CVE-2021-40444 MSHTML vulnerability (RCE)

Microsoft MSHTML Remote Code Execution Vulnerability

Technical Explanation (According to Microsoft)

The exploit document uses an external oleObject relationship to embed exploitative JavaScript within MIME HTML remotely hosted content that results in (1) the download of a CAB file containing a DLL bearing an INF file extension, (2) decompression of that CAB file, and (3) execution of a function within that DLL. The DLL retrieves remotely hosted shellcode (in this instance, a custom Cobalt Strike Beacon loader) and loads it into wabmig.exe (Microsoft address import tool). (This is according to the Microsoft official blog.)

Figure 1. The original exploit vector: an externally targeted oleObject relationship definition bearing an MHTML handler prefix pointed at an HTML file hosted on infrastructure that has similar qualities to the Cobalt Strike Beacon infrastructure that the loader’s payload communicates with. (Microsoft Blog)

Content that is downloaded from an external source is tagged by the Windows operating system with a mark of the web, indicating it was downloaded from a potentially untrusted source. This invokes Protected Mode in Microsoft Office, requiring user interaction to disable it to run content such as macros. However, in this instance, when opened without a mark of the web present, the document’s payload executed immediately without user interaction — indicating the abuse of a vulnerability.
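As an added example (not from the Microsoft post or from the PoC credited below), the following Python script checks a .docx for the marker Microsoft describes in Figure 1: an oleObject relationship with TargetMode="External" whose target carries the mhtml: handler prefix. The relationship type URI is the standard OOXML one; the two sample documents are constructed in memory for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Standard OOXML relationship type for embedded OLE objects (not taken from the post).
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
PKG_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"


def find_external_ole_targets(docx_bytes: bytes) -> list:
    """Return (rels_part, target, uses_mhtml) for oleObject relationships that
    point outside the package. A benign embedded object is Internal and targets
    something like embeddings/oleObject1.bin; the chain above needs External."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(PKG_NS + "Relationship"):
                if rel.get("Type") != OLE_REL_TYPE:
                    continue
                if rel.get("TargetMode", "Internal").lower() != "external":
                    continue
                target = rel.get("Target", "")
                hits.append((name, target, target.lower().startswith("mhtml:")))
    return hits


def build_sample_docx(rels_xml: str) -> bytes:
    """Minimal zip with one .rels part: a constructed sample, not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


RELS_TEMPLATE = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    '<Relationship Id="rId1" Type="{t}" Target="{target}"{mode}/></Relationships>'
)

# Constructed samples: a normal embedded object and an externally targeted mhtml: one.
BENIGN = build_sample_docx(RELS_TEMPLATE.format(
    t=OLE_REL_TYPE, target="embeddings/oleObject1.bin", mode=""))
SUSPICIOUS = build_sample_docx(RELS_TEMPLATE.format(
    t=OLE_REL_TYPE, target="mhtml:http://example.invalid/page.html",
    mode=' TargetMode="External"'))

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, find_external_ole_targets(doc))
```

Run it over a suspicious sample by replacing the constructed bytes with the file's contents; only External oleObject relationships are reported, so ordinary embedded objects stay quiet.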

Figure 2. Attack chain of the DEV-0413 campaign that used CVE-2021-40444 (Microsoft Blog)

Microsoft 365 Defender detection details

You can find more details about this at the official Microsoft blog

Summary (Simple Explanation for Beginners)

How it Works
A Microsoft Word file downloads a JavaScript file; that JavaScript file downloads a .DLL file, and the DLL file opens a connection to the attacker using Cobalt Strike. All of this happens using Microsoft Word macros (Microsoft has already released a patch).

DLL File: A DLL is a library that contains code and data that can be used by more than one program at the same time. For example, in Windows operating systems, the Comdlg32 DLL performs common dialog box-related functions. Each program can use the functionality that is contained in this DLL to implement an Open dialog box.

Macros: Macros are a powerful way to automate common tasks in Microsoft Office and can make people more productive. However, macro malware uses this functionality to infect your device.

CobaltStrike: Cobalt Strike gives you a post-exploitation agent and covert channels to emulate a quiet long-term embedded actor in your customer’s network. Malleable C2 lets you change your network indicators to look like different malware each time. These tools complement Cobalt Strike’s solid social engineering process, its robust collaboration capability, and unique reports designed to aid blue team training.

PoC (⚠ For Educational Purposes Only)

Credits to NeurosisMorocco, and Locked Byte

Resources I Used To Write This Blog

Microsoft Official Blog
NeurosisMorocco YouTube Channel
Locked Byte GitHub Repo

I love connecting with different people so if you want to say hi, I’ll be happy to meet you more! :)

Noureldin Ehab | Creeper.exe

Software Engineering Student | Cyber Security Enthusiast