You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
213 lines
11 KiB
213 lines
11 KiB
# Fully Weaponized CVE-2021-40444
|
|
|
|
Malicious docx generator to exploit CVE-2021-40444 (Microsoft Office Word Remote Code Execution), works with arbitrary DLL files.
|
|
|
|
# Background
|
|
|
|
Although many PoC are already around the internet, I guessed to give myself a run to weaponizing this vulnerability,
|
|
as what I found available lacked valuable information that it's worth sharing, also considering Microsoft already
|
|
released a patch for this vulnerability.
|
|
|
|
So far, the only valuable resources I've seen to create a fully working generator are:
|
|
* [Blog by Ret2Pwn](https://xret2pwn.github.io//CVE-2021-40444-Analysis-and-Exploit/)
|
|
* [Twit by j00sean](https://twitter.com/j00sean/status/1437390861499838466)
|
|
|
|
The above resources outline a lot of the requirements needed to create a full chain. To avoid repeating too much
|
|
unnecessary information, I'll just summarize the relevant details.
|
|
|
|
### Exploit Chain
|
|
1. Docx opened
|
|
2. Relationship stored in document.xml.rels points to malicious html
|
|
3. IE preview is launched to open the HTML link
|
|
4. JScript within the HTML contains an object pointing to a CAB file, and an iframe pointing to an INF file,
|
|
prefixed with the ".cpl:" directive
|
|
5. The cab file is opened, the INF file stored in the %TEMP%\Low directory
|
|
6. Due to a Path traversal (ZipSlip) vulnerability in the CAB, it's possible to store the INF in %TEMP%
|
|
7. Then, the INF file is opened with the ".cpl:" directive, causing the side-loading of the INF file via rundll32
|
|
(if this is a DLL)
|
|
|
|
### Overlooked Requirements
|
|
|
|
There are quite a bit of overlooked requirements for this exploit to work, which caused even good PoCs, like
|
|
[the one by lockedbyte](https://github.com/lockedbyte/CVE-2021-40444), to fail working properly.
|
|
|
|
Maybe nobody explicitly "released" them to avoid the vulnerability to be exploited more. But now it's patched,
|
|
so it should not cause a lot of troubles to release the details.
|
|
|
|
#### HTML File
|
|
|
|
As for this [tweet](https://twitter.com/wdormann/status/1440036541112328199) by [Will Dormann](https://twitter.com/wdormann),
|
|
the HTML should be at least 4096 bytes in size in order to trigger the "Preview" within MS Word.
|
|
|
|
#### CAB File
|
|
|
|
The CAB file needs to be byte-patched to avoid extraction errors and to achieve the ZipSlip:
|
|
* `filename.inf` should become `../filename.inf`
|
|
* `filename.inf` ~~should be exactly <12-char>.inf~~ Not really true, the important bit is to modify `coffCabStart`
|
|
* `CFFOLDER.typeCompress` ~~should be 0 (not compressed)~~
|
|
* `CFFOLDER.coffCabStart` should be increased by 3 (due to the added '../'')
|
|
* `CFFOLDER.cCfData` ~~should be 2~~
|
|
* `CFFILE.cbFile` should be greater than the whole `CFHEADER.cbCabinet`
|
|
* `CFDATA.csum` ~~should be recalculated (or zeroed out)~~ [OPTIONAL]
|
|
|
|
The reason for these constraints are many, and I didn't spend enough time to deeply understand all of them, but
|
|
let's see the most important:
|
|
|
|
* **TypeCompress**: ~~If the CAB is compressed, the trick to open it within an object file to trigger the INF write will fail~~ False, I managed to achieve the same result with a MSZIP compressed sample
|
|
* **CoffCabStart**: CoffCabStart gives the absolute position of the first CFDATA structure, as we added a '../',
|
|
we would need to increase this by 3 to point to the file (this is more like a guess)
|
|
* **cCfData**: ~~As there is only 1 file, we should have just 1 CFDATA, I'm not too sure why this has to be set to 2~~ Indeed, we can leave it as 1
|
|
* **cbFile**: Interestingly, if the CAB extraction concludes without any error, the INF file will be marked for deletion
|
|
by WORD, ruining the exploit. The only way to prevent this is to make WORD believe the extraction failed. If the
|
|
cbFile value is defined as greater than the cabinet file itself, the extractor will reach an EOF before reading
|
|
all the bytes defined in cbFile, raising an extraction error.
