Tools used
- oleobj
- re-search.py
- zipdump.py
- number-to-string.py
What is CVE-2021-40444?
CVE-2021-40444 was a vulnerability in the MS Office suite that can be triggered through a malicious external OLE relationship in a document. The exploit chain uses CAB files and path traversal to get a DLL executed, achieving RCE on the victim. An analysis of the attack has been reported by TrendMicro.
Solution #1: Easy mode
The easiest way to solve these challenges is to use the oleobj tool from oletools. The tool extracts external relationships from an OOXML file and can therefore be used to pull the exploit URL embedded in each document.
Solution #2: Only using supplied tools
While oleobj gives us an easy win, it is not one of the supplied tools. To solve the challenges with those tools we need to look at the official documentation of the OOXML format.
According to the specification,
In addition to the relationships part for the package, each part that is the source of one or more relationships will have its own relationships part. Each such relationship part is found within a _rels sub-folder of the part and is named by appending '.rels' to the name of the part. Typically the main content part (document.xml) has its own relationships part. It will contain relationships to the other parts of the content, such as styles.xml, themes.xml, and footer.xml, as well as the URIs for external links.
Thus we can unzip each Word document (an OOXML file is a ZIP package, which is where zipdump.py comes in) and inspect the word/_rels/document.xml.rels part to extract the external relationship it contains.
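As an added illustration of the second approach (this is not code from the write-up or from any of the listed tools), the Python script below opens a .docx as a ZIP package, reads word/_rels/document.xml.rels and lists every relationship with TargetMode="External"; it also singles out external OLE object relationships, since an OLE object loaded from outside the package is the pattern this CVE abuses, whereas an external hyperlink is ordinary. The sample document, its relationships part and the placeholder URL are constructed here for the demo; the relationship namespace and part path are taken from the OOXML specification.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespace of the OPC relationships part and the OOXML relationship-type
# prefix, both from the OOXML specification.
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OOXML_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
RELS_PATH = "word/_rels/document.xml.rels"


def external_relationships(docx_bytes):
    """Return (Id, Type, Target) for every relationship in
    word/_rels/document.xml.rels that has TargetMode="External".
    A document without that part yields an empty list."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if RELS_PATH not in zf.namelist():
            return []
        root = ET.fromstring(zf.read(RELS_PATH))
    found = []
    for rel in root.iter("{%s}Relationship" % RELS_NS):
        # TargetMode defaults to Internal when the attribute is absent.
        if rel.get("TargetMode", "Internal") == "External":
            found.append((rel.get("Id"), rel.get("Type"), rel.get("Target")))
    return found


def external_ole_targets(docx_bytes):
    """Targets of external relationships whose Type is the OLE object
    relationship. An external hyperlink is normal; an OLE object fetched
    from outside the package is the thing worth flagging and inspecting."""
    return [target for _, rel_type, target in external_relationships(docx_bytes)
            if rel_type.rstrip("/").endswith("/oleObject")]


def build_docx(rels_xml=None):
    """Constructed minimal .docx: just enough ZIP entries for this demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        zf.writestr("word/document.xml", '<?xml version="1.0"?><document/>')
        if rels_xml is not None:
            zf.writestr(RELS_PATH, rels_xml)
    return buf.getvalue()


# Constructed relationships part: one internal part, one ordinary external
# hyperlink, and one external OLE object pointing at a placeholder URL.
SAMPLE_RELS = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="%s">
<Relationship Id="rId1" Type="%s/styles" Target="styles.xml"/>
<Relationship Id="rId2" Type="%s/hyperlink" Target="https://example.com/" TargetMode="External"/>
<Relationship Id="rId3" Type="%s/oleObject" Target="http://example.invalid/placeholder.html" TargetMode="External"/>
</Relationships>
""" % (RELS_NS, OOXML_REL, OOXML_REL, OOXML_REL)


if __name__ == "__main__":
    sample = build_docx(SAMPLE_RELS)
    for rid, rel_type, target in external_relationships(sample):
        print(rid, rel_type.rsplit("/", 1)[-1], target)
    print("external OLE targets:", external_ole_targets(sample))
```

To run it against a real sample, replace build_docx(SAMPLE_RELS) with the bytes of the .docx under analysis; the script only reads the relationships part and never renders or opens the document, so it is safe to run on a suspicious file in an analysis environment.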
Analysis of each sample
Two samples have been analyzed using the first technique, while the last two have been analyzed using the second.