Vulnerability Details : CVE-2014-0257
Public exploit exists!
Microsoft .NET Framework 1.0 SP3, 1.1 SP1, 2.0 SP2, 3.5, 3.5.1, 4, 4.5, and 4.5.1 does not properly determine whether it is safe to execute a method, which allows remote attackers to execute arbitrary code via (1) a crafted web site or (2) a crafted .NET Framework application that exposes a COM server endpoint, aka "Type Traversal Vulnerability."
Vulnerability category: Input validationExecute code
Threat overview for CVE-2014-0257
Top countries where our scanners detected CVE-2014-0257
Top open port discovered on systems with this issue
443
IPs affected by CVE-2014-0257 66,237
Threat actors abusing to this issue?
Yes
Find out if you* are
affected by CVE-2014-0257!
*Directly or indirectly through your vendors, service providers and 3rd parties.
Powered by
attack surface intelligence
from SecurityScorecard.
Exploit prediction scoring system (EPSS) score for CVE-2014-0257
Probability of exploitation activity in the next 30 days: 71.40%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 98 % EPSS Score History EPSS FAQ
Metasploit modules for CVE-2014-0257
-
MS14-009 .NET Deployment Service IE Sandbox Escape
Disclosure Date: 2014-02-11First seen: 2020-04-26exploit/windows/local/ms14_009_ie_dfsvcThis module abuses a process creation policy in Internet Explorer's sandbox, specifically in the .NET Deployment Service (dfsvc.exe), which allows the attacker to escape the Enhanced Protected Mode, and execute code with Medium Integrity. Authors: - James Fo
CVSS scores for CVE-2014-0257
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
|
9.3
|
HIGH | AV:N/AC:M/Au:N/C:C/I:C/A:C |
8.6
|
10.0
|
NIST |
CWE ids for CVE-2014-0257
-
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-0257
-
http://packetstormsecurity.com/files/127246/MS14-009-.NET-Deployment-Service-IE-Sandbox-Escape.html
MS14-009 .NET Deployment Service IE Sandbox Escape ≈ Packet Storm
-
http://www.securitytracker.com/id/1029745
Microsoft .NET Bugs Lets Remote Users Execute Arbitrary Code and Deny Service - SecurityTracker
-
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-009
Microsoft Security Bulletin MS14-009 - Important | Microsoft Docs
-
http://secunia.com/advisories/56793
Sign in
-
http://www.securityfocus.com/bid/65417
Microsoft .NET Framework CVE-2014-0257 Remote Privilege Escalation Vulnerability
-
http://www.osvdb.org/103163
404 Not Found
-
http://www.exploit-db.com/exploits/33892
Microsoft .NET Deployment Service - IE Sandbox Escape (MS14-009) (Metasploit) - Windows local Exploit
Products affected by CVE-2014-0257
- cpe:2.3:a:microsoft:.net_framework:1.1:sp1:*:*:*:*:*:*
- cpe:2.3:a:microsoft:.net_framework:1.0:sp3:*:*:*:*:*:*
- cpe:2.3:a:microsoft:.net_framework:2.0:sp2:*:*:*:*:*:*
- cpe:2.3:a:microsoft:.net_framework:3.5:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:.net_framework:3.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:.net_framework:4.0:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:.net_framework:4.5:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:.net_framework:4.5.1:*:*:*:*:*:*:*