Background
On May 27, 2022, nao_sec found a malicious Word document submitted to VirusTotal from a Belarus IP address. The document abused the MS-MSDT URI scheme to execute PowerShell within the context of Word, bypassing local Office macro policies. Microsoft has since released protection guidance and assigned CVE-2022-30190 to this vulnerability.
What is the issue?
Malicious Word documents can use the remote template feature to fetch an HTML file from a remote server; the HTML code can then use Microsoft's MS-MSDT URI protocol scheme to load additional code and execute PowerShell.
For most malicious Office documents, users have to be convinced to click two separate prompts:
- Enable editing (Protected Mode)
- Enable content (Run Macros)
To exploit this vulnerability, the attacker only needs the user to open the Office document. If an RTF file is used, the vulnerability can be triggered even when the user merely previews the RTF file in the Windows Explorer preview pane.
According to Microsoft, “A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights”.
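A read-only triage check for the remote-template indicator described above, added here as an example and not part of the original advisory. It opens a .docx as a ZIP archive and lists any external attachedTemplate relationships without rendering the document; the function name and the sample path are assumptions.

```powershell
# Added example (not from the advisory): static triage of a .docx for an
# external (remote) template relationship. The file is never opened in Word.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-ExternalTemplateTargets {
    param([Parameter(Mandatory)][string]$Path)

    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        # A remote template is declared in word/_rels/settings.xml.rels as a
        # Relationship whose Type ends in /attachedTemplate and whose
        # TargetMode is External (Target is then a URL, not a package part).
        $entry = $zip.GetEntry('word/_rels/settings.xml.rels')
        if ($null -eq $entry) { return @() }

        $reader = New-Object System.IO.StreamReader($entry.Open())
        try { [xml]$rels = $reader.ReadToEnd() } finally { $reader.Dispose() }

        @($rels.Relationships.Relationship |
            Where-Object { $_.TargetMode -eq 'External' -and
                           $_.Type -like '*/attachedTemplate' } |
            ForEach-Object { $_.Target })
    } finally {
        $zip.Dispose()
    }
}

# Assumed sample path; replace with the document under investigation.
$targets = Get-ExternalTemplateTargets -Path 'C:\Quarantine\sample.docx'
if ($targets.Count -gt 0) {
    Write-Warning "External template reference(s) found:"
    $targets | ForEach-Object { Write-Warning "  $_" }
} else {
    Write-Host "No external attachedTemplate relationship in settings.xml.rels."
}
```

External templates are also used by legitimate documents, so a hit is an indicator to inspect (for example, the host the template is fetched from), not a verdict on its own.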
What systems are impacted?
This vulnerability impacts all client and server platforms running the following versions of Windows operating systems.
- Windows Server 2012 R2 (Server Core installation)
- Windows Server 2012 R2
- Windows Server 2012 (Server Core installation)
- Windows Server 2012
- Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
- Windows Server 2008 R2 for x64-based Systems Service Pack 1
- Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
- Windows Server 2008 for x64-based Systems Service Pack 2
- Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
- Windows Server 2008 for 32-bit Systems Service Pack 2
- Windows RT 8.1
- Windows 8.1 for x64-based systems
- Windows 8.1 for 32-bit systems
- Windows 7 for x64-based Systems Service Pack 1
- Windows 7 for 32-bit Systems Service Pack 1
- Windows Server 2016 (Server Core installation)
- Windows Server 2016
- Windows 10 Version 1607 for x64-based Systems
- Windows 10 Version 1607 for 32-bit Systems
- Windows 10 for x64-based Systems
- Windows 10 for 32-bit Systems
- Windows 10 Version 21H2 for x64-based Systems
- Windows 10 Version 21H2 for ARM64-based Systems
- Windows 10 Version 21H2 for 32-bit Systems
- Windows 11 for ARM64-based Systems
- Windows 11 for x64-based Systems
- Windows Server, version 20H2 (Server Core Installation)
- Windows 10 Version 20H2 for ARM64-based Systems
- Windows 10 Version 20H2 for 32-bit Systems
- Windows 10 Version 20H2 for x64-based Systems
- Windows Server 2022 Azure Edition Core Hotpatch
- Windows Server 2022 (Server Core installation)
- Windows Server 2022
- Windows 10 Version 21H1 for 32-bit Systems
- Windows 10 Version 21H1 for ARM64-based Systems
- Windows 10 Version 21H1 for x64-based Systems
- Windows Server 2019 (Server Core installation)
- Windows Server 2019
- Windows 10 Version 1809 for ARM64-based Systems
- Windows 10 Version 1809 for x64-based Systems
- Windows 10 Version 1809 for 32-bit Systems
What can you do to protect yourself?
You can block exploit attempts for CVE-2022-30190 by disabling the MSDT URL protocol, which the threat actors abuse to launch troubleshooters and execute code on vulnerable systems. You are also advised to disable the preview pane in Windows Explorer so that the exploit cannot run when a malicious document is previewed.
To disable the MSDT URL Protocol
Disabling the MSDT URL protocol prevents troubleshooters from being launched as links, including links throughout the operating system. Troubleshooters can still be accessed using the Get Help application and in System Settings as other or additional troubleshooters. Follow these steps to disable it:
- Run Command Prompt as Administrator.
- To back up the registry key, execute the command "reg export HKEY_CLASSES_ROOT\ms-msdt filename", where filename is the path of the backup file to create.
- Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”.
How to undo the workaround
- Run Command Prompt as Administrator.
- To restore the registry key, execute the command "reg import filename", where filename is the backup file created earlier.
Zscaler coverage
Advanced Threat Protection
- DOC.Exploit.CVE-2022-30190
- XML/ABRisk.XNPT-2
- XML/ABRisk.HRVC-3
Advanced Cloud Sandbox
Zscaler Advanced Cloud Sandbox would be able to classify and detect Word documents exploiting CVE-2022-30190 as malicious.
Our Cloud Sandbox Report for a Word document exploiting CVE-2022-30190 can be seen in Figure 1.
Fig 1: Sandbox Report for Docx file with CVE-2022-30190 exploit
Details related to the threat signatures released by Zscaler can be found in the Zscaler Threat Library.