(hotfix_check_sp(winVista:3, win2008:3) > 0)\n{\n if(version_in_range(version:dllVer, test_version:\"7.0.6002.18000\", test_version2:\"7.0.6002.19040\")||\n version_in_range(version:dllVer, test_version:\"7.0.6002.22000\", test_version2:\"7.0.6002.23329\")||\n version_in_range(version:dllVer, test_version:\"8.0.6001.18000\", test_version2:\"8.0.6001.19506\")||\n version_in_range(version:dllVer, test_version:\"8.0.6001.20000\", test_version2:\"8.0.6001.23568\")||\n version_in_range(version:dllVer, test_version:\"9.0.8112.16000\", test_version2:\"9.0.8112.16539\")||\n version_in_range(version:dllVer, test_version:\"9.0.8112.20000\", test_version2:\"9.0.8112.20650\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n}\n\nelse if(hotfix_check_sp(win7:2) > 0)\n{\n if(version_in_range(version:dllVer, test_version:\"8.0.7601.16000\", test_version2:\"8.0.7601.18391\")||\n version_in_range(version:dllVer, test_version:\"8.0.7601.21000\", test_version2:\"8.0.7601.22596\")||\n version_in_range(version:dllVer, test_version:\"9.0.8112.16000\", test_version2:\"9.0.8112.16539\")||\n version_in_range(version:dllVer, test_version:\"9.0.8112.20000\", test_version2:\"9.0.8112.20650\")||\n version_in_range(version:dllVer, test_version:\"10.0.9200.16000\", test_version2:\"10.0.9200.16842\")||\n version_in_range(version:dllVer, test_version:\"10.0.9200.20000\", test_version2:\"10.0.9200.20962\")||\n version_in_range(version:dllVer, test_version:\"11.0.9600.16000\", test_version2:\"11.0.9600.16520\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n}\n\nelse if(hotfix_check_sp(win8:1) > 0)\n{\n if(version_in_range(version:dllVer, test_version:\"10.0.9200.16000\", test_version2:\"10.0.9200.16842\")||\n version_in_range(version:dllVer, test_version:\"10.0.9200.20000\", test_version2:\"10.0.9200.20962\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n}\n\nelse if(hotfix_check_sp(win8_1:1) > 0)\n{\n if(version_in_range(version:dllVer, test_version:\"11.0.9600.16000\", test_version2:\"11.0.9600.16520\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}
