高危 Microsoft MSHTML 远程代码执行漏洞
CVE编号
CVE-2021-40444利用情况
POC 已公开补丁情况
缓解措施披露时间
2021-09-07漏洞描述
微软AcitveX控件在Windows的Office套件、IE游览器中有广泛的应用,通常用来与MSHTMl组件进行交互。 Microsoft MSHTML引擎存在远程代码执行漏洞,攻击者可构造带有恶意ActiveX控件的Microsoft Office文档,并诱导目标用户打开该文档来利用。成功利用此漏洞的远程攻击者可在系统上以该用户的权限执行任意代码。 影响版本: Windows 7 for x64-based Systems Service Pack 1 Windows 7 for 32-bit Systems Service Pack 1 Windows Server 2012 R2 (Server Core installation) Windows Server 2012 R2 Windows Server 2012 (Server Core installation) Windows Server 2012 Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) Windows Server 2008 R2 for x64-based Systems Service Pack 1 Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) Windows Server 2008 for x64-based Systems Service Pack 2 Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) Windows Server 2008 for 32-bit Systems Service Pack 2 Windows RT 8.1 Windows 8.1 for x64-based systems Windows 8.1 for 32-bit systems Windows Server 2016 (Server Core installation) Windows Server 2016 Windows 10 Version 1607 for x64-based Systems Windows 10 Version 1607 for 32-bit Systems Windows 10 for x64-based Systems Windows 10 for 32-bit Systems Windows Server, version 20H2 (Server Core Installation) Windows 10 Version 20H2 for ARM64-based Systems Windows 10 Version 20H2 for 32-bit Systems Windows 10 Version 20H2 for x64-based Systems Windows Server, version 2004 (Server Core installation) Windows 10 Version 2004 for x64-based Systems Windows 10 Version 2004 for ARM64-based Systems Windows 10 Version 2004 for 32-bit Systems Windows Server 2022 (Server Core installation) Windows Server 2022 Windows 10 Version 21H1 for 32-bit Systems Windows 10 Version 21H1 for ARM64-based Systems Windows 10 Version 21H1 for x64-based Systems Windows 10 Version 1909 for ARM64-based Systems Windows 10 Version 1909 for x64-based Systems Windows 10 Version 1909 for 32-bit Systems Windows Server 2019 (Server Core installation) Windows Server 2019 Windows 10 Version 1809 for ARM64-based Systems Windows 10 Version 1809 for x64-based Systems Windows 10 Version 1809 for 32-bit Systems解决建议
目前微软没有发布安全更新,目前仅提供了临时缓解措施,在默认情况下,Microsoft Office 在保护视图或Application Guard中打开来自Internet的文档,都可以防止当前的攻击。在 Internet Explorer 中禁用所有 ActiveX 控件的安装可以减轻这种攻击,可以通过更新注册表为所有站点应用。具体操作步骤:1.在单个系统上禁用 ActiveX 控件:要禁止在 Internet Explorer 中的所有区域安装 ActiveX 控件,可以将以下内容粘贴到文本文件中并使用 .reg 文件扩展名保存:Windows Registry Editor Version 5.00[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]"1001"=dword:00000003"1004"=dword:00000003[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]"1001"=dword:00000003"1004"=dword:00000003[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]"1001"=dword:00000003"1004"=dword:00000003[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]"1001"=dword:00000003"1004"=dword:000000032.双击 .reg 文件以将其应用到您的策略配置单元。3.重新启动系统以确保应用新配置。该措施可导致的影响:这会将 64 位和 32 位进程的所有 Internet 区域的 URLACTION_DOWNLOAD_SIGNED_ACTIVEX (0x1001) 和 URLACTION_DOWNLOAD_UNSIGNED_ACTIVEX (0x1004) 设置为 DISABLED (3)。并不会安装新的 ActiveX 控件。以前安装的 ActiveX 控件将继续运行。如何撤消解决此措施:删除以上措施中添加的注册表项受影响软件情况
| # | 类型 | 厂商 | 产品 | 版本 | 影响面 | ||||
| 1 | |||||||||
|---|---|---|---|---|---|---|---|---|---|
| 运行在以下环境 | |||||||||
| 系统 | microsoft | windows_10 | - | - | |||||
| 运行在以下环境 | |||||||||
| 系统 | microsoft | windows_10 | 1607 | - | |||||
| 运行在以下环境 | |||||||||
| 系统 | microsoft | windows_10 | 1809 | - | |||||
| 运行在以下环境 | |||||||||
| 系统 | microsoft | windows_10 | 1909 | - | |||||
| 运行在以下环境 | |||||||||
| 系统 | microsoft | windows_10 | 2004 | - | |||||
| 运行在以下环境 | |||||||||
| 系统 | microsoft | windows_10 | 20h2 | - | |||||
| 运行在以下环境 | |||||||||
| 系统 | microsoft | windows_10 | 21h1 | - | |||||
| 运行在以下环境 | |||||||||
| 系统 | microsoft | windows_7 | - | - | |||||
| 运行在以下环境 | |||||||||
| 系统 | microsoft | windows_8.1 | - | - | |||||
| 运行在以下环境 | |||||||||
| 系统 | microsoft | windows_rt_8.1 | - | - | |||||
| 运行在以下环境 | |||||||||
| 系统 | microsoft | windows_server_2008 | - | - | |||||
| 运行在以下环境 | |||||||||
| 系统 | microsoft | windows_server_2008 | r2 | - | |||||
| 运行在以下环境 | |||||||||
| 系统 | microsoft | windows_server_2012 | - | - | |||||
| 运行在以下环境 | |||||||||
| 系统 | microsoft | windows_server_2016 | - | - | |||||
| 运行在以下环境 | |||||||||
| 系统 | microsoft | windows_server_2016 | 2004 | - | |||||
| 运行在以下环境 | |||||||||
| 系统 | microsoft | windows_server_2016 | 20h2 | - | |||||
| 运行在以下环境 | |||||||||
| 系统 | microsoft | windows_server_2019 | - | - | |||||
| 运行在以下环境 | |||||||||
| 系统 | microsoft | windows_server_2022 | - | - | |||||
- 攻击路径 远程
- 攻击复杂度 复杂
- 权限要求 无需权限
- 影响范围 全局影响
- EXP成熟度 POC 已公开
- 补丁情况 缓解措施
- 数据保密性 数据泄露
- 数据完整性 传输被破坏
- 服务器危害 服务器失陷
- 全网数量 N/A
| CWE-ID | 漏洞类型 |
| CWE-22 | 对路径名的限制不恰当(路径遍历) |
| NVD-CWE-noinfo |
Exp相关链接
- https://github.com/34zY/Microsoft-Office-Word-MSHTML-Remote-Code-Execution-Exploit
- https://github.com/aslitsecurity/CVE-2021-40444_builders
- https://github.com/Edubr2020/CVE-2021-40444--CABless
- https://github.com/klezVirus/CVE-2021-40444
- https://github.com/lockedbyte/CVE-2021-40444
- https://github.com/Udyz/CVE-2021-40444-Sample
版权声明
本站原创文章转载请注明文章出处及链接,谢谢合作!
评论