mirror of
https://github.com/klezVirus/CVE-2021-40444.git
synced 2024-11-24 22:20:47 +00:00
Updated comments on the vulnerability
This commit is contained in:
parent
7d0e32466e
commit
2d64e9c760
1 changed files with 9 additions and 9 deletions
18
README.md
18
README.md
|
@ -43,25 +43,25 @@ the HTML should be at least 4096 bytes in size in order to trigger the "Preview"
|
||||||
|
|
||||||
The CAB file needs to be byte-patched to avoid extraction errors and to achieve the ZipSlip:
|
The CAB file needs to be byte-patched to avoid extraction errors and to achieve the ZipSlip:
|
||||||
* `filename.inf` should become `../filename.inf`
|
* `filename.inf` should become `../filename.inf`
|
||||||
* `filename.inf` should be exactly `<12-char>.inf`
|
* `filename.inf` ~~should be exactly <12-char>.inf~~ Not really true, the important bit is to modify `coffCabStart`
|
||||||
* `CFFOLDER.typeCompress` should be 0 (not compressed)
|
* `CFFOLDER.typeCompress` ~~should be 0 (not compressed)~~
|
||||||
* `CFFOLDER.coffCabStart` should be increased by 3
|
* `CFFOLDER.coffCabStart` should be increased by 3 (due to the added '../'')
|
||||||
* `CFFOLDER.cCfData` should be 2
|
* `CFFOLDER.cCfData` ~~should be 2~~
|
||||||
* `CFFILE.cbFile` should be greater than the whole `CFHEADER.cbCabinet`
|
* `CFFILE.cbFile` should be greater than the whole `CFHEADER.cbCabinet`
|
||||||
* `CFDATA.csum` should be recalculated (or zeroed out)
|
* `CFDATA.csum` ~~should be recalculated (or zeroed out)~~ [OPTIONAL]
|
||||||
|
|
||||||
The reason for these constraints are many, and I didn't spend enough time to deeply understand all of them, but
|
The reason for these constraints are many, and I didn't spend enough time to deeply understand all of them, but
|
||||||
let's see the most important:
|
let's see the most important:
|
||||||
|
|
||||||
* **TypeCompress**: If the CAB is compressed, the trick to open it within an object file to trigger the INF write will fail
|
* **TypeCompress**: ~~If the CAB is compressed, the trick to open it within an object file to trigger the INF write will fail~~ False, I managed to achieve the same result with a MSZIP compressed sample
|
||||||
* **CoffCabStart**: CoffCabStart gives the absolute position of the first CFDATA structure, as we added a '../',
|
* **CoffCabStart**: CoffCabStart gives the absolute position of the first CFDATA structure, as we added a '../',
|
||||||
we would need to increase this by 3 to point to the file (this is more like a guess)
|
we would need to increase this by 3 to point to the file (this is more like a guess)
|
||||||
* **cCfData**: As there is only 1 file, we should have just 1 CFDATA, I'm not too sure why this has to be set to 2
|
* **cCfData**: ~~As there is only 1 file, we should have just 1 CFDATA, I'm not too sure why this has to be set to 2~~ Indeed, we can leave it as 1
|
||||||
* **cbFile**: Interestingly, if the CAB extraction concludes without any error, the INF file will be marked for deletion
|
* **cbFile**: Interestingly, if the CAB extraction concludes without any error, the INF file will be marked for deletion
|
||||||
by WORD, ruining the exploit. The only way to prevent this is to make WORD believe the extraction failed. If the
|
by WORD, ruining the exploit. The only way to prevent this is to make WORD believe the extraction failed. If the
|
||||||
cbFile value is defined as greater than the cabinet file itself, the extractor will reach an EOF before reading
|
cbFile value is defined as greater than the cabinet file itself, the extractor will reach an EOF before reading
|
||||||
all the bytes defined in cbFile, raising an extraction error.
|
all the bytes defined in cbFile, raising an extraction error.
|
||||||
* Last but not least, the **csum** value should be recalculated. Luckily, as noted by [j00sean](https://twitter.com/j00sean)
|
* [OPTIONAL] This value seems to not be checked by MS Word. Anyway, to have a correct CAB, the **csum** value should be recalculated. Luckily, as noted by [j00sean](https://twitter.com/j00sean)
|
||||||
and according to [MS documentation](http://download.microsoft.com/download/4/d/a/4da14f27-b4ef-4170-a6e6-5b1ef85b1baa/[ms-cab].pdf),
|
and according to [MS documentation](http://download.microsoft.com/download/4/d/a/4da14f27-b4ef-4170-a6e6-5b1ef85b1baa/[ms-cab].pdf),
|
||||||
this value can be 0
|
this value can be 0
|
||||||
|
|
||||||
|
@ -83,7 +83,7 @@ script.
|
||||||
As noted by [Max Maluin](https://twitter.com/Max_Mal_), it is possible to interact with several filetypes abusing IE and
|
As noted by [Max Maluin](https://twitter.com/Max_Mal_), it is possible to interact with several filetypes abusing IE and
|
||||||
the associated file extension based URI. While this is might be a good way to exploit IE, it has limitations.
|
the associated file extension based URI. While this is might be a good way to exploit IE, it has limitations.
|
||||||
|
|
||||||
Indeed, irtshould be noted that the method used in the exploit to download files is based on ActiveX control updates,
|
Indeed, it should be noted that the method used in the exploit to download files is based on ActiveX control updates,
|
||||||
and cannot be used to download arbitrary files.
|
and cannot be used to download arbitrary files.
|
||||||
As per Microsoft [documentation](https://docs.microsoft.com/it-it/cpp/mfc/upgrading-an-existing-activex-control?view=msvc-160), the `codebase` tag
|
As per Microsoft [documentation](https://docs.microsoft.com/it-it/cpp/mfc/upgrading-an-existing-activex-control?view=msvc-160), the `codebase` tag
|
||||||
can point just to a few filetypes: OCX, INF and CAB.
|
can point just to a few filetypes: OCX, INF and CAB.
|
||||||
|
|
Loading…
Reference in a new issue