CVE-2021-40444 security alert: the response of Stormshield products

Published on: 10 09 2021 | Modified on: 30 01 2024

Author: Cyril Cléaud

4 minutes

Zero-days are back, with a vulnerability in Microsoft's HTML rendering engine. Stormshield Customer Security Lab provides an update on a critical vulnerability.

The context of the attack

Microsoft has published this Tuesday a critical vulnerability allowing remote code execution (CVE-2021-40444, CVSS score 8.8) impacting his internet rendering engine MSHTML, used by many other programs including Internet Explorer. Even if IE has been replaced by Microsoft Edge, it is still present in modern Microsoft operating system, and some programs are still using it, including the Office suite.

Because this Zero-day vulnerability is in the MSTHML module which can be used by any application wanted to show a web page, it can be exploited by a malicious Office document (Excel, Word, Powerpoint) with an embedded web page reference. Some cybercriminal groups are already using this vulnerability to propagate ransomware.

Initial exploitation vector

This vulnerability is exploited through web page reference dissimulated into an office document (mostly Word) and propagated using mailing tools. The vulnerability, exploited when the user opens the document, allow the attacker to run arbitrary code remotely (RCE).

To open the document, Microsoft Word must download a remote web page, referenced into the document. Once the document is opened, the web content (a JS code) is downloaded and executed into MSHTML ActiveX component of Microsoft Word. Legitimate behaviour so far. The JS code then downloads the viral package (a ransomware of course) presented as a CAB package which contain a DLL file, a trigger the decompression thanks to an HTML “<object>”. The script then exploits the vulnerability itself by changing the URL of the MSHTML component allowing the uncompressed DLL to be charged into “rundll32.exe”.

The DLL is executed with local privilege and the device is compromised. So far, our teams did not noted privilege escalation during this cyberattack.

The vulnerability is present on 42 windows version, from Windows 7 SP1 (32 or 64 bits) up to Windows 10 (1809).

Technical details of the attack

A. CVE exploitation details

The global attack schema is as follow: An attacker sends an email with a corrupted document, and the targeted user opens the document in Microsoft Office. In our example, we assume that Office 2007+ open the document. Here are the details:

Fig 1: exploitation schema of vulnerability CVE-2021-40444

1. Microsoft Word precharge the document and detects an html reference to a web server. The ActiveX MSHTML component is called and render the targeted web page.
2. Word, through the ActiveX component, download the HTML document.
3. The web page is actually controlled by the attacker and hosts an obfuscated Javascript code. The code is executed and start almost 10 MSHTML component inside the web page.
4. The final payload is downloaded as a CAB file by the JS code using XmlHttpRequest This is possible because the IE engine does not take in charge Cross-Origin restrictions.
5. The CAB payload is actually a DLL file. The filename is « championship.inf ». The extension .inf is used to disrupt EDR detection. The CAB package is using a directory “..”. This is an important detail because it means that files will be stored in a cache directory in a random folder, unknown from the attacker. The attacker will then use a reference relative access to navigate the malware folders.
6. JS code continue to execute and run an « object » HTML and extract the DLL into « ../championship.inf ». This is a standard behavior, it was used by Flash Player in the 2000. Note that the CAB file was already downloaded before and was stored into the local cache.
7. The JS code then use the multiple ActiveX started before. It applies the value « .cpl:123 » to the « document.URL » parameter. At this point, the ActiveX, not being able to open “.cpl” file, transfers its control to the associated program “control.exe”:

This program is a bypass to “rundll32.exe” and this command ligne is used: « "C:\WINDOWS\system32\rundll32.exe" Shell32.dll,Control_RunDLL ".cpl:123", » :

With this command line, the “123” file is executed by “rundll32.exe”:

This technic is then used by allow the running ActiveX component to send the following URL:

The result is N attempt to charge the DLL file in random places, whishing one of them will work. Which will inevitably append.

The file “championship.inf” is charged and the machine is corrupted.

B. IoC

Domain name:

Hidusi[.]com
joxinu[.]com
dodefoh[.]com
pawevi[.]com
sagoge[.]com
comecal[.]com
rexagi[.]com
macuwuf[.]com

URI:

/e8c76295a5f9acb7
/e273caf2ca371919
/94cc140dcee6068a
/e32c8df2cf6b7a16

http header:

ETag: "18f1-5caee365a20d1"
ETag: "20b060-5caee369535c1"

.docx files hash:

d0e1f97dbe2d0af9342e64d460527b088d85f96d38b1d1d4aa610c0987dca745
a5f55361eff96ff070818640d417d2c822f9ae1cdd7e8fa0db943f37f6494db9
199b9e9a7533431731fbb08ff19d437de1de6533f3ebbffc1e13eeffaa4fd455
938545f7bbe40738908a95da8cdeabb2a11ce2ca36b0f6a74deda9378d380a52
3bddb2e1a85a9e06b9f9021ad301fdcde33e197225ae1676b8c6d0b416193ecf
5b85dbe49b8bc1e65e01414a0508329dc41dc13c92c08a4f14c71e3044b06185
1fb13a158aff3d258b8f62fe211fabeed03f0763b2acadbccad9e8e39969ea00

Dlls (beacon Cobalstrike):

6eedf45cb91f6762de4e35e36bcb03e5ad60ce9ac5a08caeb7eda035cd74762b

Others:

Letter before court 4.docx
html
cab
inf

Means of protections provided by Stormshield

A. Stormshield Network Security Protection

SNS protection are realized through IPS module with 3 new signatures:

http:client:header.214 : detects C2C connexions to IoC Hosts and URI
http:server:header.46 and http:server.6: detect and block download of CAB file known as of today

Confidence in Stormshield protection

B. Stormshield Endpoint Security Protection

SES (7.2 and Evoultion) provide two rules crafted to prevent exploitation of CVE-2021-40444:

The first one prevents creation of control.exe process by the Office Suite;
The second one limit the capacity of Microsoft Office to charge or access DLLs of type jscript*.dll, which is a solution to block the attack chain used to exploit vulnerability.

Confidence in Stormshield protection

C. Recommandation

The recommendation below does not concern Stormshield solutions but can be used to prevent exploitation of the vulnerability:

Deactivate ActiveX execution on the Office Suite configuration through GPO
Deactivate Microsoft Explorer previsualization (Shell Preview)

Tags : Cybersecurity - by Stormshield

Share on

[juiz_sps buttons="facebook, twitter, linkedin, mail"]

Our Threat Intelligence team has two key missions: to study cyber threats in order to understand them, and to continuously improve the protection offered by Stormshield products. The goal in each case is to contribute to the cybersecurity community's effort to address cyber threats.

Threat Intelligence Stormshield

About the author

Cyril Cléaud Cybersecurity Engineer, Stormshield

As a curious child, Cyril tried to understand how to use the Motorola 68000 microprocessor directly in machine code. Later, passionate about computer security and "machine-like" developments, he still loves technical challenges. Especially when it comes to manipulating a disassembler or dealing with the latest cyber threats. After a 12-year career in a large French company, he now devotes himself to his favourite activities at Stormshield to propose answers to these threats.

Last articles

JetBrains TeamCity Security Alert : Stormshield’s product response

24 04 2024

Security Alert D-Link CVE-2024-3272 & CVE-2024-3273: Stormshield’s product response

10 04 2024

Security alert Microsoft Office CVE-2024-21413: Stormshield Products Response

28 02 2024

See all articles from Alert