mirror of https://github.com/klezVirus/CVE-2021-40444.git synced 2025-07-03 07:11:12 +01:00

Added CAB-based IE-only attacks, and CAB-less attacks via hybrid RAR and additional URI schemes

This commit is contained in:
d3adc0de 2021-09-24 17:43:18 +01:00
parent 31415dbf4e
commit a0d1b8d4c4
27 changed files with 1376 additions and 55 deletions


@ -34,6 +34,11 @@ There are quite a bit of overlooked requirements for this exploit to work, which
Maybe nobody explicitly "released" them to avoid the vulnerability to be exploited more. But now it's patched,
so it should not cause a lot of troubles to release the details.
#### HTML File
As for this [tweet](https://twitter.com/wdormann/status/1440036541112328199) by [Will Dormann](https://twitter.com/wdormann),
the HTML should be at least 4096 bytes in size in order to trigger the "Preview" within MS Word.
#### CAB File
The CAB file needs to be byte-patched to avoid extraction errors and to achieve the ZipSlip:
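Review bot: the new "HTML File" requirement (at least 4096 bytes to trigger the Word preview) is stated only by pointing at a tweet; say whether generator.py enforces it, and how (for example, how the templates are padded), so a reader who edits a template by hand knows what to check and what failure looks like when the file is too small. Wording in the same hunk: "As for this tweet" reads better as "As noted in this tweet", and "to avoid the vulnerability to be exploited more" as "to prevent the vulnerability from being exploited further".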
@ -67,6 +72,62 @@ on this. Up to the curious reader to develop this further.
**NOTE2**: Microsoft Patch blocks arbitrary URI schemes, apparently using a blacklist approach (this is just a supposition)
# DLL Attack
The main attack chain associated with CVE-2021-40444 is the DLL attack loaded via the `.cpl` URI scheme. In order to
exploit that, an attacker needs to generate a specially crafted DLL. If you want to test it out, try my [evildll-gen](https://gist.github.com/klezVirus/e24c94d7061f5736e2452eee022f4011)
script.
# JScript, VBScript, Javaw, MSIexec, ...
As noted by [Max Maluin](https://twitter.com/Max_Mal_), it is possible to interact with several filetypes abusing IE and
the associated file extension based URI. While this is might be a good way to exploit IE, it has limitations.
Indeed, irtshould be noted that the method used in the exploit to download files is based on ActiveX control updates,
and cannot be used to download arbitrary files.
As per Microsoft [documentation](https://docs.microsoft.com/it-it/cpp/mfc/upgrading-an-existing-activex-control?view=msvc-160), the `codebase` tag
can point just to a few filetypes: OCX, INF and CAB.
Even if we can directly download an OCX or INF file, we still can't be sure to download the file in the right location
within the system. With the cab exploit, it is possible to move the `.inf` file in a well-known path using the path traversal,
but in any other case the file will be stored in a random directory, making it virtually impossible to reference it.
As of today, I didn't find a way to chain download and execution WITHOUT a CAB file.
Note: Talking about IE alone, HTML smuggling could be a possible scenario to exploit the vulnerability.
# Cab-less file attack using hybrid RAR file
This technique was firstly disclosed by [Eduardo Braun](https://twitter.com/Edu_Braun_0day) on Twitter and further explained in [this](https://github.com/Edubr2020/CVE-2021-40444--CABless/blob/main/MS_Windows_CVE-2021-40444%20-%20'Ext2Prot'%20Vulnerability%20'CABless'%20version.pdf) paper.
Please note that using this technique, the attack chain is a bit different. This attack requires the user to download
a specially crafted RAR file, obtained by chaining a valid WSF script and a valid RAR file. Once opened, the RAR will contain
a DOCX with a reference to an HTML, which in turn will try to load the RAR file as a WSF script.
To summarise:
1. Specially crafted RAR file is downloaded (likely Download folder)
2. DOCX extracted and opened
3. Relationship stored in document.xml.rels points to malicious html
4. IE preview is launched to open the HTML link
5. JScript within the HTML contains a script/iframe pointing to the RAR file, prefixed with the ".wsf:" URI scheme
6. As the RAR was designed to be contemporaneously a valid RAR and a valid WSF script, the script is executed
# What are the exploits PoC implemented by the tool
The generator utility can currently reproduce the following attacks:
| Attack | HTML Templates | Target | Delivery Method | Execution Method | Working |
|-------------------------------------------|---------------------|--------|-----------------|------------------|-----------------|
| Original version of the attack | cab-orig-* | WORD | DOCX | CAB + DLL | YES |
| j00sean IE-only attack | cab-orig-j00san | IE | HTML | CAB + DLL | YES |
| My version without DLL | cab-uri-* | WORD | DOCX | CAB + JS/VBS | NO<sup>1</sup> |
| Eduardo B. "CABless" attack using RAR | cabless-rar-* | WORD | RAR | WSF | YES |
| Modified j00sean attack + HTML smuggling | cabless-smuggling-* | IE | HTML | JS/VBS | YES<sup>2</sup> |
_<sup>1</sup>The CAB is not downloaded properly in some environments_
_<sup>2</sup>The user needs to click on "Save" to download the file on IE_
# CAB file parser
The utility `cab_parser.py` can be used to see the headers of the exploit file, but don't consider this a full
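Review bot: the RAR chain summary (steps 1 to 6) only works if the HTML's `.wsf:` reference resolves to the downloaded RAR, but step 1 says just "likely Download folder"; state the exact path the generated HTML assumes and that the chain fails if the user saves the archive elsewhere, since that is the main operational caveat of the CABless variant and the table marks it "YES" without it. In the attack table the template name `cab-orig-j00san` does not match the `j00sean` attack name in the same row or in the Credits section; check which spelling the template files actually use. Typos in the surrounding prose: "While this is might be" (drop "is"), "irtshould" ("it should"), "firstly disclosed" ("first disclosed"); the MSDN link uses the `it-it` locale where `en-us` would serve most readers. "NOTE2" is already flagged as a supposition; either cite what the patch checks or keep it out of the requirements list.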
@ -97,10 +158,12 @@ pip install -r requirements
# Usage
The generator is trivial to use, and has been tested with a number of different DLL payloads.
The generator is trivial to use, and even if it has been tested with a number of different payloads and Windows
versions, it is not fail-proof. I'm encountering different behaviours across different Windows builds. As soon as
I have more details to share, I'll post them here.
```
usage: generator.py [-h] -P PAYLOAD -u URL [-o OUTPUT] [--host] [-p LPORT] [-c COPY_TO]
usage: generator.py [-h] -P PAYLOAD -u URL [-o OUTPUT] [--host] [-c COPY_TO] [-nc] [-t]
[%] CVE-2021-40444 - MS Office Word RCE Exploit [%]
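Review bot: the usage line drops `[-p LPORT]` in favour of `[-nc] [-t]`, but the text above it does not say where the listening port now comes from; add the "port is taken from the URL" note here, next to the option list, rather than only in the Example section further down. The two "The generator is trivial to use" sentences must not both survive the merge; keep only the longer one. "fail-proof" should be "foolproof".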
@ -112,14 +175,38 @@ optional arguments:
-o OUTPUT, --output OUTPUT
Output files basename (no extension)
--host If set, will host the payload after creation
-p LPORT, --lport LPORT
Port to use when hosting malicious payload
-c COPY_TO, --copy-to COPY_TO
Copy payload to an alternate path
-nc, --no-cab Use the CAB-less version of the exploit
-t, --test Open IExplorer to test the final HTML file
```
# Example
* Generate the original exploit and test it locally
```
python generator.py -u http://127.0.0.1 -P test\calc.dll --host
```
_Note: the port is selected by the URL, and the exploit is generated basing on the payload file extension_
* Generate the CABless exploit with RAR and test it locally via IE
```
python generator.py -u http://127.0.0.1 -P test\job-jscript.wsf --no-cab --host -t
```
* Generate the CABless exploit (IE-only) with HTML smuggling and test it locally via IE
```
python generator.py -u http://127.0.0.1 -P test\calc.js --no-cab --host -t
```
# Credits
* [RET2_pwn](https://twitter.com/RET2_pwn) for the amazing blog
* [j00sean](https://twitter.com/j00sean) for the good hints
* [lockedbyte](https://github.com/lockedbyte/CVE-2021-40444) for the first decent poc
* [lockedbyte](https://github.com/lockedbyte/CVE-2021-40444) for the first decent poc
* [Max_Mal](https://twitter.com/Max_Mal) for the hint on the alternate URI schemes
* [wdormann](https://twitter.com/wdormann) for the hint on the HTML file size restrictions
* [Edu_Braun_0day](https://twitter.com/Edu_Braun_0day) for the cool CAB-less version of the exploit
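Review bot: `-p LPORT, --lport LPORT` still appears in the option list here although the usage line in the previous hunk no longer has it; make sure the option is removed from both places (or kept in both). The Example note "the exploit is generated basing on the payload file extension" should spell out the mapping the three examples imply (`.dll` to CAB + DLL, `.wsf` with `--no-cab` to the RAR attack, `.js`/`.vbs` with `--no-cab` to HTML smuggling) and read "based on"; since the port is parsed from `-u`, the `http://127.0.0.1` examples bind port 80, which needs elevated privileges on most hosts, so an example with an explicit high port would be friendlier. `-t` help text: "IExplorer" should be "Internet Explorer" (iexplore.exe). The lockedbyte line in Credits appears twice; keep one.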