¡¾Îó²îͨ¸æ¡¿Microsoft MSDTí§Òâ´úÂëÖ´ÐÐÎó²î£¨CVE-2022-30190£©

Ðû²¼Ê±¼ä 2022-05-31

0x00 Îó²î¸ÅÊö

CVE   ID

CVE-2022-30190

·¢Ã÷ʱ¼ä

2022-05-30

Àà    ÐÍ

´úÂëÖ´ÐÐ

µÈ    ¼¶

¸ßΣ

Ô¶³ÌʹÓÃ


Ó°Ïì¹æÄ£


¹¥»÷ÖØƯºó

µÍ

Óû§½»»¥

ÊÇ

PoC/EXP

ÒѹûÕæ

ÔÚҰʹÓÃ

ÊÇ

 

0x01 Îó²îÏêÇé

5ÔÂ30ÈÕ£¬Î¢ÈíÐû²¼Ç徲ͨ¸æ£¬Åû¶ÁË Microsoft MSDTÖеÄí§Òâ´úÂëÖ´ÐÐÎó²î£¨CVE-2022-30190£©£¬¸ÃÎó²îµÄCVSSÆÀ·ÖΪ7.8¡£ÏÖÔÚ¸ÃÎó²îÒѾ­¹ûÕæÅû¶£¬ÇÒÒѼì²âµ½ÔÚҰʹÓá£

MSDT£¨Microsoft Support Diagnostics Tool£¬Î¢ÈíÖ§³ÖÕï¶Ï¹¤¾ß£©ÊÇÒ»ÖÖÊÊÓóÌÐò£¬ÓÃÓÚɨ³ý¹ÊÕϲ¢ÍøÂçÕï¶ÏÊý¾ÝÒÔ¹©×¨ÒµÖ°Ô±ÆÊÎöÏ¢Õù¾öÎÊÌâ¡£

´Ó Word µÈŲÓÃÓ¦ÓóÌÐòʹÓà URL ЭÒéŲÓà MSDT ʱ±£´æ´úÂëÖ´ÐÐÎó²î£¬ÀÖ³ÉʹÓøÃÎó²î¿ÉÒÔʹÓÃŲÓÃÓ¦ÓóÌÐòµÄȨÏÞÔËÐÐí§Òâ´úÂ룬²¢ÔÚÓû§È¨ÏÞÔÊÐíµÄ¹æÄ£ÄÚ×°ÖóÌÐò£¬Éó²é¡¢¸ü¸Ä»òɾ³ýÊý¾Ý£¬»ò½¨ÉèÐÂÕË»§¡£Îó²î¸´ÏÖÈçÏ£º

image.png

¸ÃÎó²îÊÇÁ¥ÊôÓڰ׶íÂÞ˹µÄIPµØµãÉÏ´«µ½ VirusTotalµÄ¶ñÒâWord ÎĵµÖмì²âµ½µÄ¡£¶ñÒâÎļþͨ¹ýʹÓà Word µÄÔ¶³ÌÄ£°å¹¦Ð§´Ó·þÎñÆ÷»ñÈ¡ HTML Îļþ£¬È»ºóʹÓá°ms-msdt://¡±URI Ö´ÐÐ PowerShell ´úÂë¡£×ÝÈ»½ûÓÃÁ˺꣬Microsoft Word Ò²»áͨ¹ý msdtÖ´ÐдúÂë¡£±ðµÄ£¬µ±¶ñÒâÎļþÉúÑÄΪRTFÃûÌÃʱ£¬ÉõÖÁÎÞÐè·­¿ªÎļþ£¬Í¨¹ý×ÊÔ´ÖÎÀíÆ÷ÖеÄÔ¤ÀÀÑ¡Ï¼´¿ÉÔÚÄ¿µÄϵͳÉÏÖ´ÐÐí§Òâ´úÂë¡£

 

Ó°Ïì¹æÄ£

 Windows Server 2012 R2 (Server Core installation)

Windows Server 2012 R2

Windows Server 2012 (Server Core installation)

Windows Server 2012

Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)

Windows Server 2008 R2 for x64-based Systems Service Pack 1

Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)

Windows Server 2008 for x64-based Systems Service Pack 2

Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)

Windows Server 2008 for 32-bit Systems Service Pack 2

Windows RT 8.1

Windows 8.1 for x64-based systems

Windows 8.1 for 32-bit systems

Windows 7 for x64-based Systems Service Pack 1

Windows 7 for 32-bit Systems Service Pack 1

Windows Server 2016 (Server Core installation)

Windows Server 2016

Windows 10 Version 1607 for x64-based Systems

Windows 10 Version 1607 for 32-bit Systems

Windows 10 for x64-based Systems

Windows 10 for 32-bit Systems

Windows 10 Version 21H2 for x64-based Systems

Windows 10 Version 21H2 for ARM64-based Systems

Windows 10 Version 21H2 for 32-bit Systems

Windows 11 for ARM64-based Systems

Windows 11 for x64-based Systems

Windows Server, version 20H2 (Server Core Installation)

