ANNOUNCEMENT

Microsoft Support Diagnostic Tool (MSDT) Vulnerability

Introduction

National Cyber Coordination and Command Centre (NC4) is aware of active exploitation of the zero-day vulnerability affecting Microsoft Support Diagnostic Tool (MSDT) in Windows (CVE-2022-30190). This vulnerability can be exploited by an attacker sending a malicious document that utilises Microsoft Word’s external link feature to retrieve a remote malicious file, then using the Microsoft Support Diagnostic Tool to execute PowerShell code. Successful exploitation of the vulnerability will allow an attacker to install programs, view or tamper with data, or create new accounts in line with the victim’s user permissions. It can potentially be used to launch attacks towards other resources within the internal network.

Proof of Concept (PoC) code to exploit this vulnerability is available online and has been integrated into common exploitation frameworks and tools. Disabling Microsoft Office Macros does not prevent exploitation of this vulnerability.

Impact

Information leakage, denial of service, loss of data integrity.

Brief Description

Microsoft has recently published a blog post and issued CVE-2022-30190 for the vulnerability in the Microsoft Support Diagnostic Tool (MSDT) in Windows. When Microsoft Office is installed on a recent Windows system, some default protocol handlers are added during the process. Protocol and file handlers tell Windows which application to use to interpret file extensions and protocol schemes, and they are defined in HKEY_CLASSES_ROOT.

The “ms-msdt” protocol handler has elements written in PowerShell, which allows PowerShell expansion to work in the IT_BrowseForFile parameter of msdt.exe. In the sample Word document, the Microsoft Word remote template feature was abused to retrieve a remote HTML file that uses the ms-msdt Office URI scheme to execute PowerShell within the context of Word. Malicious JavaScript embedded in the remote HTML uses the ms-msdt scheme to invoke the PCWDiagnostic pack and reference IT_BrowseForFile to execute a base64-encoded PowerShell Invoke-Expression command.

The vulnerability in this attack lies in calling the Microsoft Support Diagnostic Tool using the ms-msdt URL protocol within Word via the remotely loaded template file. This allows execution of code within the context of Microsoft Word, even if macros are disabled. The “Protected View” feature does prevent this exploit from occurring; however, once a user activates ‘Enable Editing’, exploitation will occur. Moreover, if the malicious document has been changed into Rich Text Format (RTF), the exploit will occur even if the user simply views the file in the preview pane.

An advisory from Microsoft on CVE-2022-30190 indicates that exploitation has been detected in the wild. While no patch has been released for this vulnerability yet, and given the potential impact to customers and their businesses, Microsoft strongly advises all its customers to apply the recommended mitigation workaround to minimise the risk of attack.

Therefore, NC4 urges all organisations to take the necessary actions to prevent their organisation from becoming a victim of this attack, which may interrupt daily operations. This advisory is a live document and will be updated based on new developments and findings.

Affected Product

Microsoft Office on the Windows platform.

Recommendation

Organisations are advised to be vigilant and to take the following actions:

Mitigations:

  1. Remove the Protocol Handler from the system to prevent exploitation
    • Recommended by Microsoft, but it is advisable to back up first
    • Use the following command as Administrator to remove the Protocol Handler:
      reg delete hkcr\ms-msdt /f
  2. Disable Troubleshooting Wizards
    • Disable troubleshooting tools via Group Policy Object (GPO); or
      Group Policy Editor -> Computer Configuration -> Administrative Templates -> System -> Troubleshooting and Diagnostics -> Scripted Diagnostics: set “Troubleshooting: Allow users to access and run Troubleshooting Wizards” to “disabled”
    • Use the following command as Administrator to disable troubleshooting tools manually:
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics" /t REG_DWORD /v EnableDiagnostics /d 0

Detection:

  1. Monitor - Process Creation (msdt.exe)
    • Alert on process execution of msdt.exe with a parent of WinWord.exe using System Monitor (Sysmon)
  2. Monitor - Process Creation (sdiagnhost.exe)
    • Alert on sdiagnhost.exe creating new processes, particularly those that may represent exploitation
  3. Monitor - Network Connection (WinWord.exe)
    • To trigger execution, Word must retrieve a linked document that redirects it to the ms-msdt protocol handler
    • Winword.exe regularly makes network connections, but usually only to Microsoft.com and Office.com domains
  4. Monitor - Network Connection (sdiagnhost.exe)
    • In some cases, a web request will be performed to download additional PowerShell code or tools

Hunting/Forensic:

  1. Check Office Server Cache
    • Office logs the URLs contacted through Office in its own Internet cache
    • The presence of a URL only means it was contacted, not that it was used in an attack
    • Use the following command to query the cache:
      reg query "hkcu\software\microsoft\office\16.0\common\internet\server cache"
  2. Use Yara Rules
    • Rule from Joe Security only works if you can monitor command line execution
    • Not meant for Office document scanning
      rule Follina_CVE_2022_30190
      {
          meta:
              author = "Joe Security"
              reference = "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e"
          strings:
              $msdt1 = "ms-msdt:/id" ascii wide nocase
              $msdt2 = "ms-msdt:-id" ascii wide nocase
              $para1 = "IT_RebrowseForFile" ascii wide nocase
          condition:
              (1 of ($msdt*) and 1 of ($para*))
      }
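
The two process-creation alerts under Detection and the command-line strings of the Yara rule above can be applied together to Sysmon process-creation events. The following Python is an added example, not code from NC4, Microsoft or Joe Security; the rule names, the `detect` and `triage` helpers and the sample events are constructed for illustration.

```python
import ntpath

# Strings from the Yara rule above, lower-cased for case-insensitive matching.
MSDT_MARKERS = ("ms-msdt:/id", "ms-msdt:-id")
PARAM_MARKERS = ("it_rebrowseforfile",)

def _exe(path):
    """Lower-cased file name of a Windows path (ntpath works on any OS)."""
    return ntpath.basename(path or "").lower()

def detect(event):
    """Return the names of the rules one process-creation event triggers."""
    image, parent = _exe(event.get("Image")), _exe(event.get("ParentImage"))
    cmd = (event.get("CommandLine") or "").lower()
    hits = []
    # Detection 1: msdt.exe started by Word.
    if image == "msdt.exe" and parent == "winword.exe":
        hits.append("msdt_child_of_winword")
    # Detection 2: any process created by sdiagnhost.exe.
    if parent == "sdiagnhost.exe":
        hits.append("sdiagnhost_spawned_process")
    # Yara condition: 1 of ($msdt*) and 1 of ($para*), on the command line.
    if any(m in cmd for m in MSDT_MARKERS) and any(p in cmd for p in PARAM_MARKERS):
        hits.append("msdt_cmdline_match")
    return hits

def triage(events):
    """Keep only events with at least one hit, paired with their hits."""
    return [(e["Image"], hits) for e in events if (hits := detect(e))]

# Constructed events using Sysmon Event ID 1 field names; values are placeholders.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\msdt.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "msdt.exe ms-msdt:/id PCWDiagnostic IT_RebrowseForFile=<constructed>"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\sdiagnhost.exe",
     "CommandLine": "cmd.exe /c <constructed>"},
    {"Image": r"C:\Windows\System32\msdt.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "msdt.exe /id PCWDiagnostic"},
]

if __name__ == "__main__":
    for image, hits in triage(SAMPLE_EVENTS):
        print(image, ", ".join(hits))
```

sdiagnhost.exe also runs during legitimate troubleshooting, so a hit on the second rule is a lead to review alongside the other two, not a confirmed compromise.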

References

  1. https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/
  2. https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30190
  3. https://www.sans.org/webcasts/emergency-webcast-msdt-ms-word-0-day/
  4. https://www.huntress.com/blog/microsoft-office-remote-code-execution-follina-msdt-bug
  5. https://nakedsecurity.sophos.com/2022/05/31/mysterious-follina-zero-day-hole-in-office-what-to-do/
  6. https://unit42.paloaltonetworks.com/cve-2022-30190-msdt-code-execution-vulnerability/
  7. https://attackerkb.com/topics/Z0pUwH0BFV/cve-2022-30190/rapid7-analysis?referrer=blog
  8. https://blog.syss.com/posts/abusing-ms-office-protos/
  9. https://joesecurity.org/resources/follina.yara

02-06-2022

CONTACT US

NATIONAL CYBER SECURITY AGENCY (NACSA)

National Security Council
Prime Minister's Department
Level LG & G, West Wing,
Perdana Putra Building,
Federal Government Administrative Center,
62502 Putrajaya, Malaysia.
