Share
## https://sploitus.com/exploit?id=1E02B057-FCE8-5F88-8BC9-0289C8F014BE
## CVE-2021-42292

This package will detect exploits of [CVE-2021-42292](https://vulners.com/cve/CVE-2021-42292), a Microsoft Excel local
privilege escalation vulnerability, and generate a notice in notice.log for it.

https://corelight.com/blog/detecting-cve-2021-42292  

#### Detection Method:

This package detects the vulnerability when the triggering Excel spreadsheet downloads a second spreadsheet.
The second spreadsheet is executed with elevated privileges.  We can detect Microsoft Excel downloading
a Microsoft Excel file with this script.  In our testing on some live networks we monitor,
this combination was extremely rare and we have not seen any false positives so far.

#### Usage:

```
$ zeek -Cr excelsploit_1.pcap packages

$ cat notice.log
#separator \x09
#set_separator  ,
#empty_field    (empty)
#unset_field    -
#path   notice
#open   2021-11-10-10-56-50
#fields ts      uid     id.orig_h       id.orig_p       id.resp_h       id.resp_p       fuid    file_mime_type  file_desc       proto   note    msg     sub     src     dst     p       n       peer_descr      actions email_dest      suppress_for    remote_location.country_code    remote_location.region  remote_location.city    remote_location.latitude        remote_location.longitude
#types  time    string  addr    port    addr    port    string  string  string  enum    enum    string  string  addr    addr    port    count   string  set[enum]       set[string]     interval        string  string  string  double  double
1636433584.277654       CeV1DA2EM1pRTfgWkc      127.0.0.1       51543   127.0.0.1       80      -       -       -       tcp     CVE_2021_42292::CVE_2021_42292  127.0.0.1 may be compromised by CVE-2021-42292, MS Office Excel download using Office from 127.0.0.1 detected. See sub field for additional triage information  host='127.0.0.1', method='HEAD', user_agent='Microsoft Office Excel 2014', CONTENT-TYPE='application/vnd.ms-excel', uri='/replica.xls'      127.0.0.1       127.0.0.1       80      -       -       Notice::ACTION_LOG      (empty) 3600.000000     -       -       -       -       -
1636433584.311236       CgKWSM1bhhl7K8B6n8      127.0.0.1       51545   127.0.0.1       80      -       -       -       tcp     CVE_2021_42292::CVE_2021_42292  127.0.0.1 may be compromised by CVE-2021-42292, MS Office Excel download using Office from 127.0.0.1 detected. See sub field for additional triage information  host='127.0.0.1', method='GET', user_agent='Mozilla/4.0 (compatible; ms-office; MSOffice 16)', CONTENT-TYPE='application/vnd.ms-excel', uri='/replica.xls'  127.0.0.1       127.0.0.1       80      -       -       Notice::ACTION_LOG      (empty) 3600.000000     -       -       -       -       -
#close  2021-11-10-10-56-50
```

Suricata rules are also provided that mirror the detection methodology of the
Zeek package.

#### Links:
* Associated blog including walk through of code elements:  
    * https://corelight.com/blog/detecting-cve-2021-42292   
* MIME Types:
    * https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types/Common_types
* Excel User Agents:
    * https://developers.whatismybrowser.com/useragents/explore/software_name/excel/