|
|
* [OPTIONAL] This value seems to not be checked by MS Word. Anyway, to have a correct CAB, the **csum** value should be recalculated. Luckily, as noted by [j00sean](https://twitter.com/j00sean)
|
|
and according to [MS documentation](http://download.microsoft.com/download/4/d/a/4da14f27-b4ef-4170-a6e6-5b1ef85b1baa/[ms-cab].pdf),
|
|
this value can be 0
|
|
|
|
**NOTE1**: Defender now detects if the CAB file contains a PE by using the `_IMAGE_DOS_HEADER.e_magic` value as a
|
|
signature, potentially avoiding PE files to be embedded in the CAB. Can this signature be bypassed?
|
|
I'm not sure but, as observed before, this is a patched vulnerability, so I'm not planning to invest much more time
|
|
on this. Up to the curious reader to develop this further.
|
|
|
|
**NOTE2**: Microsoft Patch blocks arbitrary URI schemes, apparently using a blacklist approach (this is just a supposition)
|
|
|
|
# DLL Attack
|
|
|
|
The main attack chain associated with CVE-2021-40444 is the DLL attack loaded via the `.cpl` URI scheme. In order to
|
|
exploit that, an attacker needs to generate a specially crafted DLL. If you want to test it out, try my [evildll-gen](https://gist.github.com/klezVirus/e24c94d7061f5736e2452eee022f4011)
|
|
script.
|
|
|
|
# JScript, VBScript, Javaw, MSIexec, ...
|
|
|
|
As noted by [Max Maluin](https://twitter.com/Max_Mal_), it is possible to interact with several filetypes abusing IE and
|
|
the associated file extension based URI. While this is might be a good way to exploit IE, it has limitations.
|
|
|
|
Indeed, it should be noted that the method used in the exploit to download files is based on ActiveX control updates,
|
|
and cannot be used to download arbitrary files.
|
|
As per Microsoft [documentation](https://docs.microsoft.com/it-it/cpp/mfc/upgrading-an-existing-activex-control?view=msvc-160), the `codebase` tag
|
|
can point just to a few filetypes: OCX, INF and CAB.
|
|
|
|
Even if we can directly download an OCX or INF file, we still can't be sure to download the file in the right location
|
|
within the system. With the cab exploit, it is possible to move the `.inf` file in a well-known path using the path traversal,
|
|
but in any other case the file will be stored in a random directory, making it virtually impossible to reference it.
|
|
|
|
As of today, I didn't find a way to chain download and execution WITHOUT a CAB file.
|
|
|
|
Note: Talking about IE alone, HTML smuggling could be a possible scenario to exploit the vulnerability.
|
|
|
|
# Cab-less file attack using hybrid RAR file
|
|
|
|
This technique was firstly disclosed by [Eduardo Braun](https://twitter.com/Edu_Braun_0day) on Twitter and further explained in [this](https://github.com/Edubr2020/CVE-2021-40444--CABless/blob/main/MS_Windows_CVE-2021-40444%20-%20'Ext2Prot'%20Vulnerability%20'CABless'%20version.pdf) paper.
|
|
|
|
Please note that using this technique, the attack chain is a bit different. This attack requires the user to download
|
|
a specially crafted RAR file, obtained by chaining a valid WSF script and a valid RAR file. Once opened, the RAR will contain
|
|
a DOCX with a reference to an HTML, which in turn will try to load the RAR file as a WSF script.
