From 37e282beb996b9deb2c33e6933dade9fd78b6ba3 Mon Sep 17 00:00:00 2001 From: d3adc0de Date: Thu, 16 Sep 2021 07:43:01 +0100 Subject: [PATCH] Updated README --- README.md | 31 +++++++++++++++++-------------- 1 file changed, 17 insertions(+), 14 deletions(-) diff --git a/README.md b/README.md index 4f16404..5e46a7c 100644 --- a/README.md +++ b/README.md @@ -12,7 +12,8 @@ So far, the only valuable resources I've seen to create a fully working generato * [Blog by Ret2Pwn](https://xret2pwn.github.io//CVE-2021-40444-Analysis-and-Exploit/) * [Twit by j00sean](https://twitter.com/j00sean/status/1437390861499838466) -The above resources outline a lot of the requirements needed to create a full chain. As I do not desire +The above resources outline a lot of the requirements needed to create a full chain. To avoid repeating too much +unnecessary information, I'll just summarize the relevant details. ### Exploit Chain 1. Docx opened @@ -36,33 +37,35 @@ so it should not cause a lot of troubles to release the details. #### CAB File The CAB file needs to be byte-patched to avoid extraction errors and to achieve the ZipSlip: -* filename.inf should become ../filename.inf -* filename.inf should be exactly <12-char>.inf -* CFFOLDER.TypeCompress should be 0 (not compressed) -* CFFOLDER.CoffCabStart should be increased by 3 -* CFFOLDER.cCfData: should be 2 -* CFFile.CbFile should be greater than the whole CFHeader CbCabinet -* CFDATA.csum should be recalculated (or zeroed out) +* `filename.inf` should become `../filename.inf` +* `filename.inf` should be exactly `<12-char>.inf` +* `CFFOLDER.typeCompress` should be 0 (not compressed) +* `CFFOLDER.coffCabStart` should be increased by 3 +* `CFFOLDER.cCfData` should be 2 +* `CFFILE.cbFile` should be greater than the whole `CFHEADER.cbCabinet` +* `CFDATA.csum` should be recalculated (or zeroed out) The reason for these constraints are many, and I didn't spend enough time to deeply understand all of them, but let's see the most important: -* TypeCompress: If the CAB is compressed, the trick to open it within an object file to trigger the INF write will fail -* CoffCabStart: CoffCabStart gives the absolute position of the first CFDATA structure, as we added a '../', +* **TypeCompress**: If the CAB is compressed, the trick to open it within an object file to trigger the INF write will fail +* **CoffCabStart**: CoffCabStart gives the absolute position of the first CFDATA structure, as we added a '../', we would need to increase this by 3 to point to the file (this is more like a guess) -* cCfData: As there is only 1 file, we should have just 1 CFDATA, I'm not too sure why this has to be set to 2 -* cbFile: Interestingly, if the CAB extraction concludes without any error, the INF file will be marked for deletion +* **cCfData**: As there is only 1 file, we should have just 1 CFDATA, I'm not too sure why this has to be set to 2 +* **cbFile**: Interestingly, if the CAB extraction concludes without any error, the INF file will be marked for deletion by WORD, ruining the exploit. The only way to prevent this is to make WORD believe the extraction failed. If the cbFile value is defined as greater than the cabinet file itself, the extractor will reach an EOF before reading all the bytes defined in cbFile, raising an extraction error. -* Last but not least, the csum value should be recalculated. Luckily, as noted by [j00sean](https://twitter.com/j00sean) +* Last but not least, the **csum** value should be recalculated. Luckily, as noted by [j00sean](https://twitter.com/j00sean) and according to [MS documentation](http://download.microsoft.com/download/4/d/a/4da14f27-b4ef-4170-a6e6-5b1ef85b1baa/[ms-cab].pdf), this value can be 0 -NOTE: Defender now detects the CAB file using the `_IMAGE_DOS_HEADER.e_magic` value as a signature, potentially avoiding +**NOTE1**: Defender now detects the CAB file using the `_IMAGE_DOS_HEADER.e_magic` value as a signature, potentially avoiding PE files to be embedded in the CAB. Can this signature be bypassed? As observed before, this is a patched vulnerability, so I'm not planning to release anything more complex than this. Up to the curious reader to develop this further. +**NOTE2**: Microsoft Patch blocks arbitrary URI schemes, apparently using a blacklist approach (this is just a supposition) + # CAB file parser The utility `cab_parser.py` can be used to see the headers of the exploit file, but don't consider this a full