CVE-2021-42292 PoC — Microsoft Excel Security Feature Bypass Vulnerability

Associated Vulnerability
Title: Microsoft Excel Security Feature Bypass Vulnerability (CVE-2021-42292)
Description: Microsoft Excel Security Feature Bypass Vulnerability
Description
A Zeek package to detect exploitation of CVE-2021-42292, a Microsoft Excel vulnerability that Microsoft classifies as a security feature bypass and that the package README describes as a local privilege escalation.
Readme
## CVE-2021-42292

This package detects exploitation attempts of [CVE-2021-42292](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42292), a Microsoft Excel
vulnerability (classified by Microsoft as a security feature bypass; the exploit chain this package targets ends in local
privilege escalation), and generates a notice in notice.log for each one.

https://corelight.com/blog/detecting-cve-2021-42292  

#### Detection Method:

The package does not identify the vulnerable Excel build itself; it detects the exploit's network behaviour. The
triggering Excel spreadsheet downloads a second spreadsheet, which is then executed with elevated privileges, so the
script raises a notice when an HTTP client whose User-Agent identifies Microsoft Excel or Office (for example
`Microsoft Office Excel 2014` or `Mozilla/4.0 (compatible; ms-office; MSOffice 16)`) receives a response whose
Content-Type is an Excel MIME type (`application/vnd.ms-excel` in the sample below). Each matching request produces
its own notice, which is why the HEAD and the following GET for the same URI appear as two lines in the sample output.
In our testing on some live networks we monitor, this combination was extremely rare and we have not seen any false
positives so far. A legitimate Excel fetch of a workbook from a web server matches the same pattern, so triage hits
using the host, method, user_agent, CONTENT-TYPE and uri values carried in the notice's sub field.

#### Usage:

```
$ zeek -Cr excelsploit_1.pcap packages

$ cat notice.log
#separator \x09
#set_separator  ,
#empty_field    (empty)
#unset_field    -
#path   notice
#open   2021-11-10-10-56-50
#fields ts      uid     id.orig_h       id.orig_p       id.resp_h       id.resp_p       fuid    file_mime_type  file_desc       proto   note    msg     sub     src     dst     p       n       peer_descr      actions email_dest      suppress_for    remote_location.country_code    remote_location.region  remote_location.city    remote_location.latitude        remote_location.longitude
#types  time    string  addr    port    addr    port    string  string  string  enum    enum    string  string  addr    addr    port    count   string  set[enum]       set[string]     interval        string  string  string  double  double
1636433584.277654       CeV1DA2EM1pRTfgWkc      127.0.0.1       51543   127.0.0.1       80      -       -       -       tcp     CVE_2021_42292::CVE_2021_42292  127.0.0.1 may be compromised by CVE-2021-42292, MS Office Excel download using Office from 127.0.0.1 detected. See sub field for additional triage information  host='127.0.0.1', method='HEAD', user_agent='Microsoft Office Excel 2014', CONTENT-TYPE='application/vnd.ms-excel', uri='/replica.xls'      127.0.0.1       127.0.0.1       80      -       -       Notice::ACTION_LOG      (empty) 3600.000000     -       -       -       -       -
1636433584.311236       CgKWSM1bhhl7K8B6n8      127.0.0.1       51545   127.0.0.1       80      -       -       -       tcp     CVE_2021_42292::CVE_2021_42292  127.0.0.1 may be compromised by CVE-2021-42292, MS Office Excel download using Office from 127.0.0.1 detected. See sub field for additional triage information  host='127.0.0.1', method='GET', user_agent='Mozilla/4.0 (compatible; ms-office; MSOffice 16)', CONTENT-TYPE='application/vnd.ms-excel', uri='/replica.xls'  127.0.0.1       127.0.0.1       80      -       -       Notice::ACTION_LOG      (empty) 3600.000000     -       -       -       -       -
#close  2021-11-10-10-56-50
```
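The detection rule described under Detection Method and the notice layout shown in the usage output above, as an added example that is not part of the Corelight package (the package's own logic lives in scripts/main.zeek and is not reproduced here): a Python re-implementation run over constructed HTTP transaction records. The Excel/Office user-agent pattern and the set of Excel content types are assumptions distilled from the notice output above, and every record, host address and uid below is constructed for the example. Two benign records are included to show what the rule is designed not to match: a browser downloading a spreadsheet, and Excel fetching a non-spreadsheet.

```python
"""Added example, not the Corelight package's code: the README's Excel-downloads-Excel
detection re-implemented over constructed HTTP transaction records."""
import re
from dataclasses import dataclass

# Assumed heuristics, distilled from the user agents and Content-Type in the README's
# sample notice.log; the package's actual patterns in scripts/main.zeek may differ.
EXCEL_UA_RE = re.compile(r"(?:Microsoft Office Excel|ms-office|MSOffice)", re.IGNORECASE)
EXCEL_CONTENT_TYPES = {
    "application/vnd.ms-excel",
    "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
}


@dataclass
class HttpRecord:
    """Subset of one HTTP transaction as a sensor sees it (constructed for the example)."""
    ts: float
    uid: str
    orig_h: str
    resp_h: str
    resp_p: int
    method: str
    host: str
    uri: str
    user_agent: str
    content_type: str  # raw response Content-Type header value, "" if absent


def content_type_base(value: str) -> str:
    """Strip parameters such as '; charset=...' and normalise case before comparing."""
    return value.split(";", 1)[0].strip().lower()


def matches(rec: HttpRecord) -> bool:
    """The README's trigger: an Office/Excel client receiving an Excel MIME type."""
    return bool(EXCEL_UA_RE.search(rec.user_agent)) and \
        content_type_base(rec.content_type) in EXCEL_CONTENT_TYPES


def sub_field(rec: HttpRecord) -> str:
    """Triage string in the same key='value' layout as the package's notice sub field."""
    return (f"host='{rec.host}', method='{rec.method}', user_agent='{rec.user_agent}', "
            f"CONTENT-TYPE='{rec.content_type}', uri='{rec.uri}'")


def detect(records):
    """Return one notice dict per matching record, mirroring the notice.log columns."""
    notices = []
    for rec in records:
        if matches(rec):
            notices.append({
                "ts": rec.ts, "uid": rec.uid, "src": rec.orig_h, "dst": rec.resp_h,
                "p": rec.resp_p,
                "note": "CVE_2021_42292::CVE_2021_42292",
                "msg": (f"{rec.orig_h} may be compromised by CVE-2021-42292, MS Office "
                        f"Excel download using Office from {rec.resp_h} detected. "
                        "See sub field for additional triage information"),
                "sub": sub_field(rec),
            })
    return notices


# Constructed sample traffic: two hits modelled on the README's output (HEAD then GET for
# the same URI), plus two benign transactions a naive "any .xls download" rule would flag.
SAMPLE = [
    HttpRecord(1636433584.277654, "CeV1DA2EM1pRTfgWkc", "10.0.0.5", "203.0.113.10", 80,
               "HEAD", "203.0.113.10", "/replica.xls", "Microsoft Office Excel 2014",
               "application/vnd.ms-excel"),
    HttpRecord(1636433584.311236, "CgKWSM1bhhl7K8B6n8", "10.0.0.5", "203.0.113.10", 80,
               "GET", "203.0.113.10", "/replica.xls",
               "Mozilla/4.0 (compatible; ms-office; MSOffice 16)",
               "application/vnd.ms-excel; charset=binary"),
    # Browser download of a spreadsheet: Excel content, but not fetched by Office.
    HttpRecord(1636433600.0, "Cbrowser01", "10.0.0.7", "203.0.113.10", 80,
               "GET", "203.0.113.10", "/report.xls",
               "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/94.0",
               "application/vnd.ms-excel"),
    # Office client fetching something that is not a spreadsheet.
    HttpRecord(1636433601.0, "Coffice02", "10.0.0.5", "203.0.113.10", 80,
               "GET", "203.0.113.10", "/index.html",
               "Microsoft Office Excel 2014", "text/html; charset=utf-8"),
]

if __name__ == "__main__":
    for n in detect(SAMPLE):
        print(f"{n['ts']:.6f}\t{n['uid']}\t{n['note']}\t{n['sub']}")
```

Running the script prints two notice lines, one for the HEAD and one for the GET of /replica.xls, and nothing for the two benign records. The Content-Type comparison strips parameters and lower-cases the value so that `Application/VND.MS-EXCEL; charset=binary` still matches, which is the kind of variation that silently breaks an exact-string rule.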

Suricata rules (suricata.rules in the package root) are also provided that mirror the detection methodology of the
Zeek package.

#### Links:
* Associated blog post, including a walk-through of the code elements:
    * https://corelight.com/blog/detecting-cve-2021-42292
* MIME Types:
    * https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types/Common_types
* Excel User Agents:
    * https://developers.whatismybrowser.com/useragents/explore/software_name/excel/
File Snapshot

```
[4.0K] /data/pocs/d93ea065702b67c109a181b3a13961c71e1acf14
├── [  29] COPYING
├── [1.5K] LICENSE
├── [3.1K] README.md
├── [4.0K] scripts
│   ├── [  32] __load__.zeek
│   └── [2.5K] main.zeek
├── [1.5K] suricata.rules
├── [4.0K] testing
│   ├── [ 565] btest.cfg
│   ├── [4.0K] Files
│   │   └── [ 192] random.seed
│   ├── [  28] Makefile
│   └── [4.0K] Scripts
│       ├── [ 383] diff-remove-timestamps
│       ├── [1.3K] get-zeek-env
│       └── [ 303] README
└── [ 391] zkg.meta

4 directories, 13 files
```