Windows 10 Version 20H2 for ARM64-based Systems

Windows 10 Version 20H2 for 32-bit Systems

Windows 10 Version 20H2 for x64-based Systems

Windows Server 2022 Azure Edition Core Hotpatch

Windows Server 2022 (Server Core installation)

Windows Server 2022

Windows 10 Version 21H1 for 32-bit Systems

Windows 10 Version 21H1 for ARM64-based Systems

Windows 10 Version 21H1 for x64-based Systems

Windows Server 2019 (Server Core installation)

Windows Server 2019

Windows 10 Version 1809 for ARM64-based Systems

Windows 10 Version 1809 for x64-based Systems

Windows 10 Version 1809 for 32-bit Systems

 

0x02 Çå¾²½¨Òé

΢ÈíÇå¾²ÏìÓ¦ÖÐÐÄÒѾ­Ðû²¼ÁË´ËÎó²îµÄÖ¸ÄÏ£¬ÊÜÓ°ÏìÓû§¿ÉÒÔÑ¡Ôñ½ûÓÃMSDT URLЭÒé»òÓ¦Ó÷ǹٷ½²¹¶¡£º

½ûÓÃMSDT URLЭÒé

½ûÓà MSDT URL ЭÒé¿É±ÜÃâ¹ÊÕÏɨ³ý³ÌÐò×÷ΪÁ´½ÓÆô¶¯£¬°üÀ¨Õû¸ö²Ù×÷ϵͳµÄÁ´½Ó¡£µ«ÈÔÈ»¿ÉÒÔʹÓÃÆäËü·½·¨»á¼û¹ÊÕÏɨ³ý³ÌÐò¡£

1.ÒÔÖÎÀíÔ±Éí·ÝÔËÐÐÏÂÁîÌáÐÑ·û¡£

2.Òª±¸·Ý×¢²á±íÏÇëÖ´ÐÐÏÂÁî¡°reg export HKEY_CLASSES_ROOT\ms-msdt filename¡°¡£

3.Ö´ÐÐÏÂÁî¡°reg delete HKEY_CLASSES_ROOT\ms-msdt /f¡±¡£

×÷·Ï£º

1.ÒÔÖÎÀíÔ±Éí·ÝÔËÐÐÏÂÁîÌáÐÑ·û¡£

2.Òª»Ö¸´±¸·Ý×¢²á±íÏÇëÖ´ÐÐÏÂÁî¡°reg import filename¡±¡£

±ðµÄ£¬Microsoft Defender ·À²¡¶¾Èí¼þʹÓüì²â°æ±¾1.367.719.0?»ò¸ü¸ß°æ±¾Îª¿ÉÄܵÄÎó²îʹÓÃÌṩ¼ì²âºÍ±£»¤£»Microsoft Defender for Endpoint Ϊ¿Í»§Ìṩ¼ì²âºÍ¾¯±¨£»Microsoft 365 Defender ÃÅ»§ÖеÄÒÔϾ¯±¨ÎÊÌâ¿ÉÒÔָʾÍøÂçÉϵÄÍþвÔ˶¯£º

l  Office Ó¦ÓóÌÐòµÄ¿ÉÒÉÐÐΪ

l  Msdt.exe µÄ¿ÉÒÉÐÐΪ

²Î¿¼Á´½Ó£º

https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/

 

·Ç¹Ù·½²¹¶¡

0patch ΢²¹¶¡·þÎñÖ÷ÒªÓÃÓÚÔÚ¹Ù·½ÐÞ¸´¿ÉÓÃ֮ǰ±£»¤ÏµÍ³¡£0patchÒѾ­Õë¶Ô´ËÎó²îΪijЩWindows°æ±¾Ðû²¼ÁËÃâ·ÑµÄ΢²¹¶¡£¬µ«¸Ã²¹¶¡²»»áÍêÈ«½ûÓÃMSDTЭÒé´¦Öóͷ£³ÌÐò£¬¶øÖ»ÊÇÔöÌíÁ˶ÔÓû§ÌṩµÄ·¾¶µÄÕûÀí¡£×¢ÖØ£¬ÒªÏÂÔØ´Ë΢²¹¶¡£¬ÐèҪע²á0patchÕÊ»§²¢×°ÖÃ0patch agent¡£¸Ã΢²¹¶¡ÊÊÓÃÓÚÒÔÏÂWindows°æ±¾£º

Windows 11 v21H2

Windows 10 v21H2

Windows 10 v21H1

Windows 10 v20H2

Windows 10 v2004

Windows 10 v1909

Windows 10 v1903

Windows 10 v1809

Windows 10 v1803

Windows 7

Windows Server 2008 R2

ÏÂÔØÁ´½Ó£º

https://blog.0patch.com/2022/06/free-micropatches-for-follina-microsoft.html

 

