CVE-2021–40444 MSHTML vulnerability (RCE)

Microsoft MSHTML Remote Code Execution Vulnerability

Technical Explanation (According to Microsoft)

The exploit document uses an external oleObject relationship to embed exploitative JavaScript within MIME HTML remotely hosted content that results in (1) the download of a CAB file containing a DLL bearing an INF file extension, (2) decompression of that CAB file, and (3) execution of a function within that DLL. The DLL retrieves remotely hosted shellcode (in this instance, a custom Cobalt Strike Beacon loader) and loads it into wabmig.exe (Microsoft address import tool.) (This is according to the Microsoft Official blog)

Figure 1. The original exploit vector: an externally targeted oleObject relationship definition bearing an MHTML handler prefix pointed at an HTML file hosted on infrastructure that has similar qualities to the Cobalt Strike Beacon infrastructure that the loader’s payload communicates with. (Microsoft Blog)

Content that is downloaded from an external source is tagged by the Windows operating system with a mark of the web, indicating it was downloaded from a potentially untrusted source. This invokes Protected Mode in Microsoft Office, requiring user interaction to disable it to run content such as macros. However, in this instance, when opened without a mark of the web present, the document’s payload executed immediately without user interaction — indicating the abuse of a vulnerability.

Figure 2. Attack chain of DEV-0413 campaign that used CVE-2021–40444 (Microsoft Blog)

Microsoft 365 Defender detection details

You can find more details about this at the official Microsoft blog

Summary (Simple Explanation for Beginners)

How it Works
A Microsoft word file downloads a javascript file, and that javascript file downloads a . DLL file and the DLL file open a connection with the attacker using cobalt strike, all of this happens using the Microsoft word macros (Microsoft already released a patch)

DLL File: A DLL is a library that contains code and data that can be used by more than one program at the same time. For example, in Windows operating systems, the Comdlg32 DLL performs common dialog box-related functions. Each program can use the functionality that is contained in this DLL to implement an Open dialog box.

Macros: Macros are a powerful way to automate common tasks in Microsoft Office and can make people more productive. However, macro malware uses this functionality to infect your device.

CobaltStrike: Cobalt Strike gives you a post-exploitation agent and covert channels to emulate a quiet long-term embedded actor in your customer’s network. Malleable C2 lets you change your network indicators to look like different malware each time. These tools complement Cobalt Strike’s solid social engineering process, its robust collaboration capability, and unique reports designed to aid blue team training.

PoC (⚠ For Educational Purposes Only)

Credits to NeurosisMorocco, and Locked Byte

Resources I Used To Write This Blog

Microsoft Official Blog
CVE MITRE
NeurosisMoroco Youtube Channel
Locked Byte GitHub Repo

I love connecting with different people so if you want to say hi, I’ll be happy to meet you more! :)

LinkedIn
Twitter