|
|
|
|
To summarise:
|
|
|
|
1. Specially crafted RAR file is downloaded (likely Download folder)
|
|
2. DOCX extracted and opened
|
|
3. Relationship stored in document.xml.rels points to malicious html
|
|
4. IE preview is launched to open the HTML link
|
|
5. JScript within the HTML contains a script/iframe pointing to the RAR file, prefixed with the ".wsf:" URI scheme
|
|
6. As the RAR was designed to be contemporaneously a valid RAR and a valid WSF script, the script is executed
|
|
|
|
# What are the exploits PoC implemented by the tool
|
|
|
|
The generator utility can currently reproduce the following attacks:
|
|
|
|
| Attack | HTML Templates | Target | Delivery Method | Execution Method | Working |
|
|
|-------------------------------------------|---------------------|--------|-----------------|------------------|-----------------|
|
|
| Original version of the attack | cab-orig-* | WORD | DOCX | CAB + DLL | YES |
|
|
| j00sean IE-only attack | cab-orig-j00san | IE | HTML | CAB + DLL | YES |
|
|
| My version without DLL | cab-uri-* | WORD | DOCX | CAB + JS/VBS | NO<sup>1</sup> |
|
|
| Eduardo B. "CABless" attack using RAR | cabless-rar-* | WORD | RAR | WSF | YES |
|
|
| Modified j00sean attack + HTML smuggling | cabless-smuggling-* | IE | HTML | JS/VBS | YES<sup>2</sup> |
|
|
|
|
_<sup>1</sup>The CAB is not downloaded properly in some environments_
|
|
|
|
_<sup>2</sup>The user needs to click on "Save" to download the file on IE_
|
|
|
|
# CAB file parser
|
|
|
|
The utility `cab_parser.py` can be used to see the headers of the exploit file, but don't consider this a full
|
|
parser. It's a very quick and dirty CAB header viewer I developed to understand what was going on.
|
|
|
|
# Install
|
|
|
|
The generator is designed to work on Windows, as it uses the `makecab` utility. Before usage, be sure to install required dependencies:
|
|
|
|
* With Virtualenv
|
|
|
|
```
|
|
git clone https://github.com/klezVirus/CVE-2021-40444
|
|
cd CVE-2021-40444
|
|
pip install virtualenv
|
|
python -m virtualenv venv
|
|
venv\Scripts\activate.bat
|
|
pip install -r requirements
|
|
```
|
|
|
|
* Without Virtualenv
|
|
|
|
```
|
|
git clone https://github.com/klezVirus/CVE-2021-40444
|
|
cd CVE-2021-40444
|
|
pip install -r requirements
|
|
```
|
|
|
|
# Usage
|
|
|
|
The generator is trivial to use, and even if it has been tested with a number of different payloads and Windows
|
|
versions, it is not fail-proof. I'm encountering different behaviours across different Windows builds. As soon as
|
|
I have more details to share, I'll post them here.
|
|
|
|
```
|
|
usage: generator.py [-h] -P PAYLOAD -u URL [-o OUTPUT] [--host] [-c COPY_TO] [-nc] [-t]
|
|
|
|
[%] CVE-2021-40444 - MS Office Word RCE Exploit [%]
|
|
|
|
optional arguments:
|
|
-h, --help show this help message and exit
|
|
-P PAYLOAD, --payload PAYLOAD
|
|
DLL payload to use for the exploit
|
|
-u URL, --url URL Server URL for malicious references (CAB->INF)
|
|
-o OUTPUT, --output OUTPUT
|
|
Output files basename (no extension)
|
|
--host If set, will host the payload after creation
|
|
-c COPY_TO, --copy-to COPY_TO
|
|
Copy payload to an alternate path
|
|
-nc, --no-cab Use the CAB-less version of the exploit
|
|
-t, --test Open IExplorer to test the final HTML file
|
|
```
|
|
|
|
# Example
|
|
|
|
* Generate the original exploit and test it locally
|
|
|
|
```
|
|
python generator.py -u http://127.0.0.1 -P test\calc.dll --host
|
|
```
|
|
_Note: the port is selected by the URL, and the exploit is generated basing on the payload file extension_
|
|
|
|
* Generate the CABless exploit with RAR and test it locally via IE
|
|
|
|
```
|
|
python generator.py -u http://127.0.0.1 -P test\job-jscript.wsf --no-cab --host -t
|
|
```
|
|
|
|
* Generate the CABless exploit (IE-only) with HTML smuggling and test it locally via IE
|
|
|
|
```
|
|
python generator.py -u http://127.0.0.1 -P test\calc.js --no-cab --host -t
|
|
```
|
|
|
|
# Credits
|
|
|
|
* [RET2_pwn](https://twitter.com/RET2_pwn) for the amazing blog
|
|
* [j00sean](https://twitter.com/j00sean) for the good hints
|
|
* [lockedbyte](https://github.com/lockedbyte/CVE-2021-40444) for the first decent poc
|
|
* [Max_Mal](https://twitter.com/Max_Mal) for the hint on the alternate URI schemes
|
|
* [wdormann](https://twitter.com/wdormann) for the hint on the HTML file size restrictions
|
|
* [Edu_Braun_0day](https://twitter.com/Edu_Braun_0day) for the cool CAB-less version of the exploit
|
|
|