CVE-2021-40444:MSHTML RCE预警

偏执的太偏执、 2022-09-11 05:19 93阅读 0赞

## 影响范围 ##

*  Windows Server, version 20H2 (Server Core Installation)
 *  Windows Server, version 2004 (Server Core installation)
 *  Windows Server 2022 (Server Core installation)
 *  Windows Server 2022
 *  Windows Server 2019 (Server Core installation)
 *  Windows Server 2019
 *  Windows Server 2016 (Server Core installation)
 *  Windows Server 2016
 *  Windows Server 2012 R2 (Server Core installation)
 *  Windows Server 2012 R2
 *  Windows Server 2012 (Server Core installation)
 *  Windows Server 2012
 *  Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
 *  Windows Server 2008 for x64-based Systems Service Pack 2
 *  Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
 *  Windows Server 2008 for 32-bit Systems Service Pack 2
 *  Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
 *  Windows Server 2008 R2 for x64-based Systems Service Pack 1
 *  Windows RT 8.1
 *  Windows 8.1 for x64-based systems
 *  Windows 8.1 for 32-bit systems
 *  Windows 7 for x64-based Systems Service Pack 1
 *  Windows 7 for 32-bit Systems Service Pack 1
 *  Windows 10 for x64-based Systems
 *  Windows 10 for 32-bit Systems
 *  Windows 10 Version 21H1 for x64-based Systems
 *  Windows 10 Version 21H1 for ARM64-based Systems
 *  Windows 10 Version 21H1 for 32-bit Systems
 *  Windows 10 Version 20H2 for x64-based Systems
 *  Windows 10 Version 20H2 for ARM64-based Systems
 *  Windows 10 Version 20H2 for 32-bit Systems
 *  Windows 10 Version 2004 for x64-based Systems
 *  Windows 10 Version 2004 for ARM64-based Systems
 *  Windows 10 Version 2004 for 32-bit Systems
 *  Windows 10 Version 1909 for x64-based Systems
 *  Windows 10 Version 1909 for ARM64-based Systems
 *  Windows 10 Version 1909 for 32-bit Systems
 *  Windows 10 Version 1809 for x64-based Systems
 *  Windows 10 Version 1809 for ARM64-based Systems
 *  Windows 10 Version 1809 for 32-bit Systems
 *  Windows 10 Version 1607 for x64-based Systems
 *  Windows 10 Version 1607 for 32-bit Systems

## 漏洞类型 ##

远程命令执行

## 利用条件 ##

影响范围应用

## 漏洞概述 ##

2021年9月8日，微软发布安全通告披露了Microsoft MSHTML远程代码执行漏洞，攻击者可通过制作恶意的ActiveX控件供托管浏览器呈现引擎的 Microsoft Office文档使用，成功诱导用户打开恶意文档后，可在目标系统上以该用户权限执行任意代码，微软在通告中指出已检测到该漏洞被在野利用，请相关用户采取措施进行防护。

MSHTML(又称为Trident)是微软旗下的Internet Explorer浏览器引擎，也用于Office应用程序，以在Word、Excel或PowerPoint文档中呈现Web托管的内容，AcitveX控件是微软COM架构下的产物，在Windows的Office套件、IE浏览器中有广泛的应用，利用ActiveX控件即可与MSHTML组件进行交互。

## 漏洞复现 ##

**出于安全规范，本文不给出具体利用过程，仅以证明为主，警示相关行业人员进行紧急修复!!!**

命令执行：

![watermark_type_ZHJvaWRzYW5zZmFsbGJhY2s_shadow_50_text_Q1NETiBARkx5X-m5j-eoi-S4h-mHjA_size_20_color_FFFFFF_t_70_g_se_x_16][]

![watermark_type_ZHJvaWRzYW5zZmFsbGJhY2s_shadow_50_text_Q1NETiBARkx5X-m5j-eoi-S4h-mHjA_size_20_color_FFFFFF_t_70_g_se_x_16 1][]

社工钓鱼：

切勿打开任何来历不名的Office应用

![watermark_type_ZHJvaWRzYW5zZmFsbGJhY2s_shadow_50_text_Q1NETiBARkx5X-m5j-eoi-S4h-mHjA_size_20_color_FFFFFF_t_70_g_se_x_16 2][]

![watermark_type_ZHJvaWRzYW5zZmFsbGJhY2s_shadow_50_text_Q1NETiBARkx5X-m5j-eoi-S4h-mHjA_size_20_color_FFFFFF_t_70_g_se_x_16 3][]

![watermark_type_ZHJvaWRzYW5zZmFsbGJhY2s_shadow_50_text_Q1NETiBARkx5X-m5j-eoi-S4h-mHjA_size_20_color_FFFFFF_t_70_g_se_x_16 4][]

## 安全建议 ##

1、临时缓解

在Internet Explorer中禁用所有区域的ActiveX控件安装可缓解此漏洞攻击，可通过创建注册表文件禁用ActiveX控件(建议备份后再进行操作)

a、将以下方框中的内容粘贴到文本文件中并使用.reg文件扩展名保存

Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
    "1001"=dword:00000003
    "1004"=dword:00000003
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
    "1001"=dword:00000003
    "1004"=dword:00000003
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
    "1001"=dword:00000003
    "1004"=dword:00000003
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
    "1001"=dword:00000003
    "1004"=dword:00000003

b、双击.reg 文件，将其应用到策略配置单元

c、重新启动系统以确保应用新配置

备注：如果要撤消此缓解措施，可以直接通过删除在实施此操作时添加的注册表项来实现

2、产品更新防护

目前Microsoft Defender Antivirus和Microsoft Defender for Endpoint都支持为已知漏洞提供检测和保护，请相关用户及时更新反恶意软件产品，使用自动更新的用户无需采取额外措施，管理更新的企业客户应选择检测版本1.349.22.0或更高版本，并在环境中进行部署，Microsoft Defender for Endpoint警报将显示为:"可疑的Cpl文件执行"

[watermark_type_ZHJvaWRzYW5zZmFsbGJhY2s_shadow_50_text_Q1NETiBARkx5X-m5j-eoi-S4h-mHjA_size_20_color_FFFFFF_t_70_g_se_x_16]: /images/20220828/c40c151fff9a4a9683779cf483f82e84.png
[watermark_type_ZHJvaWRzYW5zZmFsbGJhY2s_shadow_50_text_Q1NETiBARkx5X-m5j-eoi-S4h-mHjA_size_20_color_FFFFFF_t_70_g_se_x_16 1]: /images/20220828/1bfbcb3239f94a3694e5a2ff8039c901.png
[watermark_type_ZHJvaWRzYW5zZmFsbGJhY2s_shadow_50_text_Q1NETiBARkx5X-m5j-eoi-S4h-mHjA_size_20_color_FFFFFF_t_70_g_se_x_16 2]: /images/20220828/3b66c22a58b647f3a4c4659331f030c7.png
[watermark_type_ZHJvaWRzYW5zZmFsbGJhY2s_shadow_50_text_Q1NETiBARkx5X-m5j-eoi-S4h-mHjA_size_20_color_FFFFFF_t_70_g_se_x_16 3]: /images/20220828/5f316a7ce311401684ec4ea5ab95cdd3.png
[watermark_type_ZHJvaWRzYW5zZmFsbGJhY2s_shadow_50_text_Q1NETiBARkx5X-m5j-eoi-S4h-mHjA_size_20_color_FFFFFF_t_70_g_se_x_16 4]: /images/20220828/11c57bb9920e4f86987012ff3345cb0e.png