Critical Severity
Attachment: CVE-2021-40444 - MSHTML Remote Code Execution Vulnerability
Description
Attachment contains an external relationship that attempts to load a remote OLE object, consistent with use in CVE-2021-40444.
On September 7, 2021, Microsoft released details about a zero day RCE vulnerability in MSHTML that affects Microsoft Windows.
According to Microsoft: "we are aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents. An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine."
References
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444
- https://twitter.com/buffaloverflow/status/1436261107329642522
- https://twitter.com/jroosen/status/1435792491899494402
- https://twitter.com/decalage2/status/1436433067619622916
- https://www.reddit.com/r/crowdstrike/comments/pkb9wi/situational_awareness_cve202140444_mshtml_remote/
- https://twitter.com/aaaddress1/status/1436393045939814400
Sublime Security
Created Aug 17th, 2023 • Last updated Dec 19th, 2023
Feed Source
Sublime Core Feed
Source
type.inbound
and any(attachments,
(
(
.file_extension in~ $file_extensions_macros
or .file_extension =~ "rtf"
or (
.file_extension is null
and .file_type == "unknown"
and .content_type == "application/octet-stream"
and .size < 100000000
)
)
and any(file.oletools(.).relationships, regex.icontains(.target, ".*html:http.*"))
)
or (
.file_extension in~ $file_extensions_common_archives
and any(file.explode(.),
.flavors.mime == "text/xml"
and any(.scan.strings.strings, regex.icontains(., ".*oleObject.*mhtml.*http.*"))
)
)
)
Playground
Test against your own EMLs or sample data.