ÆäËü½¨Òé

1.½¨Òé¹Ø±ÕWindows×ÊÔ´ÖÎÀíÆ÷ÖеÄÔ¤ÀÀ´°¸ñ£¬ÒÔÏû³ýËü×÷ΪԤÀÀ¶ñÒâÎļþʱ¿ÉʹÓõĹ¥»÷Ç°ÑÔ¡£

2. ÈôÊÇÄúʹÓÃMicrosoft DefenderµÄ Attack Surface Reduction(ASR)¹æÔò£¬Ôò¿ÉÔÚBlockģʽϼ¤»î¡°×èÖ¹ËùÓÐOfficeÓ¦ÓóÌÐò½¨Éè×ÓÀú³Ì¡±¹æÔò¡£ÈôÄú»¹Ã»ÓÐʹÓÃASR¹æÔò£¬¿ÉÏÈÔÚAuditģʽÏÂÔËÐйæÔò£¬ÊÓ²ìЧ¹ûÒÔÈ·±£²»»á¶ÔϵͳÔì³Éµ¹ÔËÓ°Ïì¡£

×¢ÖØ£ºÑо¿Ö°Ô±½«¼ì²âµ½ÔÚҰʹÓõÄ0 dayÎó²î±êʶΪMicrosoft Office ´úÂëÖ´ÐÐ0 dayÎó²î£¨³ÆΪ¡°Follina¡±£©£¬¸ÃÎó²îÓ°ÏìÁËOffice 2016 ºÍ Office 2021µÈ¡£±¾Í¨¸æÖ÷Òª²Î¿¼Î¢Èí¹Ù·½Í¨¸æMicrosoft Windows Ö§³ÖÕï¶Ï¹¤¾ß (MSDT) í§Òâ´úÂëÖ´ÐÐÎó²î¡£

 

0x03 ²Î¿¼Á´½Ó

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30190

https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e

https://www.huntress.com/blog/microsoft-office-remote-code-execution-follina-msdt-bug

https://thehackernews.com/2022/05/watch-out-researchers-spot-new.html

 

0x04 °æ±¾ÐÅÏ¢

°æ±¾

ÈÕÆÚ

ÐÞ¸ÄÄÚÈÝ

V1.0

2022-05-31

Ê×´ÎÐû²¼

V2.0

2022-06-02

ÐÂÔö»º½â²½·¥µÈ

 

0x05 ¸½Â¼

×ðÁú¿­Ê±¼ò½é

×ðÁú¿­Ê±¹«Ë¾½¨ÉèÓÚ1996Ä꣬²¢ÓÚ2010Äê6ÔÂ23ÈÕÔÚÉî½»ËùÖÐС°åÕýʽ¹ÒÅÆÉÏÊУ¬ÊǺ£ÄÚ¼«¾ßʵÁ¦µÄ¡¢ÓµÓÐÍêÈ«×ÔÖ÷֪ʶ²úȨµÄÍøÂçÇå¾²²úÆ·¡¢¿ÉÐÅÇå¾²ÖÎÀíƽ̨¡¢Çå¾²·þÎñÓë½â¾ö¼Æ»®µÄ×ÛºÏÌṩÉÌ¡£

¹«Ë¾×ܲ¿Î»ÓÚ±±¾©ÊÐÖйشåÈí¼þÔ°£¬ÔÚÌìϸ÷Ê¡¡¢ÊС¢×ÔÖÎÇøÉèÓзÖÖ§»ú¹¹£¬ÓµÓÐÁýÕÖÌìϵÄÇþµÀϵͳºÍÊÖÒÕÖ§³ÖÖÐÐÄ£¬²¢ÔÚ±±¾©¡¢ÉϺ£¡¢³É¶¼¡¢¹ãÖÝ¡¢³¤É³¡¢º¼ÖݵȶàµØÉèÓÐÑз¢ÖÐÐÄ¡£

¶àÄêÀ´£¬×ðÁú¿­Ê±ÖÂÁ¦ÓÚÌṩ¾ßÓйú¼Ê¾ºÕùÁ¦µÄ×ÔÖ÷Á¢ÒìµÄÇå¾²²úÆ·ºÍ×î¼Ñʵ¼ù·þÎñ£¬×ÊÖú¿Í»§ÖÜÈ«ÌáÉýÆäIT»ù´¡ÉèÊ©µÄÇå¾²ÐÔºÍÉú²úЧÄÜ£¬Îª´òÔìºÍÌáÉý¹ú¼Ê»¯µÄÃñ×åÐÅÏ¢Çå¾²¹¤ÒµÁì¾üÆ·Åƶø²»Ð¸Æ𾢡£


¹ØÓÚ×ðÁú¿­Ê±

×ðÁú¿­Ê±Çå¾²Ó¦¼±ÏìÓ¦ÖÐÐÄÖ÷ÒªÕë¶ÔÖ÷ÒªÇå¾²Îó²îµÄÔ¤¾¯¡¢¸ú×ٺͷÖÏíÈ«Çò×îеÄÍþвÇ鱨ºÍÇå¾²±¨¸æ¡£

¹Ø×¢ÒÔϹ«Öںţ¬»ñÈ¡È«Çò×îÐÂÇå¾²×ÊѶ£º

image.png