Vulnerability Details : CVE-2014-0257

Microsoft .NET Framework 1.0 SP3, 1.1 SP1, 2.0 SP2, 3.5, 3.5.1, 4, 4.5, and 4.5.1 does not properly determine whether it is safe to execute a method, which allows remote attackers to execute arbitrary code via (1) a crafted web site or (2) a crafted .NET Framework application that exposes a COM server endpoint, aka "Type Traversal Vulnerability."

Vulnerability category: Input validationExecute code

Published 2014-02-12 04:50:40

Updated 2018-10-12 22:05:29

Source Microsoft Corporation

View at NVD, CVE.org

At least one public exploit which can be used to exploit this vulnerability exists!

Exploit prediction scoring system (EPSS) score for CVE-2014-0257

Probability of exploitation activity in the next 30 days: 59.80%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 97 % EPSS Score History EPSS FAQ

Metasploit modules for CVE-2014-0257

MS14-009 .NET Deployment Service IE Sandbox Escape

Disclosure Date : 2014-02-11

exploit/windows/local/ms14_009_ie_dfsvc

This module abuses a process creation policy in Internet Explorer's sandbox, specifically in the .NET Deployment Service (dfsvc.exe), which allows the attacker to escape the Enhanced Protected Mode, and execute code with Medium Integrity. Authors: - James Forshaw - juan vazquez <[email protected]>

More information

CVSS scores for CVE-2014-0257

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Source
9.3	HIGH	AV:N/AC:M/Au:N/C:C/I:C/A:C	8.6	10.0	[email protected]
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete

CWE ids for CVE-2014-0257

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Assigned by: [email protected] (Primary)

References for CVE-2014-0257

Products affected by CVE-2014-0257

Microsoft » .net Framework » Version: 1.1 Update SP1
cpe:2.3:a:microsoft:.net_framework:1.1:sp1:*:*:*:*:*:*
Matching versions
Microsoft » .net Framework » Version: 1.0 Update SP3
cpe:2.3:a:microsoft:.net_framework:1.0:sp3:*:*:*:*:*:*
Matching versions
Microsoft » .net Framework » Version: 2.0 Update SP2
cpe:2.3:a:microsoft:.net_framework:2.0:sp2:*:*:*:*:*:*
Matching versions
Microsoft » .net Framework » Version: 3.5
cpe:2.3:a:microsoft:.net_framework:3.5:*:*:*:*:*:*:*
Matching versions
Microsoft » .net Framework » Version: 3.5.1
cpe:2.3:a:microsoft:.net_framework:3.5.1:*:*:*:*:*:*:*
Matching versions
Microsoft » .net Framework » Version: 4.0
cpe:2.3:a:microsoft:.net_framework:4.0:*:*:*:*:*:*:*
Matching versions
Microsoft » .net Framework » Version: 4.5
cpe:2.3:a:microsoft:.net_framework:4.5:*:*:*:*:*:*:*
Matching versions
Microsoft » .net Framework » Version: 4.5.1
cpe:2.3:a:microsoft:.net_framework:4.5.1:*:*:*:*:*:*:*
Matching versions