
THREAT ALERT: Microsoft MSHTML Remote Code Execution Vulnerability

The Cybereason Global Security Operations Center (SOC) issues Cybereason threat alerts to notify customers of emerging threats that have an impact. Alerts summarize these threats and provide practical recommendations for protecting against them.

What is happening?

The Cybereason GSOC Managed Detection and Response (MDR) team is investigating CVE-2021-40444, a critical vulnerability in the Microsoft Hypertext Markup Language (MSHTML) web content rendering engine used by Microsoft Office applications. The vulnerability allows attackers to use malicious ActiveX controls to execute arbitrary code on target systems.

This threat alert focuses on CVE-2021-40444 as exploited through malicious Office documents. However, other applications that use the MSHTML engine, such as Internet Explorer, can also be used to exploit the vulnerability.

Key observations

    • Zero-day vulnerability: Adversaries exploited CVE-2021-40444 as a zero-day vulnerability to run malicious code on target systems.
    • Social engineering: To exploit CVE-2021-40444, the attacker tricks a user into opening a specially crafted Office document and clicking Allow content, which deactivates the Microsoft Office Protected View feature. Protected View is enabled by default and blocks the execution of potentially malicious code in the context of Office documents.
    • No patch available: No patch for CVE-2021-40444 is available at the time of writing this threat alert. Cybereason recommends that you disable ActiveX controls if they are not needed on the machine. The Cybereason team provides further recommendations in the Cybereason recommendations section below.

Analysis

CVE-2021-40444 is a critical vulnerability in the MSHTML rendering engine. Microsoft Office applications use the MSHTML engine to process and display web content. An adversary who successfully exploits CVE-2021-40444 could gain full control over a target system by using malicious ActiveX controls to execute arbitrary code.

Malicious actors exploit CVE-2021-40444 using specially crafted Microsoft Office documents. A typical document of this kind uses the MSHTML engine to open a malicious website hosted on an endpoint controlled by the attacker. The website is embedded in the document as a MIME HTML (MHTML) Object Linking and Embedding (OLE) object. The website executes JavaScript code and ActiveX controls, which in turn execute malicious code on the system where the Office document was opened. This code is hosted on the attacker-controlled endpoint as a dynamic link library (DLL).

To exploit CVE-2021-40444, the attacker tricks a user into opening a specially crafted Office document and clicking Allow content, which deactivates the Microsoft Office Protected View feature. Protected View is enabled by default and blocks the execution of potentially malicious code in the context of Office documents.

A specific use of CVE-2021-40444 observed in practice involves the following activities:

    • A malicious actor tricks a user into opening a Microsoft Office document containing an MHTML OLE object that points to a website hosted on an endpoint controlled by the attacker.

An MSHTML OLE object in a specially crafted Microsoft Office document

    • The website executes obfuscated JavaScript code that instantiates ActiveX controls:

Obfuscated JavaScript code that instantiates ActiveX controls

    • The website code retrieves and opens a cabinet archive (.cab) named ministry.cab from the endpoint controlled by the attacker. This archive contains a malicious DLL named championship.inf.
    • The website code executes the championship.inf file as a Control Panel (.cpl) file using the Control Panel utility control.exe. For example, the website code can run the following command:
      control.exe .cpl:../../../AppData/Local/Temp/championship.inf
    • The control.exe utility runs as a child process of the process that hosts the Microsoft Office application that opened the document, such as winword.exe.
    • The malicious DLL championship.inf is then loaded and run by the rundll32.exe Windows utility.
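The process chain above (an Office host spawning control.exe with a traversal .cpl: path, then rundll32.exe loading an .inf from the user's Temp folder) can be hunted in process-creation telemetry. The following PowerShell is an added example, not code from the Cybereason alert; the field names mirror Sysmon Event ID 1 (ParentImage, Image, CommandLine), and the sample events are constructed.

```powershell
# Added example (not from the Cybereason alert): flag the CVE-2021-40444 process
# chain in process-creation events. Fields follow Sysmon Event ID 1 naming.
$OfficeHosts = @('winword.exe', 'excel.exe', 'powerpnt.exe')

function Test-MshtmlExploitChain {
    param([Parameter(Mandatory)] [object[]] $Events)
    $findings = @()
    foreach ($e in $Events) {
        $parent = [IO.Path]::GetFileName($e.ParentImage).ToLowerInvariant()
        $image  = [IO.Path]::GetFileName($e.Image).ToLowerInvariant()
        $cmd    = $e.CommandLine
        # Stage 1: an Office process launches control.exe with a .cpl: argument that
        # traverses directories (the championship.inf step described above).
        if ($OfficeHosts -contains $parent -and $image -eq 'control.exe' -and
            $cmd -match '\.cpl:' -and $cmd -match '(\.\./|\.\.\\)') {
            $findings += [pscustomobject]@{ Stage = 'Office -> control.exe with traversal .cpl path'; Event = $e }
        }
        # Stage 2: rundll32.exe loads an .inf/.cpl out of %LOCALAPPDATA%\Temp, the
        # point at which the malicious DLL actually runs.
        if ($image -eq 'rundll32.exe' -and $cmd -match '(?i)appdata\\local\\temp\\[^\s"]+\.(inf|cpl)') {
            $findings += [pscustomobject]@{ Stage = 'rundll32.exe loading .inf/.cpl from Temp'; Event = $e }
        }
    }
    return $findings
}

# Constructed sample telemetry: two events matching the chain, one benign control.exe use.
$sample = @(
    [pscustomobject]@{ ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
                       Image       = 'C:\Windows\System32\control.exe'
                       CommandLine = 'control.exe .cpl:../../../AppData/Local/Temp/championship.inf' },
    [pscustomobject]@{ ParentImage = 'C:\Windows\System32\control.exe'
                       Image       = 'C:\Windows\System32\rundll32.exe'
                       CommandLine = 'rundll32.exe Shell32.dll,Control_RunDLL "C:\Users\user\AppData\Local\Temp\championship.inf",' },
    [pscustomobject]@{ ParentImage = 'C:\Windows\explorer.exe'
                       Image       = 'C:\Windows\System32\control.exe'
                       CommandLine = 'control.exe timedate.cpl' }
)

# Expected: the first two events are reported, the benign timedate.cpl launch is not.
Test-MshtmlExploitChain -Events $sample |
    Format-Table Stage, @{ n = 'CommandLine'; e = { $_.Event.CommandLine } } -Wrap
```

Each stage is matched independently so a partial chain (for example, control.exe blocked before rundll32.exe starts) is still surfaced.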

Cybereason recommendations

Cybereason recommends the following:

    • Disable ActiveX controls if they are not needed on the machine. To do this, configure the associated registry values by importing the following Windows registry file (.reg) and restarting the system:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
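The following PowerShell is an added example, not part of the Cybereason alert, for auditing and applying the per-zone ActiveX policy that the registry keys above target. The value names 1001 (download signed ActiveX controls) and 1004 (download unsigned ActiveX controls) and the data 3 (Disable) are Microsoft's documented Internet Explorer zone settings used in the CVE-2021-40444 workaround and are assumed here rather than taken from this page; zones 0 to 3 are Local Machine, Local Intranet, Trusted Sites and Internet.

```powershell
# Added example (not from the Cybereason alert). Value names 1001/1004 and the
# data 3 (= Disable) are Microsoft's documented zone settings, assumed here.
$ZonePolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ActiveXValues  = @('1001', '1004')
$Disabled       = 3

function Get-ActiveXZonePolicy {
    # One row per zone/value: current data and whether it is locked to Disable.
    foreach ($zone in 0..3) {
        $key   = Join-Path $ZonePolicyRoot $zone
        $props = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
        foreach ($name in $ActiveXValues) {
            $data = if ($props -and $null -ne $props.$name) { [int]$props.$name } else { $null }
            [pscustomobject]@{
                Zone      = $zone
                Value     = $name
                Data      = $data
                Compliant = ($data -eq $Disabled)
            }
        }
    }
}

function Set-ActiveXZonePolicy {
    # Creates missing policy keys and sets both values to Disable (3) in every zone.
    # Needs an elevated shell; as the alert notes, restart the system afterwards.
    foreach ($zone in 0..3) {
        $key = Join-Path $ZonePolicyRoot $zone
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($name in $ActiveXValues) {
            New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $Disabled -Force | Out-Null
        }
    }
}

# Audit first; apply only on hosts where ActiveX controls are confirmed unnecessary.
$report = Get-ActiveXZonePolicy
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Compliant }) {
    Write-Warning 'At least one zone still allows ActiveX control downloads; run Set-ActiveXZonePolicy from an elevated shell.'
}
```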
