Coverage Advisory for CVE-2022-30190: Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability
Background
On May 27, 2022, nao_sec found a malicious Word document submitted to VirusTotal from a Belarusian IP address. The document abused the MS-MSDT URI scheme to execute PowerShell from within Word, bypassing local Office macro policies. Microsoft has since released an advisory and assigned CVE-2022-30190 to this vulnerability.
What is the vulnerability?
Malicious Word documents can use the remote template feature to retrieve an HTML file from a remote server; that HTML can then invoke Microsoft’s MS-MSDT URI protocol scheme to load additional code and execute PowerShell.
For most malicious Office documents, the user must be convinced to click through two separate prompts:
Enable editing (protected mode)
Activate content (run macros)
To exploit this vulnerability, the attacker only needs the user to open the Office document. If the exploit is delivered as an RTF file, it can be triggered even if the user merely previews the file in the Windows Explorer preview pane.
According to Microsoft, “A remote code execution vulnerability exists when MSDT is invoked using the URL protocol from a calling application such as Word. An attacker who successfully exploited this vulnerability can execute arbitrary code with the privileges of the calling application. The attacker can then install programs, consult, modify or delete data, or create new accounts within the framework permitted by the rights of the user”.
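The delivery chain described above (a remote template pulled over the network, then MS-MSDT invoked from the fetched HTML) leaves a static trace in the document itself: a .docx declares its remote template as an External relationship in word/_rels/settings.xml.rels. The following Python script is an added example, not part of the Zscaler advisory, that parses that relationship table and flags documents whose attached template lives on the network while leaving ordinary hyperlinks alone. The two sample documents are constructed in memory, and the template URL is a placeholder rather than an indicator from the advisory.

```python
# Added example (not from the Zscaler advisory): statically inspect a .docx for
# the remote-template relationship that the delivery chain above relies on.
# The sample documents below are constructed in memory; the template URL is a
# placeholder, not an indicator from the advisory.
import io
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
HYPERLINK = ("http://schemas.openxmlformats.org/officeDocument/2006/"
             "relationships/hyperlink")
NETWORK_PREFIXES = ("http://", "https://", "\\\\")  # web URLs and UNC paths


def remote_references(docx_bytes: bytes) -> list:
    """List every external relationship under word/ whose Target is a network
    location. Each entry is a dict with the .rels part, relationship Type and
    Target. Hyperlinks show up here too, so callers must look at the Type."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for part in zf.namelist():
            if not (part.startswith("word/") and part.endswith(".rels")):
                continue
            root = ET.fromstring(zf.read(part))
            for rel in root.iter("{%s}Relationship" % RELS_NS):
                if rel.get("TargetMode", "").lower() != "external":
                    continue
                target = rel.get("Target", "")
                if target.lower().startswith(NETWORK_PREFIXES):
                    findings.append({"part": part,
                                     "type": rel.get("Type", ""),
                                     "target": target})
    return findings


def has_remote_template(docx_bytes: bytes) -> bool:
    """True when the document instructs Word to fetch its template from the
    network (an attachedTemplate relationship in External mode). Ordinary
    hyperlinks are external references as well but do not load code."""
    return any(ref["type"] == ATTACHED_TEMPLATE
               for ref in remote_references(docx_bytes))


def build_docx(parts: dict) -> bytes:
    """Construct a minimal .docx-shaped zip from a mapping of part name to
    content (sample data only; a real document carries many more parts)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


def rels(*relationships: str) -> str:
    """Wrap Relationship elements in a well-formed .rels document."""
    return ('<?xml version="1.0" encoding="UTF-8"?>'
            '<Relationships xmlns="%s">%s</Relationships>'
            % (RELS_NS, "".join(relationships)))


# Constructed sample 1: settings.xml.rels pulls the template from a placeholder host.
SUSPICIOUS_DOCX = build_docx({
    "word/document.xml": "<w:document/>",
    "word/settings.xml": "<w:settings/>",
    "word/_rels/settings.xml.rels": rels(
        '<Relationship Id="rId1" Type="%s" '
        'Target="http://remote-template.example/template.html" '
        'TargetMode="External"/>' % ATTACHED_TEMPLATE),
})

# Constructed sample 2: only an ordinary hyperlink plus an internal styles part.
BENIGN_DOCX = build_docx({
    "word/document.xml": "<w:document/>",
    "word/styles.xml": "<w:styles/>",
    "word/_rels/document.xml.rels": rels(
        '<Relationship Id="rId1" Type="%s" Target="https://www.zscaler.com/" '
        'TargetMode="External"/>' % HYPERLINK,
        '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/'
        'officeDocument/2006/relationships/styles" Target="styles.xml"/>'),
})

if __name__ == "__main__":
    for label, doc in (("suspicious", SUSPICIOUS_DOCX), ("benign", BENIGN_DOCX)):
        print(label, has_remote_template(doc), remote_references(doc))
```

This is a triage check for mail-gateway or sandbox pre-filtering, not a replacement for detonation: it only inspects the OOXML relationship table, so the RTF delivery variant mentioned above (which is not a zip container) needs a separate parser, and a remote template can be legitimate in some corporate environments, so the result is a signal to pair with the target host's reputation rather than a verdict on its own.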
Which systems are impacted?
This vulnerability affects all client and server platforms running the following versions of Windows operating systems.
Windows Server 2012 R2 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 (Server Core installation)
Windows Server 2012
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows RT 8.1
Windows 8.1 for x64-based Systems
Windows 8.1 for 32-bit Systems
Windows 7 for x64-based Systems Service Pack 1
Windows 7 for 32-bit Systems Service Pack 1
Windows Server 2016 (Server Core installation)
Windows Server 2016
Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1607 for 32-bit Systems
Windows 10 for x64-based Systems
Windows 10 for 32-bit Systems
Windows 10 Version 21H2 for x64-based Systems
Windows 10 Version 21H2 for ARM64-based Systems
Windows 10 Version 21H2 for 32-bit Systems
Windows 11 for ARM64-based Systems
Windows 11 for x64-based Systems
Windows Server, version 20H2 (Server Core installation)
Windows 10 Version 20H2 for ARM64-based Systems
Windows 10 Version 20H2 for 32-bit Systems
Windows 10 Version 20H2 for x64-based Systems
Windows Server 2022 Azure Edition Core Hotpatch
Windows Server 2022 (Server Core installation)
Windows Server 2022
Windows 10 Version 21H1 for 32-bit Systems
Windows 10 Version 21H1 for ARM64-based Systems
Windows 10 Version 21H1 for x64-based Systems
Windows Server 2019 (Server Core installation)
Windows Server 2019
Windows 10 Version 1809 for ARM64-based Systems
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1809 for 32-bit Systems
What can you do to protect yourself?
You can block exploit attempts for CVE-2022-30190 by disabling the MSDT URL protocol, which attackers abuse to launch troubleshooters and run code on vulnerable systems. It is also advisable to disable the preview pane in Windows Explorer so that previewing a malicious document cannot trigger the exploit.
To disable the MSDT URL protocol
Disabling the MSDT URL protocol prevents troubleshooters from launching as links, including links throughout the operating system. Troubleshooters can still be accessed using the Get Help app and in System Settings under Other or Additional Troubleshooters. Follow these steps to disable it:
Run the command prompt as an administrator.
To back up the registry key, run the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename”.
Run the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”.
How to undo the workaround
Run the command prompt as an administrator.
To restore the registry key, run the command “reg import filename”.
Zscaler coverage
Advanced Threat Protection
DOC.Exploit.CVE-2022-30190
XML/ABRisk.XNPT-2
XML/ABRisk.HRVC-3
Advanced Cloud Sandbox
Zscaler Advanced Cloud Sandbox would be able to classify and detect Word documents exploiting CVE-2022-30190 as malicious.
Our Cloud Sandbox report for a Word document exploiting CVE-2022-30190 is shown in Figure 1.
Fig 1: Sandbox Report for Docx file with CVE-2022-30190 exploit
Details related to threat signatures released by Zscaler can be found in the Zscaler Threat Library.
*** This is a syndicated blog from the Security Bloggers Network of Blog Category Feed written by Jithin Nair. Read the original post at: https://www.zscaler.com/blogs/security-research/coverage-advisory-cve-2022-30190-microsoft-windows-support-diagnostic-tool