MSHTML — LetsDefend

Ritam Dey
2 min readOct 3, 2022

--

Image credits: Let’s Defend

Scenario/Challenge Details

2021’s 0-Day MSHTML

This refers to CVE-2021–40444 vulnerability present in MS Office suite

Challenge link here

Tools used

  1. oleobj
  2. re-search.py
  3. zipdump.py
  4. number-to-string.py

What is CVE-2021–40444?

The CVE-2021–40444 vulnerability was a vulnerability found in the MS Office suite that can be triggered using a malicious external OLE relationship. The vulnerability uses CAB files and path traversal to run DLL file to achieve RCE on the victim. An analysis of the attack has been reported by TrendMicro

Solution #1: Easy mode

The easiest way to solve these challenges would be use oleobj tool from the oletools. The tool can extract External Relationships from OOXML file and thus can be used to extract the exploit URLs embedded in each documents.

Solution #2: Only using supplied tools

While using oleobj gives us easy wins, it is not one the supplied tools. To use those tools we need to look at the official documentation of OOXML format.

According to the specification,

In addition to the relationships part for the package, each part that is the source of one or more relationships will have its own relationships part. Each such relationship part is found within a _rels sub-folder of the part and is named by appending ‘.rels’ to the name of the part. Typically the main content part (document.xml) has its own relationships part. It will contain relationships to the other parts of the content, such as styles.xml, themes,xml, and footer.xml, as well as the URIs for external links.

Thus we can inspect the word/_rels/document.xml.rels file to extract the external relationship used in each of these Word documents.

--

--

No responses yet