On September 7, 2021 Microsoft disclosed an actively exploited Remote Code Execution (RCE) vulnerability in MSHTML (CVE-2020-40444) with a CVSS score of 8.8. MSHTML, also known as Trident, is a proprietary browser engine found in the now-discontinued Internet Explorer.
It is also used in Microsoft Office products to render web content inside Word, Excel, and PowerPoint documents. More than 70% of the users in the world use a Windows operating system as their daily driver and this vulnerability affects every version of the Windows machine.
According to Microsoft, “An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine.”
In order to successfully exploit this vulnerability, all an attacker has to do is use specially crafted malicious Microsoft Office documents and use phishing or social engineering to deliver it.
When the victim opens this document, MS Office will automatically retrieve the attacker’s payload using the script and execute a malicious script on the victim’s system.
First of all, attackers need to craft a malicious MS Office document file. For that, they create a normal document file. Then they unpack it to its components.
From the unpacked document components, attackers modify the relationship file document.xml.rels
to point it to an external or malicious html link. Relationship files describe how the document should behave and it contains internal/external resources such as font, theme, and web settings, etc.
Given below is an example of a document.xml.rels file.
Next, attackers need to add an OLE object with the same relationship ID. Object Linking and Embedding (OLE) objects are used to make content, created in one program, and available in Word documents.
Given below is an example of a document.xml file.
After modifying the document.xml.rels and document.xml, attackers repack the document file. Final process is to create a .dll file, convert it into Cabinet file format and specify the cab locations and INF file in the html file of the malicious website.
When a user opens this Microsoft Office document, containing an MHTML OLE object, that is the website entered in the Relationship file document.xml.rels which is an attacker-controlled endpoint.
The website executes a JavaScript code that starts an ActiveX instance in the MSHTML browser engine.
The JavaScript in the Website code retrieves and opens a cabinet archive (.cab) file which contains a malicious DLL bearing an INF (Setup Information file) file.
When the CAB file is decompressed it executes the INF file as a Control Panel (.cpl) file using the control.exe (Control Panel utility)
Due to a Path traversal (ZipSlip) vulnerability in the CAB, attackers can store the INF in %TEMP% directory.
Then, the INF file is opened using the Control Panel utility causing the side-loading of the INF file via the rundll32.exe program (rundll32.exe program is used to run the dll program file.).
As this includes phishing or social engineering to deliver the payload, this attack can be easily avoided by following good cyber security best practices. Don’t open documents or any files from unknown sources, and be suspicious of unusual email attachments.
Microsoft has officially released patches for affected products. In situations where updating a Windows system may be difficult, Microsoft has also published workarounds. It can be used to disable ActiveX using group policy or with a custom registry key and a Windows Explorer preview disable registry edit that will prevent scripts from being run in without fully opening a document.