Associated vulnerability
Title: Microsoft Excel security vulnerability (CVE-2021-42292)
Description: Microsoft Excel is the spreadsheet application in the Office suite from Microsoft (USA). Microsoft Excel has a security vulnerability. The following products and versions are affected: Microsoft Excel 2016 (32-bit edition), Microsoft Excel 2016 (64-bit edition), Microsoft Office 2016 (32-bit edition), Microsoft Office 2016 (64-bit edition), Microsoft
Description
A Zeek package to detect exploitation of CVE-2021-42292, a Microsoft Excel local privilege escalation vulnerability.
Introduction
## CVE-2021-42292
This package detects exploitation of [CVE-2021-42292](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42292), a Microsoft Excel local
privilege escalation vulnerability, and raises a notice in notice.log when it fires.
https://corelight.com/blog/detecting-cve-2021-42292
#### Detection Method:
This package detects exploitation at the point where the triggering Excel spreadsheet downloads a second spreadsheet,
which is then executed with elevated privileges. The script therefore looks for Microsoft Excel (identified by its
HTTP User-Agent) downloading a file that the server returns with a Microsoft Excel MIME type. In our testing on some
live networks we monitor, this combination was extremely rare and we have not seen any false positives so far.
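The same heuristic, replayed in Python over a handful of constructed HTTP records, as an added example that is not the package's own `main.zeek`. It keys on the two User-Agent shapes visible in the sample notice.log (the Excel-specific `Microsoft Office Excel ...` string and the generic `ms-office`/`MSOffice N` client) and on the response Content-Type. The log layout, the `content_type` column, the inclusion of the OOXML `.xlsx` MIME type and the notice wording are assumptions made for this example; the rows are constructed, not captured traffic.

```python
"""CVE-2021-42292 heuristic (Office client fetching an Excel-typed file)
replayed over constructed, Zeek-style HTTP records. Added example; not the
package's Zeek script."""
import re
from typing import Dict, List

# User-Agent families taken from the sample notice.log: Excel's own string and
# the generic Office client string. Assumption: these two families are enough.
OFFICE_UA = re.compile(r"Microsoft Office Excel|\bms-office\b|\bMSOffice \d+", re.IGNORECASE)

# Excel MIME types. application/vnd.ms-excel is what the sample notice shows;
# counting the OOXML (.xlsx) type as well is an assumption of this example.
EXCEL_MIME = {
    "application/vnd.ms-excel",
    "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
}

# Constructed tab-separated records in the style of a Zeek http.log. The
# content_type column stands in for the server's Content-Type header, which is
# what the package reports in the notice's sub field. Not real traffic.
SAMPLE_LOG = """#fields\tts\tid.orig_h\tid.resp_h\tmethod\thost\turi\tuser_agent\tcontent_type
1636433584.277654\t127.0.0.1\t127.0.0.1\tHEAD\t127.0.0.1\t/replica.xls\tMicrosoft Office Excel 2014\tapplication/vnd.ms-excel
1636433584.311236\t127.0.0.1\t127.0.0.1\tGET\t127.0.0.1\t/replica.xls\tMozilla/4.0 (compatible; ms-office; MSOffice 16)\tapplication/vnd.ms-excel
1636433590.000000\t10.0.0.5\t203.0.113.9\tGET\tintranet.example\t/report.xlsx\tMozilla/5.0 (Windows NT 10.0) Chrome/95.0\tapplication/vnd.openxmlformats-officedocument.spreadsheetml.sheet
1636433591.000000\t10.0.0.5\t203.0.113.9\tGET\tintranet.example\t/update.cab\tMicrosoft Office Excel 2014\tapplication/octet-stream
"""


def parse_http_log(text: str) -> List[Dict[str, str]]:
    """Parse a Zeek-style TSV log: '#fields' names the columns, other '#'
    lines are metadata, and '-' means the field is unset."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):
            continue
        values = line.split("\t")
        records.append({k: ("" if v == "-" else v) for k, v in zip(fields, values)})
    return records


def is_office_excel_download(rec: Dict[str, str]) -> bool:
    """True when an Office/Excel client receives a response typed as a
    spreadsheet. Both HEAD and GET count, matching the sample notice.log."""
    ua = rec.get("user_agent", "")
    # Drop parameters such as '; charset=...' before comparing the media type.
    mime = rec.get("content_type", "").split(";")[0].strip().lower()
    return bool(OFFICE_UA.search(ua)) and mime in EXCEL_MIME


def detect(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one notice-like dict per matching record, carrying the same
    triage fields the package puts in the notice's sub field."""
    notices = []
    for rec in records:
        if not is_office_excel_download(rec):
            continue
        notices.append({
            "ts": rec["ts"],
            "src": rec["id.orig_h"],
            "method": rec["method"],
            "msg": (f"{rec['id.orig_h']} may be compromised by CVE-2021-42292: "
                    f"Office client fetched an Excel-typed file from {rec['id.resp_h']}"),
            "sub": (f"host='{rec['host']}', method='{rec['method']}', "
                    f"user_agent='{rec['user_agent']}', "
                    f"CONTENT-TYPE='{rec['content_type']}', uri='{rec['uri']}'"),
        })
    return notices


if __name__ == "__main__":
    for n in detect(parse_http_log(SAMPLE_LOG)):
        print(n["ts"], n["msg"], n["sub"], sep="\t")
```

The third constructed row (a browser fetching an `.xlsx`) and the fourth (Excel fetching an `application/octet-stream`) show why both conditions are required: each alone is ordinary traffic, and only the Office-client-plus-Excel-MIME combination fires.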
#### Usage:
```
$ zeek -Cr excelsploit_1.pcap packages
$ cat notice.log
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path notice
#open 2021-11-10-10-56-50
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double
1636433584.277654 CeV1DA2EM1pRTfgWkc 127.0.0.1 51543 127.0.0.1 80 - - - tcp CVE_2021_42292::CVE_2021_42292 127.0.0.1 may be compromised by CVE-2021-42292, MS Office Excel download using Office from 127.0.0.1 detected. See sub field for additional triage information host='127.0.0.1', method='HEAD', user_agent='Microsoft Office Excel 2014', CONTENT-TYPE='application/vnd.ms-excel', uri='/replica.xls' 127.0.0.1 127.0.0.1 80 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
1636433584.311236 CgKWSM1bhhl7K8B6n8 127.0.0.1 51545 127.0.0.1 80 - - - tcp CVE_2021_42292::CVE_2021_42292 127.0.0.1 may be compromised by CVE-2021-42292, MS Office Excel download using Office from 127.0.0.1 detected. See sub field for additional triage information host='127.0.0.1', method='GET', user_agent='Mozilla/4.0 (compatible; ms-office; MSOffice 16)', CONTENT-TYPE='application/vnd.ms-excel', uri='/replica.xls' 127.0.0.1 127.0.0.1 80 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
#close 2021-11-10-10-56-50
```
Note that the sample above produces two notices for a single download: Excel first issues a HEAD with the
`Microsoft Office Excel 2014` User-Agent and then a GET with the generic `Mozilla/4.0 (compatible; ms-office; MSOffice 16)`
agent, and both match. Suricata rules are also provided that mirror the detection methodology of the Zeek package.
#### Links:
* Associated blog, including a walk-through of the code elements:
  * https://corelight.com/blog/detecting-cve-2021-42292
* MIME types:
  * https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types/Common_types
* Excel User-Agents:
  * https://developers.whatismybrowser.com/useragents/explore/software_name/excel/
File snapshot
[4.0K] /data/pocs/d93ea065702b67c109a181b3a13961c71e1acf14
├── [ 29] COPYING
├── [1.5K] LICENSE
├── [3.1K] README.md
├── [4.0K] scripts
│ ├── [ 32] __load__.zeek
│ └── [2.5K] main.zeek
├── [1.5K] suricata.rules
├── [4.0K] testing
│ ├── [ 565] btest.cfg
│ ├── [4.0K] Files
│ │ └── [ 192] random.seed
│ ├── [ 28] Makefile
│ └── [4.0K] Scripts
│ ├── [ 383] diff-remove-timestamps
│ ├── [1.3K] get-zeek-env
│ └── [ 303] README
└── [ 391] zkg.meta
4 directories, 13 files
Notes
1. It is recommended to access the code through the original source first.
2. If the source is no longer available or cannot be accessed, e-mail f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for or donating to the local POC. Thank you for your support.